Service accounts are getting revoked when user/account gets revoked

Hi,
Service accounts are getting revoked in OIM 11g when revoking the associated user, or even when revoking the account at the resource level, which should not happen as mentioned in the developer's guide.
It is cancelling all the provisioning tasks. Please let me know what I should check for this.

Kevin,
I used the changeToServiceAccount API method to change the account type to service. It updates the IsServiceAccount flag to Yes in the UI. But in the DB, it's showing a null value for "UD_ADUSER_SERVICEACCOUNT".
But I was able to handle the moveServiceAccount API to move it to another user too.
Please let me know why the value in the DB is not getting updated for "UD_ADUSER_SERVICEACCOUNT".
Is this the attribute to be checked at DB level, or did you mention something else?

Similar Messages

  • User pictures are not shown when users are added to person field in custom list

    Hi,
    Recently we have migrated our intranet from SP2010 to SP2013. We upgraded the User Profile service application, My Sites and the intranet site to the new environment. We haven't upgraded sites to use SP 2013 templates due to some business decisions. Everything is working fine and as expected.
    There are a few lists in our environment where we have added users in person fields and allowed their pictures to be shown with details along with the name. These user pictures are not being shown on the page. After looking at the picture property I found that the "white space" in the picture library name is replaced by %2520 instead of %20 (/user%2520photos/profile%2520pictures).
    I tried reproducing problem on a new team site with SP 2010 template and it is reproduced however it is not occurring for a team site with SP 2013 template.
    Any suggestions would be very helpful for resolving this issue. Thanks in advance.
    -Amol Meshe

    We are experiencing the same issue. We get a /User%2520Photos/Profile%2520Pictures/ path anytime we use the people picker field with the option to display picture or the picture and details option.
    EDIT: This is only a problem on the list view. If you open the display form the image shows just fine. I can't see any setting view Edit Page and updating the web part that contains the list data to correct this.
    Michael Allen (.NET and SharePoint 2010 Developer)

  • Reporting Services connections are getting dropped by Oracle RAC

    My current customer is using Oracle RAC (11g) for their data store. They currently are using SQL Server Reporting Services to connect to it. We are experiencing an issue where the connection appears to be redirected at the server which causes the connection to be lost with the client.
    I am curious if this is "by design" or if we need to review some configuration settings to better handle this.
    We have 3 VIPs fronting the RAC and they are all specified in the TNSNAMES.ORA file.
    Any feedback or input on this issue would be greatly appreciated.

    Hi,
    I suggest you look at:
    http://www.oracle.com/technetwork/database/clustering/overview/awm11gr2-130711.pdf
    and the similar paper from 11.1:
    http://www.oracle.com/technetwork/database/clustering/overview/awmrac11g-133673.pdf
    This explains the basic concept, of how clients should connect to the database, and probably clarifies your issue.
    In general, Oracle will not redirect during runtime, only during connection time.
    This, however, should not be an issue if you connect to a service. (You shouldn't connect to a SID since 8.1.7 anymore.)
    Regards
    Sebastian

  • SharePoint Service Accounts - Passwords have expiration date when they are set to never expire

    The managed accounts in my farm all have the Enable automatic password change unchecked.  Also these same accounts in AD have the Password never expires checked.
    If I use get-spmanagedaccount to view the accounts, some passwords show as already expired or have a future expiration date.  The automatic change is set to False and nothing is listed under the Change Schedule.
    The strange thing to me is that the passwords listed as expired are still valid and haven't been changed.  I even ran an iisreset just to check and there were no issues.  When I look in CA the next password change area is blank for all accounts.
    My question is why do the accounts list a password expiration date if it's set to not automatically change passwords.  If you do change the password through AD you will see a new expiration date set for 90 days later.  I'm just wondering how much I should worry about the service accounts that are listed as having expired passwords even though the passwords aren't expired.  My sites and services are running but I'm just curious if this could potentially cause other errors.
    Thoughts?  Prayers?  Condolences?
    Jennifer Knight (MCITP, MCPD)

    I checked my farm as well; you are correct. Even if you did not select the automatic password change, it still shows 90 days as expiry.
    You don't need to worry about it, it will not hurt; one of the dev farms has an account which expired almost 10 months ago. :)
    You can double check in Central Admin and you will see no expiration set over there.
    Please remember to mark your question as answered & vote helpful, if this solves/helps your problem. Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

  • HT2589 My company is registered as an App Developer and is trying to sign up to be a content provider to sell content through iTunes, but when we currently go through the process of registering the application and syncing our accounts we are getting an er

    We are getting the following error " You must select a U.S. Tax ID type."  But there is no place to actually input that information.

    Unless you have EE 4G service the UK 3G networks are the base of your problem - they are just far too variable in download and streaming speeds.
    Add to that the fact that use can/will eat into your data usage!
    iTunes Match as a service is pretty experimental at best over 3G and really I think so long as you have a 32GB or larger iOS device, sync'ing via iTunes on a PC/Mac remains the best way to transfer music.
    Remember even with iTunes Match your music is STILL ON your own PC/Mac HDD!
    Using the devices tab in iTunes you can customize each differing identified iOS device and load as you please.
    When we have a competitively priced stable and extensive LTE network in the UK then reconsider Match at that point.

  • The report server has encountered a configuration error. Logon failed for the unattended execution account. (rsServerConfigurationError) Log on failed. Ensure the user name and password are correct. (rsLogonFailed) The user name or password is incorrect

    I am able to run the report fine in BIDS in the preview window, and it deploys fine.  When it goes to view the report in the browser, I get the following error.  There is no domain, I am using a standalone computer with SQL Server and SSRS on this one machine.
    Can anyone point to where I might configure the permission it is looking for?  thanks!  Steven
    The report server has encountered a configuration error. Logon failed for the unattended execution account. (rsServerConfigurationError)
    Log on failed. Ensure the user name and password are correct. (rsLogonFailed)
    The user name or password is incorrect
    Steven DeSalvo

    Hi StevenDE2012,
    Based on the error message "The report server has encountered a configuration error. Logon failed for the unattended execution account. (rsServerConfigurationError)", it seems that the Unattended Execution Account settings in Reporting Services Configuration are not correct.
    Reporting Services provides a special account that is used for unattended report processing and for sending connection requests across the network. Unattended report processing refers to any report execution process that is triggered by an event rather than a user request. The report server uses the unattended report processing account to log on to the computer that hosts the external data source. This account is necessary because the credentials of the Report Server service account are never used to connect to other computers. To configure the account, please refer to the following steps:
    1. Start the Reporting Services Configuration tool and connect to the report server instance you want to configure.
    2. On the Execution Account page, select Specify an execution account.
    3. Type the account and password, retype the password, and then click Apply.
    In addition, please verify you have access to the Report Server database by following these steps:
    1. Go to SQL Server Reporting Services Configuration Manager, make sure the configuration is correct.
    2. Go to Database, verify that you can connect to the database.
    3. Make sure you are granted public and RSExecRole roles.
    Reference:
    Configure the Unattended Execution Account
    Configure a Report Server Database Connection
    If the problem is unresolved, I would appreciate it if you could give us a detailed error log; it will help us move more quickly toward a solution.
    Thanks,
    Wendy Fu

  • Get real userid from a WDA application that uses service account

    A WDA application runs under a service account. How to get the real userid (i mean, the human user)?

    When running as a service user, the application is anonymous.  In other words no user authentication or identification takes place.  What kind of "real" user information would you expect to get?  Are you running in the NetWeaver Portal?  Or standalone?  What information are you looking for?  Of course nothing within ABAP is going to be able to "see" the real user since the user session is running as the service account. Why exactly are you using a service user anyway?  There are only very few instances where service users in WDA applications wouldn't be a violation of your license agreement.

  • Should I use Managed Service Accounts or individual, Domain User accounts?

    I'm setting up a new SP 2013, and I'm trying to be very granular as it relates to "Least Privilege".
    I'm trying to figure out which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint services.
    At face value, I *think* any service could be successfully run using an MSA and yet any installation of either SQL Server 2012 and/or SharePoint 2013 should be done using a Domain User account created for that specific purpose (i.e., SP_FARM, SP_ADMIN, SQL_ADMIN, etc.). In fact, I *think* the installation would HAVE to be done with an actual Domain User account, because (unless I'm wrong), MSA's do not have a shell and therefore CAN'T log on...which is by design?
    Here's a Microsoft TechNet article that lists many of the accounts I'm referring to:
    https://social.technet.microsoft.com/wiki/contents/articles/14500.sharepoint-2013-service-accounts.aspx
    Note that it says MOST of the accounts are Domain accounts, but I don't *think* all of these need to BE Domain accounts - I think MOST of them could be created as MSA's and assigned to run the specific service without any problems whatsoever?
    So again, my question is: which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint service or to even perform a successful installation of the software?
    Ed

    No, script 1 does not create Active Directory Managed Service Accounts (see here:
    http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx). These are not applicable to SharePoint and are not mentioned in any of those scripts; look at the PowerShell commandlets, they are very different.
    Script 1 creates Active Directory users. These are, as far as AD cares, just standard user objects. There is nothing at all special about them in AD.
    At some point you would install SharePoint using those accounts; during that process they get registered in SharePoint as SharePoint Managed Accounts.
    Script 2 updates the settings on those managed accounts in bulk.

  • Page File error when trying to install AD Managed Service Account

    Hello everyone,
    I am having a bit of an issue with Managed Service Accounts in that when I am trying to perform the install of a single computer restricted Managed Service Account I am getting the error of "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation." and I am trying to figure out the problem. I already have 3 accounts that installed successfully on the system but these others are not installing on the system because of this error. Anyone got any information on this problem or any suggestions as I am at a loss.

    Hi,
    Please let me know the operating system of your machine.
    This is because, Windows Server 2012 has come with the concept of Group Managed Service Account (gMSA).
    Following are the benefits of gMSA,
    - A single gMSA can be used on multiple hosts.
    - A gMSA can be used for scheduled tasks.
    - A gMSA can be used for IIS Application Pools, SQL 2012 etc.
    Check out the link below for complete information on gMSA (creation and usage),
    http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
    Check out the thread below for a similar discussion,
    http://social.technet.microsoft.com/Forums/en-US/5bc96d1b-0cec-4d0c-a99d-7f34509c0714/how-to-use-correctly-managed-service-account-in-windows-server-2012-?forum=winserverDS
    Regards
    Gopi
    JiJi Technologies

  • Accounts used by application pools or service identities are in the local machine Administrators group.

    I am getting the Warning: "Accounts used by application pools or service identities are in the local machine Administrators
    group."
    Using highly-privileged accounts as application pool or as service identities poses a security risk to the farm, and could allow
    malicious code to execute.  The following services are currently running as accounts in the machine Administrators group: SPUserCodeV4(Windows Service) 
    OSearch14(Windows Service) 
    SPSearch4(Windows Service) 
    WebAnalyticsService(Windows Service) 
    I understand that the users running these Windows Services must not
    be a local administrator of the server. The user I have assigned for the aforementioned Windows Services are in the following Groups in the SharePoint Server:
    IIS_IUSRS
    Performance Monitor Users
    WSS_ADMIN_WPG
    WSS_RESTRICTED_WPG_V4
    WSS_WPG
    Which group must I remove the user from?

    Since I used the same account for all; I am getting the following error message:
    The server farm account should not be used for other services.
     the account used for the SharePoint timer service and the central administration site, is highly privileged and should not
    be used for any other services on any machines in the server farm.  The following services were found to use this account: SharePoint - 80 (Application Pool) 
    SPUserCodeV4(Windows Service) 
    OSearch14(Windows Service) 
    SPSearch4(Windows Service) 
    Web Analytics Data Processing Service(Windows Service) 
    Should I use another non administrator account for farm Administrator?
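
The two health warnings quoted in this thread can be re-checked by hand; the following is an added example, not code from the original posts or from SharePoint. The `CONTOSO\...` accounts, the `SP01` host name, the inventory and the list of names the farm account is allowed to run are constructed assumptions.

```powershell
# Constructed inventory of service identities (not taken from a real farm).
# On a live server the Windows-service rows could be read with:
#   Get-CimInstance Win32_Service | Select-Object Name, StartName
$identities = @(
    [pscustomobject]@{ Name = 'SharePoint Central Administration v4'; Kind = 'Application Pool'; Account = 'CONTOSO\sp_farm' }
    [pscustomobject]@{ Name = 'SPTimerV4';           Kind = 'Windows Service';  Account = 'CONTOSO\sp_farm' }
    [pscustomobject]@{ Name = 'SharePoint - 80';     Kind = 'Application Pool'; Account = 'CONTOSO\sp_farm' }
    [pscustomobject]@{ Name = 'SPUserCodeV4';        Kind = 'Windows Service';  Account = 'CONTOSO\sp_farm' }
    [pscustomobject]@{ Name = 'OSearch14';           Kind = 'Windows Service';  Account = 'CONTOSO\sp_search' }
    [pscustomobject]@{ Name = 'SPSearch4';           Kind = 'Windows Service';  Account = 'CONTOSO\sp_search' }
    [pscustomobject]@{ Name = 'WebAnalyticsService'; Kind = 'Windows Service';  Account = 'CONTOSO\sp_farm' }
)

# Constructed membership of the local Administrators group.
# Live equivalent: (Get-LocalGroupMember -Group 'Administrators').Name
# Only direct members are compared here; an account that is an administrator
# through a nested domain group needs the group expanded first.
$localAdmins = @('SP01\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\sp_farm')

# Assumption: the farm account, and the only identities it is expected to run
# (timer service and the Central Administration application pool).
$farmAccount = 'CONTOSO\sp_farm'
$farmOnly    = @('SPTimerV4', 'SharePoint Central Administration v4')

function Get-AdminServiceIdentity {
    # Rule 1: identities whose account is a member of local Administrators.
    param([object[]]$Identity, [string[]]$AdminMember)
    # -in compares strings case-insensitively, like Windows account names.
    $Identity | Where-Object { $_.Account -in $AdminMember }
}

function Get-FarmAccountReuse {
    # Rule 2: anything other than the allowed names running as the farm account.
    param([object[]]$Identity, [string]$FarmAccount, [string[]]$AllowedName)
    $Identity | Where-Object {
        $_.Account -eq $FarmAccount -and $_.Name -notin $AllowedName
    }
}

$findings = @(
    Get-AdminServiceIdentity -Identity $identities -AdminMember $localAdmins |
        Select-Object @{ Name = 'Rule'; Expression = { 'Identity is a local Administrator' } },
                      Name, Kind, Account
    Get-FarmAccountReuse -Identity $identities -FarmAccount $farmAccount -AllowedName $farmOnly |
        Select-Object @{ Name = 'Rule'; Expression = { 'Farm account used for another service' } },
                      Name, Kind, Account
)

$findings | Sort-Object Rule, Name | Format-Table -AutoSize
```

With the constructed data, every identity running as `CONTOSO\sp_farm` is reported under the first rule, and the three that are not the timer service or Central Administration are reported again under the second; the `CONTOSO\sp_search` rows produce no finding.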

  • System PATH environment variable issue when user log off and log in or switch from admin to non-admin account

    Hi,
    Problem Description:
    After installing my new product version, when user does log-off and log in again into admin account or switch from admin account to non-admin account, PATH environment variable shows incorrect path of my product (previous product version’s path) using command prompt.
    It seems windows refresh issue during session changes (log off and log in / switch from Admin to Non-admin account).
    Why PATH environment variable is not refresh immediately after log off and log in again or Switch from admin to non-admin mode?.
    Please see my thread for more details http://social.msdn.microsoft.com/Forums/vstudio/en-US/445ab42c-bdff-405a-8d53-558e1b6c7d34/path-environment-variable-issue-when-user-logoff-and-login-or-switch-from-admin-to-nonadmin?forum=windowsgeneraldevelopmentissues
    I also submitted a bug for this in the connect.microsoft.com portal. It has lots of information like the problem statement, reproduction steps and expected results.
    Bug ID: 871782
    Could anybody please help me with this? Your support will be appreciated.
    Thanks,
    Marichamy

    Why PATH environment variable is not refresh immediately after log off and log in again or Switch
    from admin to non-admin mode?. 
    I wouldn't have any expectation of what you are doing to work the way you expect.  E.g. why is the %ABC% being replaced at all?  There is some help about this ambiguous scenario in the cmd help...
    /V:ON Enable delayed environment variable expansion using ! as the
    delimiter. For example, /V:ON would allow !var! to expand the
    variable var at execution time. The var syntax expands variables
    at input time, which is quite a different thing when inside of a FOR
    loop.
    /V:OFF Disable delayed environment expansion.
    So, what's the setting for the /V:  switch that your users would be using?  Perhaps you should be using the ! instead of the % for your ABC variable?
    Oh.  There's more below where I found that...
    Delayed environment variable expansion is NOT enabled by default. You
    can enable or disable delayed environment variable expansion for a
    particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
    can enable or disable delayed expansion for all invocations of CMD.EXE on a
    machine and/or user logon session by setting either or both of the
    following REG_DWORD values in the registry using REGEDIT.EXE:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
    and/or
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    to either 0x1 or 0x0. The user specific setting takes precedence over
    the machine setting. The command line switches take precedence over the
    registry settings.
    In a batch file the SETLOCAL ENABLEDELAYEDEXPANSION or DISABLEDELAYEDEXPANSION
    arguments takes precedence over the /V:ON or /V:OFF switch. See SETLOCAL /?
    for details.
    If delayed environment variable expansion is enabled, then the exclamation
    character can be used to substitute the value of an environment variable
    at execution time.
    So, I guess the essence of your "bug" will boil down to whether you need the feature to get the result you want and the truth of that first sentence but it certainly looks like a "can of worms" to me.   ; )
    HTH
    Robert Aldwinckle

  • HT201269 Hi. I have shared an Apple ID with my children for some time.  As they are getting older they do not want me seeing all their messages, photos etc so want their own accounts.  How can they access their purchased music and apps on the new account

    Hi. I have shared an Apple ID with my children for some time.  As they are getting older they do not want me seeing all their messages, photos etc so want their own accounts.  How can they access their purchased music and apps on the new account please?

    Yes.
    On their iOS devices, under Settings>iTunes & App Store, they should use your Apple ID. When they log into iCloud, iMessage and Facetime, they should use their personal Apple IDs.

  • EWS API - Impersonating to update a calendar item created by any other user than a service account, raise an error "Access is denied. Check credentials and try again."

    Hi,
    I am new to using EWS managed APIs.
    Following is the issue:
    1. I am using a service account e.g. [email protected]. This user is a global administrator and also has ApplicationImpersonation role assigned. (Sign into Online Office 365 account -> Admin -> select "Exchange" tab- > select Permissions
    on the left panel -> create an impersonation role -> assign ApplicationImpersonation in Roles: and [email protected] in Members: -> Click on save)
    2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected].
    3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
    I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
            private static void Impersonate(string organizer)
            {
                // Subsequent calls on the shared 'service' object run as the organizer
                string impersonatedUserSMTPAddress = organizer;
                ImpersonatedUserId impersonatedUserId =
                    new ImpersonatedUserId(ConnectingIdType.SmtpAddress, impersonatedUserSMTPAddress);
                service.ImpersonatedUserId = impersonatedUserId;
            }
    4. It was working fine till yesterday afternoon. Suddenly, it started throwing an exception "Access is denied. Check credentials and try again." Whenever I try to
    update that event.
           private static void FindAndUpdate(ExchangeService service)
           {
                // Look at the next 30 days of the connected mailbox's calendar
                CalendarView cv = new CalendarView(DateTime.Now, DateTime.Now.AddDays(30));
                cv.MaxItemsReturned = 25;
                try
                {
                    FindItemsResults<Item> masterResults = service.FindItems(WellKnownFolderName.Calendar, cv);
                    foreach (Appointment item in masterResults.Items)
                    {
                        if (item is Appointment)
                        {
                            Appointment masterItem = item as Appointment;
                            if (!masterRecurEventIDs.Contains(masterItem.ICalUid.ToString()))
                            {
                                masterItem.Load();
                                if (!masterItem.Subject.Contains(" (Updated content)"))
                                {
                                    //impersonate organizer to update and save for further use
                                    Impersonate(masterItem.Organizer.Address.ToString());
                                    // Update the subject and body
                                    masterItem.Subject = masterItem.Subject + " (Updated content)";
                                    string currentBodyType = masterItem.Body.BodyType.ToString();
                                    masterItem.Body = masterItem.Body.Text + "\nUpdated Body Info: xxxxxxxxxxxx";
                                    // This results in an UpdateItem operation call to EWS.
                                    masterItem.Update(ConflictResolutionMode.AutoResolve);
                                    // Send updated notification to organizer of an appointment
                                    CreateAndSendEmail(masterItem.Organizer.Address.ToString(), masterItem.Subject);
                                    masterRecurEventIDs.Add(masterItem.ICalUid.ToString());
                                }
                                else
                                {
                                    Console.WriteLine("Event is already updated. No need to update again.:\r\n");
                                    Console.WriteLine("Subject: " + masterItem.Subject);
                                    Console.WriteLine("Description: " + masterItem.Body.Text);
                                }
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Error: " + ex.Message);
                }
           }
    5. What could be the issue here? Initially I thought maybe it's a throttling policy which is stopping the same user after making certain API call limits for the day, but I am still seeing this issue today.
    Any help is appreciated.
    Thanks

    Your logic doesn't sound correct here eg
    2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected]
    3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
    I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
    When you're connecting to [email protected] mailbox the only user that can make changes to items within abc calendar is abc (or ABC's delegates). If you're impersonating the organizer of the appointment, pqr, that wouldn't work unless the organizer had rights to abc's calendar. If you want to make updates to a calendar appointment like that you should connect to the organizer's mailbox first, update the original, send updates and then accept the updates.
    When you impersonate, you're impersonating the security context of the mailbox you're impersonating, so it's the same as logging on as that user in OWA or Outlook.
    Cheers
    Glen

  • While doing service  in service po we get account assignment error pls help

    while doing services in service po we get error account assignment error (se181) pls help to resolve

    Hi,
    A service line can never be saved WITHOUT the account assignment details (except acc. ***. category U in the PO item).
    In case the table ESLL will have entry but the accounting tables eskl  has got no entry or has entries with deletion flag, it would be an inconsistent situation.    
    You can set on the screen SAPLMLSK 0200 the deletion flag (ESKL-LOEKZ) for your service account assignment, but without entering a new account assignment information the system would not allow you to leave this screen. When you set the deletion flag for service line in the account assignment detail screen, you must enter right afterwards a new account assignment information in order to leave the screen without the error message 06 408.
    Regards,
    Edit

  • How To Overcome When User Incorrectly Opened The First Inventory Accounting Period As Next Month

    Hi,
    User has opened the wrong first inventory account period. Instead of Aug-14, next period Sep-14 has been opened. There are transactions which need to be posted in Aug-14. How can I rectify this?
    During my search in oracle support, I found below information but the note is not accessible.
    "Internal Note 400900.1 How To Overcome When User Incorrectly Opened The First Inventory Accounting Period As Next Month"
    Regards,
    Ahmed

    Hi ,
    Try This Way...
       If you want to use the user exit in two places...
          If area = xyz
           variable1
         else
             variable2.
    same function module you can use in different places...
    If still not clear send me the full details where you want to use then i can send it to you with sample code.
    Thanks..
    Siri N
