Accounts used by application pools or service identities are in the local machine Administrators group in SharePoint Health Analyzer.

In SharePoint 2013 Central Administration, I observed that the Health Analyzer had raised the following security warning:

“Accounts used by application pools or service identities are in the local machine Administrators group”

Cause:

The user account that runs application pools or services should meet the following requirements:

  • It must be a domain user account.
  • It must not be a member of the local Administrators group on the server.
  • It should not be a member of the Farm Administrators group.

Although the issue description only states that the accounts used by application pools or services are in the local Administrators group, and says nothing about the Farm Administrators group, Microsoft's guidance is to remove the account from the Farm Administrators group as well: using highly privileged accounts for application pools or services poses a security risk to the farm and could allow malicious code to execute.

Therefore, to stop Health Analyzer from raising “Accounts used by application pools or service identities are in the local machine Administrators group”, you must remove these accounts from both the local Administrators group and the Farm Administrators group.

Note: Adding the farm account to the local Administrators group is required only to start the User Profile Synchronization Service.

Once the User Profile Synchronization Service has started, remove the farm account from the local Administrators group again so that this security warning is not raised in Health Analyzer.

Solution:

You have two options to clear this warning in Health Analyzer:

  1. Remove the current service account of the application pool/service from the local Administrators group and the Farm Administrators group, OR
  2. Change the service account of the application pool/service to a domain user account that is not a member of the local Administrators group.

Note:

It's not recommended to change the service account of the SPSearchHostController Windows service; it needs to run as the farm admin account in order to start the Search Service.

For the other services, it's recommended to use one service account for all service applications. There's no reason to use multiple service accounts; they just consume memory and slow down startup time.

Solution (1)

  • In Health Analyzer, click on the issue item to check its details.
  • In the Explanation section, check the list of application pools or services that are running as accounts in the machine Administrators group.
    • In my case, I have the following application pools and services:
      • ProjectEventService15 (Windows Service).
      • SharePoint – 80 (Application Pool).
      • SharePoint Central Administration v4 (Application Pool).
      • FIMSynchronizationService (Windows Service).
      • ProjectCalcService15 (Windows Service).
      • SPTimerV4 (Windows Service).
      • AppFabricCachingService (Windows Service).
      • ProjectQueueService15 (Windows Service).
  • Now list the corresponding account for each item as follows:
  • For application pool accounts:
    • Open IIS > Application Pools > under Identity, check the service account of each application pool listed in the Health Analyzer issue.

SharePoint Application Pools

  • For Windows service accounts:
    • Run services.msc to open the Services console on the server.
    • Check the account that each Windows service listed in the Health Analyzer issue is running as.

App Fabric Caching Service

You can also find the corresponding service account for each application pool or service here:

  • Central Administration > Security > Configure Service Accounts.

But I preferred the above method because in some cases the service name in the Health Analyzer explanation section is different from the one listed in Configure Service Accounts.

E.g. AppFabricCachingService corresponds to Distributed Cache in Configure Service Accounts.
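To avoid mapping service names by hand, the following script (added here as an example, not part of the original post) checks every SharePoint managed account against the direct members of the local Administrators group on each farm server and against the Farm Administrators group in Central Administration. It assumes the SharePoint 2013 Management Shell, a farm administrator who is also a local administrator on the queried servers, and Windows claims logins of the form i:0#.w|DOMAIN\user; nested group membership is not resolved.

```powershell
# Added example: audit managed accounts for local Administrators / Farm Administrators
# membership. Assumes SharePoint 2013 Management Shell and rights on every server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Managed accounts are the identities application pools and services run as.
$managed = Get-SPManagedAccount | Select-Object -ExpandProperty UserName

# The Farm Administrators group lives in the Central Administration root web.
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $ca.Url
$farmAdmins = $caWeb.SiteGroups["Farm Administrators"].Users |
              ForEach-Object { $_.LoginName -replace '^i:0#\.w\|', '' }  # strip claims prefix
$caWeb.Dispose()

# Direct members of a local group via ADSI (Get-LocalGroupMember is not
# available on the Windows Server versions SharePoint 2013 runs on).
function Get-LocalAdmins([string]$Server) {
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    @($group.psbase.Invoke("Members")) | ForEach-Object {
        # ADsPath is WinNT://DOMAIN/account; normalise it to DOMAIN\account
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Role "Invalid" marks non-SharePoint servers (e.g. the SQL server); skip them.
$servers = Get-SPServer | Where-Object { $_.Role -ne "Invalid" }
foreach ($server in $servers) {
    $localAdmins = Get-LocalAdmins $server.Address
    foreach ($account in $managed) {
        [PSCustomObject]@{
            Server     = $server.Address
            Account    = $account
            LocalAdmin = ($localAdmins -contains $account)   # triggers the Health Analyzer rule
            FarmAdmin  = ($farmAdmins -contains $account)    # Microsoft recommends removing too
        }
    }
}
```

Any row with LocalAdmin or FarmAdmin set to True is an account to remove from the corresponding group in Solution (1), or to replace in Solution (2).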

SharePoint service accounts

  • Once you have all the corresponding service accounts, remove them from the local Administrators group by opening Server Manager > Tools > Computer Management.


  • From the left pane, select Local Users and Groups > Groups > Administrators.
  • Right-click the group name > Properties > on the Members tab, select the service account > Remove.

If AD is installed on the SharePoint server for testing/DEV purposes, remove the service account with the following steps instead:

  • Open Active Directory Users and Computers as an administrator.

AD Users and computers

  • From the left pane, select Builtin > double-click the Administrators group.

Administrator group

  • On the Members tab, select the service account > Remove > OK.
  • Repeat the previous steps on all SharePoint servers running this service.

Note:

Adding the farm account to the local Administrators group is required only to start the application service. After the application service has started, you can remove the farm account from the Administrators group.

Note:

After making changes to the farm account, you must restart the SharePoint Timer service or restart the server. This ensures that every SharePoint service that is currently running as the farm account is using the latest credentials.

Restart SharePoint Timer Service

In the next step, you should also remove the service account from the Farm Administrators group by following these steps:

Recall:

As per Microsoft's recommendations, it's better to remove the application pool/service account from the Farm Administrators group, because using highly privileged accounts for application pools or services poses a security risk to the farm and could allow malicious code to execute.

  • Open Central Administration > Security > Manage the farm administrators group.

  • Check the service account > from the Actions menu > Remove.

Note: You can't remove the farm account from the Farm Administrators group.

Solution (2)

  • Go to Central Administration > Security > Configure Service Accounts.


  • On the Service Accounts page, select the application pool or service that is currently running as an account in the local Administrators group.

SharePoint service accounts

  • In the “Select an account” list, choose an appropriate account that is not a member of the local Administrators group.

SharePoint Application service accounts

  • Or click “Register new managed account”.

You should be aware of the following points:

  • Some Windows services, such as SPTimerV4 (Windows Service), are mentioned in the Health Analyzer issue but are not listed in the component list.

Note:

The SharePoint Timer Service must run as the farm account, so you should remove the farm account from the local Administrators group instead of changing its service account.

  • Also, some services appear under a different name, such as AppFabricCachingService (Windows Service), which corresponds to Distributed Cache in the component list.

App Fabric Caching Service

  • Also, some services, such as the Distributed Cache Service, do not support changing their service account from Central Administration:

Distributed Cache Service does not support this operation from Central Administration. Please use Sharepoint Powershell commandlets

To change the Distributed Cache service account with PowerShell, see the post “Distributed Cache Service does not support this operation from Central Administration. Please use Sharepoint Powershell command lets”.
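For reference, this is how the Distributed Cache identity is changed from the SharePoint 2013 Management Shell, through the farm's AppFabricCachingService object rather than Central Administration (added example, not code from the original post). DOMAIN\svc_cache is a placeholder for a domain account that is not in the local Administrators group.

```powershell
# Added example: move the Distributed Cache (AppFabricCachingService) to a
# low-privilege managed account. Run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = "DOMAIN\svc_cache"   # placeholder, not a real account

# The identity must be a managed account; register it if it is not yet one.
$account = Get-SPManagedAccount -Identity $accountName -ErrorAction SilentlyContinue
if (-not $account) {
    $cred = Get-Credential -UserName $accountName -Message "Password for the new managed account"
    $account = New-SPManagedAccount -Credential $cred
}

# Distributed Cache is a farm-level service (not a service application), so its
# process identity is reached through SPFarm.Services by the Windows service name.
$farm = Get-SPFarm
$cacheService = $farm.Services | Where-Object { $_.Name -eq "AppFabricCachingService" }

$cacheService.ProcessIdentity.CurrentIdentityType = "SpecificUser"
$cacheService.ProcessIdentity.ManagedAccount = $account
$cacheService.ProcessIdentity.Update()   # persist the change in the configuration database
$cacheService.ProcessIdentity.Deploy()   # apply the new logon account on every cache host

# Verify: the service should report the new account and every cache host should be Online.
$cacheService.ProcessIdentity.ManagedAccount.UserName
Get-SPServiceInstance | Where-Object { $_.TypeName -eq "Distributed Cache" } |
    Select-Object Server, Status
```

After the deploy completes, reanalyze the Health Analyzer rule as described below to confirm AppFabricCachingService has dropped off the list.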

  • Reanalyze the Health Analyzer issue to make sure it has been resolved by going to Central Administration > Monitoring > Review problems and solutions.
  • Click on the error > from the ribbon > select Reanalyze Now.
  • Wait a moment, then go back to the Health Analyzer report list; the issue should no longer be listed.

Enjoy 🙂

See also: User Profile Synchronization Service Starting then Stopped in SharePoint
