Best Practices to Change App Pool Account for SharePoint Web Application

Updating SharePoint Web Application Pool is one of the most common actions for SharePoint administration. I have repeatedly seen many SharePoint administrators and my fellow colleagues updating their SharePoint web application pool in the IIS and later realizing that their SharePoint content application is inaccessible and throws “Cannot connect to the configuration database” error.

The real reason behind this is when you create web application either through PowerShell or central admin, SharePoint configures application pool information at many different locations including machine level permissions, IIS, and database permissions. If you ever want to manually change the application pool, you must be aware of what really happens under the hood and visit all the different locations to change application pool manually. As you may think, manually changing all these machine level settings is tedious, error-prone, and requires better option. Luckily Microsoft has provided better option as manage service accounts page on the central administration site. It is best practice to change content web application pool or even service web application pool from the central administration to ensure SharePoint Content Web application runs smoothly.

You can use following step by step guide to change application pool for the given SharePoint web application. Additionally, it would walk you through what really happens under the hood and where SharePoint makes necessary changes to ensure Application Pool is configured properly.

Pre-requisites

  • New AppPool account must be Domain User Account (e.g. Niks\SPAppPool)
  • New AppPool account must register as SharePoint Managed Account

Changing Application Pool from the Central Administration

Visit Manage Service Accounts page on the central administration to change the application pool.

Run the IISReset after updating application pool to ensure all the configuration settings has been updated to access SharePoint Web Application correctly.

What really happens under the hood?

After you change the application pool through central administration, SharePoint automates various configuration settings changes at the machine level, IIS, and SQL Server.

  • SharePoint Web Application App Pool in IIS

  

  • Machine-level Permissions
    • New AppPool account added as Member in the WSS_WPG, AD Group
    • New AppPool account added as Member in the built-in IIS_IUSRS, AD Group

               

  • SQL Server and database permissions
    • SharePoint will create new SQL Server Login for AppPool Account in the Database if it doesn’t exists
    • New AppPool account is assigned to the db_owner role for the Web application content databases.

    • New AppPool account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.

    • New AppPool account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

    • New AppPool account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the StateService database.

    • New AppPool account will be assigned to the db_owner role for the associated user profile service application databases (e.g. Profile DB, Social DB, and Sync DB)

There you go. Regardless of what you do and where you manually change application pool account info, you still have to change application pool through manage security accounts screen. So, why not just change only at 1 place on manage security accounts screen and let SharePoint does it’s magic to update all the required places. Hopefully this will help. !!!!!

About these ads
This entry was posted in SP2010 Admin General. Bookmark the permalink.