This past week I presented at the local Colorado Springs SharePoint User Group meeting on using and customizing STSADM. The talk was really less about STSADM and more about SharePoint administration tips, tricks, and best practices – but we did create a new STSADM command from scratch during the meeting. I’ve taken what we did during the meeting and reworked it to add proper validation and help documentation and have included it in my download as gl-updateapppoolaccount.

The purpose of the command is to change the identity of the application pool associated with a specific web site. I thought this might be a good one to demo creating because I noticed that there was no existing command to do this (there’s a command to change the password, but not one to change the account) and I recently ran into a situation where it would be beneficial. As a consultant I often come into environments where the client’s MOSS implementation may not have been deployed in the most ideal way. My current client had all three of their MOSS environments (production, test, and development) using the same service accounts. I wanted to work with IT to set each environment to run under its own accounts, but I typically prefer to give IT a script that they can run so that they don’t have to figure out how to do this via Central Admin (in this case the IT staff was not yet trained on SharePoint and timelines didn’t allow me to wait for them to be trained). By using a script I could let the IT staff create the new accounts and update SharePoint without them having to tell me what the passwords were.

The code to update the accounts is really quite simple – all we do is get an SPApplicationPool object via the ApplicationPool property of an SPWebApplication object. We then update the Username and Password properties, call Update, and finally call Deploy (a member of the SPProcessIdentity class, from which the SPApplicationPool class inherits). Update saves the changes to the configuration database and Deploy pushes those changes to each of your web servers.

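using System;
using Microsoft.SharePoint.Administration;

/// <summary>
/// Updates the identity of the application pool used by the web application at the given URL.
/// </summary>
/// <param name="url">The URL of a web application that uses the application pool.</param>
/// <param name="type">The identity type to set (LocalSystem is rejected).</param>
/// <param name="login">The account (DOMAIN\user); used only when type is SpecificUser.</param>
/// <param name="password">The account password; used only when type is SpecificUser.</param>
public static void UpdateAccount(string url, IdentityType type, string login, string password)
{
    if (type == IdentityType.LocalSystem)
        throw new ArgumentException("Identity type of LocalSystem is not allowed.");

    SPWebApplication webApp = SPWebApplication.Lookup(new Uri(url));
    SPApplicationPool pool = webApp.ApplicationPool;
    pool.CurrentIdentityType = type;

    // Credentials only apply to a specific user account.
    if (type == IdentityType.SpecificUser)
    {
        pool.Username = login.Trim();
        pool.Password = password;
    }

    // Update saves the change to the configuration database;
    // Deploy pushes it out to each web server.
    pool.Update();
    pool.Deploy();
}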

The help for the command is shown below:

C:\>stsadm -help gl-updateapppoolaccount

stsadm -o gl-updateapppoolaccount


Updates the user account information for the application pool associated with the given URL.

Parameters:
        -url <web application url>
        [-userlogin <DOMAIN\user>]
        [-password <password>]
        [-type <localservice | networkservice | specificuser> (defaults to specificuser)]

The following table summarizes the command and its various parameters:

| Command Name | Availability | Build Date |
|---|---|---|
| gl-updateapppoolaccount | WSS v3, MOSS 2007 | Released: 10/12/2008 |

| Parameter Name | Short Form | Required | Description | Example Usage |
|---|---|---|---|---|
| url | | Yes | The URL of a web application associated with the application pool whose identity is to be changed. Note that this will not create a new application pool – any other web applications using this same application pool will also be affected. | -url http://portal |
| userlogin | u | No, unless type is specificuser | The user account to set as the identity of the application pool. | -userlogin "domain\user", -u "domain\user" |
| password | pwd | No, unless type is specificuser | The password associated with the specified user account. | -password "pa$$w0rd", -pwd "pa$$w0rd" |
| type | t | No | Either localservice, networkservice, or specificuser. Defaults to specificuser if not specified. | -type specificuser, -t specificuser |

The following is an example of how to set the user account for the portal web application:

stsadm -o gl-updateapppoolaccount -url http://portal -userlogin spdev\spportalapppool -password pa$$w0rd
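
For the hand-off scenario described above, where IT staff apply the change themselves, the same object-model calls can be driven from PowerShell so that the password is entered at a prompt instead of on the command line. This is an added example, not part of the original download; it assumes it is run on a farm server by a farm administrator, and the script name in the usage message is hypothetical.

```powershell
# Added example (not from the original download). Uses the same SharePoint
# object-model calls as UpdateAccount above; type is fixed to SpecificUser.
param(
    [string]$Url = $(throw "Usage: .\Set-AppPoolIdentity.ps1 -Url http://portal")  # hypothetical script name
)
$ErrorActionPreference = "Stop"
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup((New-Object System.Uri $Url))
if ($webApp -eq $null) { throw "No web application found at $Url" }
$pool = $webApp.ApplicationPool

# The pool may be shared: every content web application listed here gets the new identity.
$shared = @([Microsoft.SharePoint.Administration.SPWebService]::ContentService.WebApplications |
    Where-Object { $_.ApplicationPool.Name -eq $pool.Name })
Write-Host ("Application pool '{0}' currently runs as '{1}' and serves:" -f $pool.Name, $pool.Username)
$shared | ForEach-Object { Write-Host ("  " + $_.Name) }
if ((Read-Host "Change the identity for all of the above? (y/n)") -ne "y") { return }

# Prompt for the account so the password never appears on a command line or in a file.
$cred = Get-Credential
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') { throw "Enter the account as DOMAIN\user." }

$pool.CurrentIdentityType = [Microsoft.SharePoint.Administration.IdentityType]::SpecificUser
$pool.Username = $cred.UserName.Trim()
$pool.Password = $cred.GetNetworkCredential().Password
$pool.Update()   # save the change to the configuration database
$pool.Deploy()   # push the change to each web server

# Look the web application up again and report the configured account (never the password).
$check = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup((New-Object System.Uri $Url))
Write-Host ("Application pool '{0}' is now configured as '{1}'" -f $check.ApplicationPool.Name, $check.ApplicationPool.Username)
```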