Change the Service Account or Password for Team Foundation Server

You can help improve the security of Visual Studio Team Foundation Server by changing its service account or the password used for that account. Team Foundation Server runs services such as its Web services and the Team Foundation Background Job Agent in the context of a service account. For simplicity, the Team Foundation Server documentation refers to this account as TFSService, although that is not the actual name of the account unless you specifically create an account with that name. Team Foundation Server stores a record of the name of the actual account that is used as its service account. By changing the record, you can assign a different account to act as the service account. You can also change the password for that account. Whether you change the account, the password, or both, you stay synchronized with other components in your deployment. For example, if an Active Directory domain policy requires that all passwords expire periodically, you can update the password information for the service account in Team Foundation Server when that password changes.

Note

Team Foundation Server and its utilities cannot create a new local or domain account to use as TFSService, and they cannot update the password for that account in the workgroup or the domain. Instead, the utilities update the records to match the new credentials. If you your deployment includes more than one application-tier server, you must manually update each server with any changes to the service account or its password.

For more information about service accounts in Team Foundation Server, see Service Accounts and Dependencies in Team Foundation Server. For more information about the accounts required for installation, including the service account for Team Foundation Server, see the installation guide for Team Foundation.

Required Permissions

To perform these procedures, you must be a member of the Administrators group on the Team Foundation application-tier server and a member of the sysadmin group on the server and instance of SQL Server that hosts the configuration database for Team Foundation. For more information, see Team Foundation Server Architecture and Team Foundation Server Permissions.

If the server is running Windows Server 2008 or Windows Vista, to follow a command-line procedure, you might need to open an elevated Command Prompt window. To perform this task, click Start, right-click Command Prompt, and click Run as Administrator. For more information, see this page on the Microsoft Web site: User Account Control.

Changing the Password of the Service Account

To change the password of TFSService, you must log on to the application-tier server for Team Foundation and either use the administration console for Team Foundation, or open a Command Prompt window and use the TFSConfig command-line utility. If your deployment includes more than one application-tier server, you must perform this task on each server, or the account information will be out of synchronization.

Note

Depending on your deployment configuration, you might need to restart Internet Information Services (IIS) after you complete the procedure before the changes will take effect.

To use the administration console to change the password

  1. Open the administration console for Team Foundation on the server that hosts the application tier.

    For more information, see Open the Team Foundation Administration Console.

  2. In the console, expand the server name and click Application Tier.

  3. In the Application Tier pane, click Update Account Password.

    The Update Account Password window opens.

    Note

    If you used a system account as the service account, you will see an error message when you click Update Account Password. You do not need to change the password of that account. System accounts do not have user-managed passwords.

  4. Type the new password in Password, and then click OK.

    The Change Service Account window opens.

  5. Wait for all the status messages to complete in Status, and then click Close.

    Note

    This process might take a few minutes.

To use the TFSConfig utility to change the password

  1. On the application-tier server, open a Command Prompt window and change directories to the directory that contains the TFSConfig utility.

    By default, this utility is located in Drive:\Program Files\Microsoft Team Foundation Server 2010\Tools.

  2. At the command line, type **TFSConfig Accounts /UpdatePassword /accountType:ApplicationTier /account:**AccountName **/password:**NewPassword, and then press ENTER.

  3. You must specify both the name of the account you want to use as TFSService (AccountName) and the password of the account (NewPassword).

Assigning a Different Account as the Service Account

To configure Team Foundation Server to use a different account as the service account for Team Foundation, you can use either the administration console or the TFSConfig command-line utility. If your deployment includes more than one application-tier server, you must perform this task on each server, or the account information will be out of synchronization. Before you use either utility to make the change, consider the following issues:

  • You must choose a new account that is either a system account or a member of a workgroup or domain that is trusted by every computer in this deployment of Team Foundation Server.

  • The configuration utilities grant the Log on as a service permission to the new service account, but the utilities do not revoke this permission from the account previously used as the service account if another service still uses that account. If the old account no longer needs that permission for the service for which it is still in use, you might want to manually remove that permission from the old account.

    For more information, see this page on the Microsoft Web site: Add the Log on as a service right to an account.

  • You might need to restart IIS after you complete the procedure before the changes will take effect.

  • The TFSConfig utility changes only those services that run under the old account.

To use the administration console to change the service account

  1. Open the administration console for Team Foundation on the server that hosts the application tier.

  2. In the console, expand the server name and click Application Tier.

  3. In the Application Tier pane, click Change Account.

    The Update Service Account window opens.

  4. Perform one of the following steps:

    1. If you want to use a system account, click System Account, and then choose a system account from the drop-down list.

      If your server is a member of an Active Directory domain, the default choice for the system account to use is Network Service. If your server is a member of a workgroup, the default choice is Local Service. Depending on the details of your deployment, the default choice might be the only available choice.

      Note

      System accounts do not have user-managed passwords. If you choose to use a system account as TFSService, you should not type a password in the password field.

    2. If you want to use a domain or workgroup account, click User Account, type the name of the account in Account Name, and then type the password for that account in Password.

  5. Click OK.

    The Change Service Account window opens.

  6. Wait for all the status messages to complete in Status, and then click Close.

    Note

    This process might take a few minutes.

To use the TFSConfig utility to change the service account

  1. On the application-tier server, open a Command Prompt window and change directories to the directory that contains the TFSConfig utility.

    By default, this utility is located in Drive:\Program Files\Microsoft Team Foundation Server 2010\Tools.

  2. At the command line, type **TFSConfig Accounts /change /accountType:ApplicationTier /account:**AccountName **/password:**NewPassword, and then press ENTER.

    For more information, see Accounts Command.

See Also

Tasks

Change the Service Account or Password for SQL Server Reporting Services

Reference

Accounts Command

Concepts

Service Accounts and Dependencies in Team Foundation Server

Other Resources

Managing Server Configuration with TFSConfig

How to: Change the Password for Visual Studio Team Foundation Build Service

Change History

Date

History

Reason

March 2011

Updated information about changing the service account or its password in deployments that have more than one application-tier server.

Customer feedback.