How to Change the Exchange Service Account
First, Q214492 stated: "If for any reason you need to change the Exchange Service account, please call Microsoft Exchange Server Support for assistance." This is good advice. We cannot add enough disclaimers here. In short, botch it and you will be sad.
Second, THIS ONLY WORKS ON A SINGLE SERVER.
Third - Here's the process:
- This is fairly major surgery. As such, you are strongly advised to take a full online backup of the Exchange Directory and Information Store, AND a full offline backup of the entire system, AND create a new Emergency Repair Disk.
- Create a new service account and assign the following rights:
Act as part of the Operating System
Log On As a Service
Backup Files and Directories permissions.
For now, set the password the same as the existing service account (if possible).
- Start the Administrator program in raw mode (admin.exe /r).
- Add the new account to the permissions on the Organization, Site, and Configuration containers as a Service Account Admin.
- Add the new account to the Schema object with the following steps:
- On the View menu, click Raw Directory.
- Click the Schema object on left pane under the Site Object.
- On the File menu, click Raw Properties.
- Double-click the NT Security Descriptor attribute.
- Double-click NT Security Descriptor (no, this is not a repeat of the last step).
- Add the new service account. Make sure the role is Service Account Admin.
- Click OK, click Set, and then click OK again.
- If the new account is not a member of the Local Admin group, give it Full Control on the following registry keys and subkeys:
[Note: Editing the registry is delicate work. If you botch it you will be sad.]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_USERS
Do this in Regedt32.exe by selecting each key and:
- Click SECURITY\Permissions.
- Click on the Replace Permission on Existing Subkeys box.
- Click the Add button.
- Select the account in the Add Users and Groups window.
- Under the X:\exchsrvr directory, there are five shared directories (Add-ins, Address, Connect, Res and tracking.log). The *default* permissions on these directories are:
Administrator: Full Control
Everyone: Read
<service account>: Full Control
You must change the permissions on these shares (and possibly the directories) to reflect the new service account.
If the computer running Microsoft Exchange Server is on an NTFS partition (and there should be no reason it is not!), you must give Full Control permissions to the new service account on all the Exchange directories (\exchsrvr directory on each drive - including subdirectories).
- Stop the Microsoft Exchange Services.
- Open the Services Control Panel and change the service account on all the Microsoft Exchange Server services.
a. Start the Services applet in the Control Panel.
b. Select each Microsoft Exchange service, click the Startup Button, and change the account and password.
- Restart all Microsoft Exchange services. All services should start with the new Microsoft Exchange Server Service Account.
- At this point, if Exchange is still running, repeat step 3, but delete the old account.
- If you want to change the password, you can do it from the Microsoft Exchange Administrator program in the Configuration property page. The password also must be changed in Windows NT by using the User Manager for Domains.
- Then stop and restart all Exchange services to be sure you got the passwords right.
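A check for the restart step above, as an added example that is not part of the original article: it parses saved `sc qc` output and lists Exchange services whose logon account is not the new service account. The sample output, the EXAMPLE domain, both account names and the "MSExchange" service-name prefix filter are assumptions made for the example.

```python
import re

# Constructed sample: `sc qc <service>` output for three services, concatenated.
# The domain, both account names and the results are invented for illustration.
SAMPLE_SC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MSExchangeSA
        START_TYPE         : 2   AUTO_START
        SERVICE_START_NAME : example\EXCH-NEW

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MSExchangeMTA
        START_TYPE         : 2   AUTO_START
        SERVICE_START_NAME : EXAMPLE\exch-old

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        START_TYPE         : 2   AUTO_START
        SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(r"^\s*(SERVICE_NAME|SERVICE_START_NAME)\s*:\s*(.*?)\s*$")

def parse_logon_accounts(text):
    """Return {service_name: logon_account} from concatenated `sc qc` output."""
    accounts, current = {}, None
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = value
            accounts[current] = None  # stays None if no start name follows
        elif current is not None:
            accounts[current] = value
    return accounts

def audit(text, new_account, prefix="MSExchange"):
    """List (service, account) pairs for Exchange services not on new_account."""
    wanted = new_account.casefold()  # Windows account names are case-insensitive
    return sorted(
        (name, acct) for name, acct in parse_logon_accounts(text).items()
        if name.casefold().startswith(prefix.casefold())
        and (acct or "").casefold() != wanted
    )

if __name__ == "__main__":
    print(audit(SAMPLE_SC_OUTPUT, r"EXAMPLE\exch-new"))
```

An empty list means every matched service has been moved; any entry names a service still configured with the old (or an unexpected) account.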
Servers in a single site may be changed in a more complex process:
- Shut down all the servers in the site.
- Bring one server up and follow the procedure above.
- Shut the server back down.
- Repeat steps 2-3 until all servers have been modified.
- Bring all the servers back up.
Related articles:
- XADM: How To Change the Service Account (created 24-JUN-1996, modified 13-APR-1998)
- Q157780 describes the procedure to change the password.
- Q155269 points to the Exchange Administrators FAQ. There was a section 1.7 that has been removed which used to give the procedure.
- Q163686 covers a deleted service account which is arguably a different situation.
- Q214492 stated:
"When Microsoft Exchange Server is installed, the Exchange Setup program asks for a user account to be used as the Service account. This account is then given special permissions in Windows NT as well as inside Exchange Server. Because of the dependency that Exchange Server has on the Service account and the way the Service account interacts with the numerous components in Exchange Server, it is not recommended that you change the Exchange Server Service account for any reason after the Exchange Server Setup has been completed. If for any reason you need to change the Exchange Service account, please call Microsoft Exchange Server Support for assistance."
- "How to Change the Exchange Server 5.5 Service Account" White Paper.