Friday, June 7, 2013

Remove-SPManagedAccount is not working or you can't remove Managed Accounts from GUI

The Problem

I had to change the farm administrator because IT decided not to use a single account as local admin anymore.

So I changed the farm account with PowerShell and adapted all the services. The only thing was that I had forgotten to delete the account from the managed accounts list.

Weeks passed and I stumbled over the account in the managed accounts list. When I tried to open the link "Security" -> "Configure managed accounts" I got an exception.

The error was obvious. The account which was deleted from the AD could not be resolved.


1. Try

I created the user again in the AD. After that the error in the UI disappeared, but when I tried to delete the managed account from the list, I got the following error.



2. Try

It seemed that some services still referenced this account.

The first thing was to check the IIS Application Pool accounts. Then I double-checked the settings in the CA "Security" -> "Configure Service Accounts" section.

The second thing was to delete the user from the site collection. Check if the user is still Site Collection Admin of the Central Administration site, check all Web Service Policies and delete the user from the site collection:

  • http://<cadmin:port>/_layouts/people.aspx?MembershipGroupId=0

After that I tried to delete the account again with no success.

You can check the pools with PowerShell easily by typing: Get-SPServiceApplicationPool
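
The checks from this attempt can be run in one read-only pass over the farm object model before touching anything else. This is an added example, not code from the original post or the linked one; the function names Find-SPAccountReference and New-Hit are hypothetical, and it assumes the SharePoint Management Shell with strict mode off.

```powershell
# Added example: read-only audit, run in the SharePoint Management Shell as farm admin.
# Find-SPAccountReference and New-Hit are hypothetical helper names.
function New-Hit($Kind, $Name) {
    New-Object PSObject -Property @{ Kind = $Kind; Name = $Name }
}

function Find-SPAccountReference {
    param([Parameter(Mandatory = $true)][string]$Login)   # "domain\login"

    # Claims-encoded names (i:0#.w|domain\login) end with the plain login.
    $matchesLogin = { param($n) $n -and $n.EndsWith($Login, [StringComparison]::OrdinalIgnoreCase) }

    # Service application pools, the list Get-SPServiceApplicationPool prints.
    Get-SPServiceApplicationPool |
        Where-Object { & $matchesLogin $_.ProcessAccountName } |
        ForEach-Object { New-Hit 'ServiceAppPool' $_.Name }

    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        # IIS application pool identity of each web application.
        if (& $matchesLogin $wa.ApplicationPool.Username) {
            New-Hit 'WebAppPool' "$($wa.DisplayName) / $($wa.ApplicationPool.Name)"
        }
        # Web application user policies.
        foreach ($p in $wa.Policies) {
            if (& $matchesLogin $p.UserName) { New-Hit 'WebAppPolicy' $wa.DisplayName }
        }
        # Site collection administrators of Central Administration.
        if ($wa.IsAdministrationWebApplication) {
            foreach ($site in $wa.Sites) {
                foreach ($u in $site.RootWeb.SiteAdministrators) {
                    if (& $matchesLogin $u.LoginName) { New-Hit 'CentralAdminSiteAdmin' $site.Url }
                }
                $site.Dispose()
            }
        }
    }

    # Windows services; other service types have no ProcessIdentity and yield $null.
    foreach ($svc in (Get-SPFarm).Services) {
        $id = $svc.ProcessIdentity
        if ($id -and (& $matchesLogin $id.Username)) { New-Hit 'Service' $svc.TypeName }
    }
}

# Find-SPAccountReference -Login "domain\login" | Format-Table Kind, Name -AutoSize
```

If this returns nothing and Remove-SPManagedAccount still fails, the remaining reference is not a live farm object, which is the situation the next attempt deals with.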

3. Try

The solution was in this post http://techilatalk.com/remove-spmanagedaccount-not-working/.

Steps to do.

  1. Find the id of the managed account
    1. Open "SharePoint Management Shell"
    2. Type: Get-SPManagedAccount | FT UserName
    3. You'll see a list of managed accounts. Remember the login name.
      $acc = Get-SPManagedAccount -identity "domain\login"
    4. Type $acc.Id and copy the ID.
  2. Open SQL Server Management Studio. You can open this tool from every server which has access to the database. Only open it with Shift + Right Click & "Run as different user". Enter the farm admin's credentials.

    1. Click "New Query"
    2. Enter the following query, where the ObjectId is the ID of the managed account. The name of my config database is "ST_ConfigDb". Your config DB surely has another name.


    3. We now see that the account has two dependencies. Now check the dependencies. The dependencies table refers to objects from the objects table.


    4. Now I see that the account refers to 2 pools with the names ST_Apps and SP01_MySites.
      The application pool ST_Apps doesn't exist anymore and I had already checked the account for the service SP01_MySites. That's weird.
    5. Next I checked if this can be an old reference, maybe a ghost one:


    6. And yes, there was a second entry. I'm sure that this is an old reference. So I went back to the dependencies table, executed the first query again, made a copy of the line as backup and deleted both rows.
  3. Delete the managed account
    1. Open SharePoint Management Shell
    2. $acc = Get-SPManagedAccount -identity "domain\login"
    3. Remove-SPManagedAccount $acc
    4. Check with Get-SPManagedAccount


!! This solution is not supported by Microsoft. Microsoft does not support any changes made directly to the database.

Unfortunately I could not find any other solution.

