When you install Exchange on your NT server, you are supposed to log on to the server with the account you want the Exchange services to run as. Setup records this as Exchange's service account: every Exchange service logs on with it, and it is granted the Service Account Admin role on the directory, which is why the account cannot simply be swapped in the Services applet later. Occasionally, people forget to do this and later wish they had. In other cases, the auditors (or the MIS Director) in a company may decide that the account Exchange runs as has to change.

How do you change Exchange's service account with the least pain? It can be done, but proceed carefully: some of the changes are made in the registry and in the raw mode of Exchange Administrator, where a wrong edit is not undone by clicking Cancel. One caveat before you start: the service account is shared by every server in a site (it is the site services account), so if your site has more than one server, you must make the same change on each of them. In this Daily Drill Down, I'll show you how to change Exchange's service account, step by step.

Getting ready
Before making this kind of change to Exchange, back up the registry. In Regedit, select Registry, then Export Registry File, and provide a path and a name for the export; I usually create a directory called Backup Registry and put the exported file there. Note that a .reg export records keys and values but not the permissions on them, and permissions are exactly what this procedure changes. To keep the ACLs as well, use Regedt32's Registry, Save Key on each key you are about to touch, or take a full backup that includes the registry.

Because I like to plan for the worst, I would also suggest you make sure your ERD (Emergency Repair Disk) is up to date by running rdisk /s; without the /s switch, Rdisk does not refresh the SAM and SECURITY hives in %SystemRoot%\repair. You may want this to run automatically each night so that the copy stored on the server's hard drive stays current, but if you do, restrict %SystemRoot%\repair to Administrators: the sam._ file kept there is a copy of the account database and is a favourite target for password-cracking tools.

Next, make sure that you have at least two good, verified backups of your Exchange server, unless you have installed Exchange so many times that you can rebuild the server quickly and don't mind the possibility of losing all your e-mail.

Creating the new service account for Exchange
To create the new service account, first create a user account in User Manager For Domains. Give it a recognisable user ID (I suggest a name like EXCHSVC) and a password that is long, unique to this account and made up of letters, numbers and at least one punctuation character, so that someone playing "guess the password" doesn't get in. Check User Cannot Change Password and Password Never Expires, and clear User Must Change Password At Next Logon: if this account's password expires under your domain policy, every Exchange service fails to log on at its next start. Treat the password as an administrator-level secret, because with the rights granted below this account can do anything on the server.

Once you have created the user account, you’ll need to grant a few additional rights. These additional rights are:

  • Act As Part Of The Operating System
  • Log On As A Service
  • Restore Files and Directories

To do this, in User Manager For Domains select User Rights from the Policies menu and check Show Advanced User Rights. Select each of the rights above in turn from the Right: drop-down list; the list beneath it shows the users and groups that currently hold that right. Click Add, pick the service account you just created, and click OK. Be aware that Act As Part Of The Operating System (SeTcbPrivilege) is effectively full control of the machine, which is why this account should be reserved for the Exchange services and not reused as a general login.

I usually also make the Exchange service account a member of the Domain Admins group, so that if I log in with this account on the Exchange server, I can still do other tasks. Exchange itself doesn't need this, and it turns the service account's password into a domain-wide administrative credential, so weigh that against the convenience. Either way, log in with the account once before switching Exchange to it, to confirm that the login name and password combination works.
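The account-creation and user-rights steps above, as an added PowerShell example that is not part of the original article. The article's host is Windows NT 4, which has no PowerShell; this script is the equivalent on a current Windows host and relies on secedit.exe for the rights, because PowerShell has no built-in cmdlet for user-rights assignment. It assumes a local account on a member server (the domain equivalent is New-ADUser with the same two flags); the name EXCHSVC is the article's suggestion, the password is whatever you type at the prompt, and the three privilege constants are the Windows names for the rights listed above.

```powershell
# Added example (not from the article): create the Exchange service account and
# grant it the three rights listed above without removing the accounts that already
# hold them. Run in an elevated Windows PowerShell 5.1 session; needs secedit.exe.
# The account name EXCHSVC is the article's suggestion; the password is yours.

# Windows privilege constants for the three rights the article lists.
$ExchangeServiceRights = @(
    'SeTcbPrivilege',        # Act As Part Of The Operating System
    'SeServiceLogonRight',   # Log On As A Service
    'SeRestorePrivilege'     # Restore Files And Directories
)

function New-ExchangeServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    # Both flags matter: a service account whose password expires, or that a user
    # may change, breaks every Exchange service at its next logon. (Local account
    # assumed; for a domain account use New-ADUser with the same two switches.)
    New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Exchange service account' | Out-Null
}

function Get-AccountSid {
    param([Parameter(Mandatory)] [string] $Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# secedit pitfall: a [Privilege Rights] line you import REPLACES the holders of
# that right rather than adding to them. This takes the lines of a secedit export
# and returns the same assignments with $SidToken (*S-1-...) appended where missing.
function Merge-PrivilegeAssignments {
    param(
        [Parameter(Mandatory)] [string[]] $ExportedLines,
        [Parameter(Mandatory)] [string[]] $Privileges,
        [Parameter(Mandatory)] [string]   $SidToken
    )
    foreach ($priv in $Privileges) {
        $line = @($ExportedLines | Where-Object { $_ -match "^\s*$priv\s*=" })[0]
        $holders = @()
        if ($line) {
            $holders = @((($line -split '=', 2)[1] -split ',') |
                         ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        if ($holders -notcontains $SidToken) { $holders += $SidToken }
        "$priv = $($holders -join ',')"
    }
}

function Grant-UserRights {
    param(
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [string[]] $Privileges
    )
    $sidToken = '*' + (Get-AccountSid -Account $Account)
    $work = Join-Path $env:TEMP 'exchsvc-rights'
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $export = Join-Path $work 'current.inf'
    $import = Join-Path $work 'grant.inf'

    & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $export   # export is UTF-16 with a BOM; Get-Content handles it

    $inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
             '[Privilege Rights]') +
           @(Merge-PrivilegeAssignments -ExportedLines $lines -Privileges $Privileges -SidToken $sidToken)
    $inf | Out-File -FilePath $import -Encoding Unicode

    & secedit.exe /configure /db (Join-Path $work 'grant.sdb') /cfg $import /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
}

# Verify by re-exporting: every listed right must now name the account's SID.
function Test-UserRights {
    param([Parameter(Mandatory)] [string] $Account, [Parameter(Mandatory)] [string[]] $Privileges)
    $sidToken = '*' + (Get-AccountSid -Account $Account)
    $export = Join-Path $env:TEMP 'exchsvc-verify.inf'
    & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $export
    foreach ($priv in $Privileges) {
        $line = @($lines | Where-Object { $_ -match "^\s*$priv\s*=" })[0]
        if (-not $line) { return $false }
        $holders = @((($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() })
        if ($holders -notcontains $sidToken) { return $false }
    }
    return $true
}

# --- usage ---
$account  = 'EXCHSVC'
$password = Read-Host -AsSecureString -Prompt "Password for $account"
New-ExchangeServiceAccount -Name $account -Password $password
Grant-UserRights -Account $account -Privileges $ExchangeServiceRights
if (-not (Test-UserRights -Account $account -Privileges $ExchangeServiceRights)) {
    throw "One or more rights were not applied to $account"
}
```

The export-merge-import dance is the point: a hand-written INF that lists only the new account under SeServiceLogonRight would strip that right from every other service account on the box the moment it is imported, which is a far worse outage than the one you are trying to avoid.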

Activating the new service account
Using the new service account in Exchange involves more than changing the login name and password for all the Exchange services. You must start the Exchange Administrator in raw mode to make the changes necessary for the new service account to work properly. Be careful when in raw mode in Exchange Administrator. It’s just like being in Regedit—whatever changes you make here can be permanent, and if they’re not made correctly, you may end up reinstalling your Exchange server to make your e-mail system functional.

To start Exchange Administrator in raw mode, select Run from the Start menu, type c:\exchsrvr\bin\admin /r (adjust the path if you installed Exchange elsewhere), and press [Enter]. You'll first need to give the new service account the Service Account Admin role on the Organization, Site, and Configuration container property pages. Start with the Organization container (it looks like a small globe with an envelope to the right of it): select File, then Properties. When the Organization properties page appears, click the Permissions tab, then click Add to add the new Exchange service account to the Windows NT Accounts With Permissions list. Make sure the role displayed for this account reads Service Account Admin, and click OK to save the change.

Next, do the same at the Site level. Select the Site container (the one with the graphic of a circle with an X through it), then File and Properties. When the Site properties page appears, click the Permissions tab, click Add to add the new Exchange service account to the Windows NT Accounts With Permissions list, make sure it also shows the Service Account Admin role, and click OK to save the change.

Finally, the Configuration container needs the same change. Click the Configuration container (the one with a small gear graphic next to it), select File, then Properties.

When the Configuration container properties page appears, click the Permissions tab, then click Add to add the new Exchange service account to the Windows NT Accounts With Permissions list. Again, make sure the new service account shows the Service Account Admin role, then click OK to save the change. Leave the old service account's permissions in place for now: it is still the account the running services use, and you'll remove it after the switch.

Making the changes in Exchange schema
You’ll now need to make a change to the Exchange schema. Since the Exchange Administrator is already started, from the View menu, select the Raw Directory option. When the screen refreshes, there will be an additional object below the Configuration container labeled Schema.

Click on the Schema object. Then, select the Raw Properties option from the File menu. The Schema Properties screen will appear. Click on the NT-Security-Descriptor object in the Object Attributes window, and then click the Editor button in the lower right-hand corner of the Schema Properties screen. When the Attribute Editor Selection window appears, select the NT security descriptor in the Editor type window, and click OK to continue.

Now you'll see the NT-Security-Descriptor Properties window, with the current service account listed in the Service Account Admin role. Click Add to bring up the Add Users And Groups screen, highlight the user name you want to use as the new service account, click Add, and then OK. Back on the previous screen, you should see the new account listed. Make sure that it is shown as Service Account Admin (change the role if necessary), and click OK to continue.

Now, you'll need to grant the new service account Full Control on the following registry keys and their subkeys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  • HKEY_USERS

You'll do this using Regedt32.exe (the NT 4 Regedit has no Security menu and cannot edit permissions). Start it, click the HKEY_LOCAL_MACHINE window, and navigate down the hive until you find the ProfileList subkey under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion. Then select Permissions from the Security menu.

When the Registry Key Permissions screen appears, select the check box for the Replace Permission On Existing Subkeys option. Click Add, highlight the new service account, make sure that it has Full Control listed in the Type Of Access field, and then click OK. When you return to the previous screen, you should see the new account listed with full access. Click OK to apply the new access to this registry key. You’ll then see a dialog box asking if you want to change the permissions. Click OK to proceed.

Repeat the process for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key. Since you are already in the HKEY_LOCAL_MACHINE window, work your way down through the key structure until the Services subkey is highlighted, then select Permissions from the Security menu.

When the Registry Key Permissions screen appears, again select the Replace Permission On Existing Subkeys check box, click Add, select the new service account, make sure that Full Control is shown in the Type Of Access field, and click OK. Back on the previous screen, confirm that the new account is listed with Full Control, click OK to apply it, and click OK once more in the dialog box that asks whether you want to change the permissions.

The last key is HKEY_USERS. This one is a little easier, since you are changing an entire root key. Select the Window menu and click the window that lists HKEY_USERS, click HKEY_USERS, and select Permissions from the Security menu. When the Registry Key Permissions screen appears, select the Replace Permission On Existing Subkeys check box, click Add, highlight the new service account, make sure that Full Control is shown in the Type Of Access field, and click OK. Back on the previous screen, confirm the new account is listed with Full Control, click OK to apply it, and click OK in the dialog box that asks whether you want to change the permissions. Regedt32 applies permission changes as soon as you click OK, so simply close the Registry Editor when you are done. Keep in mind what you have just done: Full Control over HKEY_USERS gives the service account write access to every loaded user profile hive, which is one more reason not to use this account for interactive work.

The last step is to switch each of the Exchange services to the new service account. Double-click Services in Control Panel, highlight each Exchange service in turn, and click Stop. Do this only at a time when your users don't need the mail server: e-mail on your network stops as soon as the services are down and does not resume until you restart them. If you stop the System Attendant first, NT will offer to stop the services that depend on it as well.

For a basic Exchange server, you’ll need to modify the following services:

  • Microsoft Exchange Directory
  • Microsoft Exchange Event Service
  • Microsoft Exchange Information Store
  • Microsoft Exchange Internet Mail Service
  • Microsoft Exchange Message Transfer Agent
  • Microsoft Exchange System Attendant

Depending on the additional services and connectors installed on your Exchange server, there may be more. After you have stopped all the services, highlight each one in turn and click Startup. When the Service properties screen appears, under Log On As select This Account, enter the new account name and its password (twice), and click OK to save the change.

If you receive an error that the account you entered isn't valid, use the browse button beside This Account to find the account in your domain, highlight it, and click OK to return to the Service properties screen; then enter the password for the new service account and click OK to return to the Services screen. After all of the Exchange services point at the new account, start them, System Attendant and Directory first, and check Event Viewer. A wrong password or a missing Log On As A Service right shows up in the System log as Service Control Manager errors, while problems with the directory permissions you set earlier show up in the Application log under the MSExchange sources.
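The registry-permission, service-account and Event Viewer steps above, as an added PowerShell example that is not part of the original article. As before, the article's NT 4 host cannot run this; it is the equivalent on a current Windows host and is only meaningful on a machine where the six Exchange services exist. The key paths and service display names are taken from the article, the start order is the Exchange 5.5 dependency order, and the account name you give at the credential prompt is an assumption; it must already hold the rights from the previous section.

```powershell
# Added example (not from the article): grant the new service account Full Control
# on the three registry keys named above, move the Exchange services to it, restart
# them in dependency order and list any logon or startup failures. Run elevated in
# Windows PowerShell 5.1 on the Exchange server. Key paths and service display names
# are the article's; the account name you type at the prompt is an assumption.

# HKEY_USERS has no default drive in the registry provider.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Global | Out-Null
}

$RegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKU:\'
)

# The article's six services, listed in the order they must be STARTED
# (System Attendant and Directory before the store, MTA and connectors).
$ExchangeServices = @(
    'Microsoft Exchange System Attendant',
    'Microsoft Exchange Directory',
    'Microsoft Exchange Information Store',
    'Microsoft Exchange Message Transfer Agent',
    'Microsoft Exchange Internet Mail Service',
    'Microsoft Exchange Event Service'
)

function Grant-RegistryFullControl {
    param([Parameter(Mandatory)] [string] $Key, [Parameter(Mandatory)] [string] $Account)
    # ContainerInherit makes the rule flow down to subkeys, the effect Regedt32's
    # "Replace Permission On Existing Subkeys" box has on keys that inherit.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Key
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
    # Subkeys that block inheritance would be missed, so stamp those explicitly,
    # which is what NT 4 did to every subkey when you ticked that box.
    Get-ChildItem -Path $Key -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.PSPath
        try {
            $sub = Get-Acl -Path $path
            if ($sub.AreAccessRulesProtected) {
                $sub.AddAccessRule($rule)
                Set-Acl -Path $path -AclObject $sub
            }
        } catch { Write-Warning "ACL not changed on ${path}: $_" }
    }
}

function Set-ExchangeServiceLogon {
    param([Parameter(Mandatory)] [string[]] $DisplayNames,
          [Parameter(Mandatory)] [pscredential] $Credential)
    $plain = $Credential.GetNetworkCredential().Password   # Win32_Service.Change takes clear text
    foreach ($name in $DisplayNames) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$name'"
        if (-not $svc) { Write-Warning "'$name' is not installed here; skipping"; continue }
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
                -Arguments @{ StartName = $Credential.UserName; StartPassword = $plain }
        if ($r.ReturnValue -ne 0) { throw "Change() on '$name' returned $($r.ReturnValue)" }
    }
}

# Logon failures land in the System log as Service Control Manager errors (7000 and
# 7013 on NT-era systems, 7038 on current ones); directory-permission problems land
# in the Application log under the MSExchange* sources.
function Get-StartupErrors {
    param([Parameter(Mandatory)] [datetime] $Since)
    $sys = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Level = 1, 2; StartTime = $Since; ProviderName = 'Service Control Manager' }
    $app = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; Level = 1, 2, 3; StartTime = $Since } |
        Where-Object { $_.ProviderName -like 'MSExchange*' }
    @($sys) + @($app) | Select-Object TimeCreated, LogName, ProviderName, Id, Message
}

# --- usage: run in a maintenance window; mail stops while the services are down ---
$cred  = Get-Credential -Message 'New Exchange service account, e.g. DOMAIN\EXCHSVC'
$since = Get-Date
foreach ($key in $RegistryKeys) { Grant-RegistryFullControl -Key $key -Account $cred.UserName }
$stopOrder = [string[]]$ExchangeServices.Clone(); [array]::Reverse($stopOrder)
foreach ($n in $stopOrder) { Stop-Service -DisplayName $n -Force -ErrorAction SilentlyContinue }
Set-ExchangeServiceLogon -DisplayNames $ExchangeServices -Credential $cred
foreach ($n in $ExchangeServices) { Start-Service -DisplayName $n -ErrorAction Continue }
Get-StartupErrors -Since $since | Format-Table -AutoSize
```

The password is taken from a PSCredential and only unwrapped for the Win32_Service.Change call, which has no other way to receive it; nothing is written to disk. An empty table from Get-StartupErrors after the services come up is the same check the article makes by eye in Event Viewer.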

Finishing up
Once you have verified that everything starts correctly, there are a few cleanup tasks to perform. Create an updated ERD (rdisk /s) and an updated registry backup: a Regedit export for the values and a Regedt32 Save Key of the keys you changed for the permissions. Then go back into Exchange Administrator and, on the Permissions tab of each container you edited (Organization, Site and Configuration) and in the Schema's NT-Security-Descriptor, either remove the old service account or reduce its role from Service Account Admin to a lower level. Finally, disable the old account in User Manager For Domains, or at least change its password; if an audit prompted the change, leaving the old credential usable defeats the purpose. This isn't something you'll need to do very often, but at least you now know the steps required to change to a new service account if you ever need to.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.