User accounts are essential for the correct functioning of the provisioning process. If the passwords on these accounts expire, the service provider will be unable to provision users. To keep password expiration from stopping the provisioning service, set the passwords on these service accounts to never expire.

Also, changing passwords periodically is an essential part of securely operating a service provisioning system.

Service Account Locations

The following table lists the service accounts and the locations where you can change the passwords for these accounts. Be aware that services and components run under the security context of these accounts. When you change the password on any of these accounts, you must also update the security configuration of every service and component that logs on using that account.

Table: Password Change Locations of User Accounts

Each account name is followed by the location (or locations) for password change.

MPFClientAcct

  - Active Directory Users and Computers on a Domain Controller.

MPFServiceAcct

  - Active Directory Users and Computers on a Domain Controller.
  - Local Services on the server running the Microsoft Provisioning Framework (MPF) - Provisioning Auditing and Recovery Service. Set password in the Log On dialog box on the service.
  - Local Services on the server running the MPF - Provisioning Queue Manager Service. Set password in the Log On dialog box on the service.
  - Component Services on the server running the MPF - Provisioning Engine. Set password in the Identity in the Provisioning Engine properties dialog box on the service.

MPSPrivAcct-xxxxxx

  - Active Directory Users and Computers on a Domain Controller.
  - Microsoft Provisioning Credentials in Provisioning Manager on the server running the MPF - Set Password on the MPSPrivAcct-xxxxxx Account.

MPSPlansAcct

  - Active Directory Users and Computers on a Domain Controller.
  - Microsoft Provisioning Credentials in Provisioning Manager on the server running the MPF - Set Password on the MPSPlansAcct Account.

For more information about the advanced security features of MPS, see Microsoft Provisioning System Security.
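
The following PowerShell is an added example, not part of the original page or of MPS. For the accounts in the table above, it reports whether the password is set to never expire and how old it is, and lists the Windows services on the MPF server that log on as MPFServiceAcct. It assumes PowerShell 3.0 or later with the ActiveDirectory module installed; the function names and the 90-day threshold are assumptions.

```powershell
# Added example. Assumptions: ActiveDirectory module (RSAT) is installed,
# account names match the table, and $MaxAgeDays is a local policy choice.
Import-Module ActiveDirectory

$MaxAgeDays   = 90   # assumed rotation interval, not a value from this page
$NamePatterns = 'MPFClientAcct', 'MPFServiceAcct', 'MPSPrivAcct-*', 'MPSPlansAcct'

function Get-MpsAccountPasswordState {
    param([string[]]$Patterns, [int]$MaxAgeDays)
    foreach ($pattern in $Patterns) {
        # -like lets the MPSPrivAcct-xxxxxx suffix match without knowing it
        $users = @(Get-ADUser -Filter "SamAccountName -like '$pattern'" `
                       -Properties PasswordNeverExpires, PasswordLastSet)
        if ($users.Count -eq 0) {
            [pscustomobject]@{ Account = $pattern; NeverExpires = $null
                               PasswordAgeDays = $null; Finding = 'Account not found' }
            continue
        }
        foreach ($u in $users) {
            $findings = @()
            $age = $null
            if ($u.PasswordLastSet) {
                $age = [int]((Get-Date) - $u.PasswordLastSet).TotalDays
                if ($age -gt $MaxAgeDays) { $findings += "Older than $MaxAgeDays days" }
            } else {
                $findings += 'Password never set'
            }
            if (-not $u.PasswordNeverExpires) { $findings += 'Password can expire' }
            if ($findings.Count -eq 0) { $findings += 'OK' }
            [pscustomobject]@{ Account = $u.SamAccountName
                               NeverExpires = $u.PasswordNeverExpires
                               PasswordAgeDays = $age
                               Finding = $findings -join '; ' }
        }
    }
}

function Get-ServiceLogonsFor {
    # Run on the MPF server: lists local services whose logon account is
    # $AccountName, i.e. the Log On dialog boxes that need the new password.
    param([string]$AccountName)
    $rx = '(^|\\)' + [regex]::Escape($AccountName) + '(@|$)'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match $rx } |
        Select-Object Name, DisplayName, StartName, State
}

Get-MpsAccountPasswordState -Patterns $NamePatterns -MaxAgeDays $MaxAgeDays | Format-Table -AutoSize
Get-ServiceLogonsFor -AccountName 'MPFServiceAcct' | Format-Table -AutoSize
```

The Provisioning Engine identity under Component Services and the credentials stored in Provisioning Manager are not covered by this check and still need to be reviewed in their own dialog boxes.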

Automate Password Change on MPS Accounts

The MPS Deployment Tool provides the option of specifying a password change for distribution to all the appropriate accounts. You can use this feature of the tool to automate the process of changing the account passwords listed in Table: Password Change Locations of User Accounts. When you are ready to change the password, perform the following procedure.

Procedure SPV.5: To automate password changes on Microsoft Provisioning System (MPS) accounts

  1. Run the MPS Deployment Tool by double-clicking the DeploymentTool.exe icon on the desktop or in the following directory path on the computer where you installed the tool: systemdrive:\Program Files\Microsoft Provisioning\DeploymentTool\.

  2. When the MPS Deployment Tool interface appears, in the Requirements Status pane, right-click the MPF Service Account component.

  3. On the contextual menu that appears, select the Reset Password command.

  4. In the Requirements Status pane, right-click the Plans Database Account component.

  5. On the contextual menu that appears, select the Reset Password command.

    The tool automatically generates and sets a random password for the MPFPlansAcct, the MPFServiceAcct and all the other MPS accounts specified in Table: Password Change Locations of User Accounts. In addition, the Verified icon (a green check mark) appears to the left of the MPF Service Account component in the Requirements Status pane.