Anyway, they got me back to make this change because it can be tricky. The biggest challenge when making wholesale changes to the service / app pool accounts is that if the farm account update fails to work properly, you then struggle to perform the rest of the changes because the security decryption keys MOSS uses to keep track of passwords are corrupted.

"System error code 997" and "An unhandled exception occurred in the user interface. Exception Information: Unable to connect to the remote server"

Once in this precarious position, Microsoft’s recommended solution – for the closest example of something that comes close to the error message – is to rebuild the config database – but it’s not much help onsite at a client’s place… Once the Farm account is half-changed, you cannot successfully change the rest of the accounts through the UI…

Joel has the information on this page – like using a sledgehammer to swat a fly, stsadm is not encumbered by a user interface or any of those nice-to-have things – it seems to be built around the premise "If it doesn’t work, force it." 🙂

So with stsadm, I went through the following steps:

At this point, an IISReset is probably a good idea (a reboot is an even better idea) – once this is done, attempt to access each affected area of the farm and verify that they are all now functioning correctly.
On the one hand, there are useful Knowledge Base (KB) articles, such as "How to Change Service Accounts and Service Account Passwords in SharePoint Server 2007 and in Windows SharePoint Services 3.0." And on the other hand, there are disasters, such as "Error Message When You Try to Use the SharePoint Products and Technologies Wizard: 'Exception: System.ArgumentException: Error during Encryption or Decryption.'" The above article states that you must create a new configuration database if the account credentials of a Web app can't be decrypted anymore.
To change any other Web application pool account except the one that is used by Central Administration, use the Updateaccountpassword operation.
The job is complete when it no longer appears in the list of definitions (refresh the browser, this isn't automatic).

If you later change the password for that user, you must update several screens with the new password. Until you complete all steps, the crawl does not run, and the event log shows an "Access Denied" error.

The tools are difficult to use, the underlying processes are complex, good documentation is hard to find, and there is a certain risk of corrupting the server farm even when following all of the proper procedures. Adding to the mix is problematic technical advice by Microsoft Product Support Services (PSS).