PowerShell Script for Updating the Password for SharePoint On Premise Service Accounts
Here's a useful script for updating SharePoint Service Account passwords.
SharePoint actually has a useful ManagedAccounts system where it will automatically change the password for the account. However, on one of my SharePoint farms, it doesn't quite work right.
For some reason, after the automatic password change, some of the services or app pools never receive the new password.
So, I have had to change the password manually and make sure the services and app pools have the correct password.
The following script will change the service account password, and then update the app pools and services on the server it is running on.
The service accounts are specified in the $serviceAccounts variable. You will need to edit the script and set those accounts to the ones on your farm.
You will need the ActiveDirectory module, the WebAdministration module, and the Microsoft.SharePoint.PowerShell snap-in.
NOTE: This script was written for a single WFE SharePoint farm.
If you have more than one server in your SharePoint farm, you would need to modify this script to change the password only once, and then update the app pools and services for each web or application server in your farm.
Also, I recommend testing this script in a dev environment and confirming it works first. Running this script may cause an interruption of service, as services must be restarted after running. If you are in a high availability environment, schedule an authorized maintenance period to reset your service account passwords first.
I noticed that sometimes some services or app pools may not restart successfully immediately after the password is updated, and I had to restart some of the services manually after running the script.
Disclaimer: This script is provided free to the community as is with no warranty, guarantee, or financial responsibility from the author. You are free to use and modify this script, as well as use the script for sample code in your own scripts. As with any scripts, you run them at your own risk and should review the code, and if available, test the script in a development environment before running them.
#Thanks to the following web sites for sample code which helped me write this script
#Author: Will Chung, Script Created: 2020-12-10
#https://www.sharepointpals.com/post/powershell-script-to-change-password-for-app-pool-and-manage-account-in-sharepoint-onprem-server/
#https://blog.techinline.com/2018/12/20/how-to-change-windows-password-using-command-line-or-powershell/
#https://gallery.technet.microsoft.com/scriptcenter/powershell-script-to-find-6fc15ecb
#https://gallery.technet.microsoft.com/scriptcenter/79644be9-b5e1-4d9e-9cb5-eab1ad866eaf
Add-PSSnapin "Microsoft.SharePoint.PowerShell";
Import-Module WebAdministration;
Import-Module ActiveDirectory;

# Service accounts to update; edit these to match your farm.
$serviceAccounts = "DOMAIN\SP.service","DOMAIN\SP.farm";

foreach ($username in $serviceAccounts)
{
    # Prompt without echoing the password to the console.
    $newpasswordSS = Read-Host -Prompt ("Enter in new password for: " + $username) -AsSecureString;
    # IIS and the Win32_Service Change method need the password as plain text.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($newpasswordSS);
    try { $newpassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # Strip the DOMAIN\ prefix for the Active Directory lookup.
    $usernameOnly = $username;
    if ($usernameOnly.Contains("\"))
    {
        $usernameOnly = $username.Substring($username.IndexOf("\")+1);
    }

    Write-Host "Changing the password for $($usernameOnly):";
    try
    {
        Set-ADAccountPassword -Identity $usernameOnly -Reset -NewPassword $newpasswordSS -ErrorAction Stop;
    }
    catch
    {
        Write-Output ("Error changing password: " + $_);
        exit;
    }

    Write-Host "Updating application pools with process identity of $($username)...";
    $applicationPools = Get-ChildItem IIS:\AppPools | where { $_.processModel.userName -eq $username }
    foreach ($pool in $applicationPools)
    {
        $pool.processModel.userName = $username;
        $pool.processModel.password = $newpassword;
        $pool.processModel.identityType = 3   # 3 = SpecificUser
        $pool | Set-Item
        Write-Host (" Updated app pool " + $pool.Name);
    }
    Write-Host "Application pool passwords updated..." -ForegroundColor Magenta
    Write-Host ""

    $serviceList = @( gwmi -Class Win32_Service -Property Name,StartName,SystemName -ErrorAction Stop )
    foreach ($svcD in $serviceList)
    {
        # Skip services that report no StartName; -eq is case-insensitive for strings.
        if ($svcD.StartName -and ($svcD.StartName -eq $username))
        {
            $ServerN = $svcD.SystemName;   # server name used in the status messages
            Write-Output ("Found service named " + $svcD.Name + " using identity of " + $username + "...");
            $StopStatus = $svcD.StopService()
            If ($StopStatus.ReturnValue -eq "0") # validating status - http://msdn.microsoft.com/en-us/library/aa393673(v=vs.85).aspx
            {
                Write-Host "$ServerN -> Service Stopped Successfully"
            }
            # Arguments 7 and 8 of Change are StartName and StartPassword.
            $ChangeStatus = $svcD.Change($null,$null,$null,$null,$null,$null,$username,$newpassword,$null,$null,$null)
            If ($ChangeStatus.ReturnValue -eq "0")
            {
                Write-Host "$ServerN -> Successfully Changed User Name"
            }
            $StartStatus = $svcD.StartService();
            If ($StartStatus.ReturnValue -eq "0")
            {
                Write-Host "$ServerN -> Service Started Successfully"
            }
            Else
            {
                Write-Host "Failed to restart service $($svcD.Name) on $ServerN. Please check the server and restart manually." -ForegroundColor Magenta
            }
        }
    }

    Write-Output "Updating SharePoint Managed Accounts...";
    # Returns nothing (instead of an error) when the account is not a managed account.
    $m = Get-SPManagedAccount -Identity $username -ErrorAction SilentlyContinue;
    if ($m -ne $null)
    {
        Write-Host ("Running Set-SPManagedAccount for $($username).");
        Set-SPManagedAccount -Identity $m -ExistingPassword $newpasswordSS
    }

    # Drop the plain-text copy before prompting for the next account.
    $newpassword = $null;
}
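
A follow-up check for the restart failures noted before the script, as an added example that is not part of the original script. It lists every app pool and Windows service on the local server that runs under the service accounts, flags the ones that did not come back, and retries them. The function name Get-ServiceAccountStatus is hypothetical, and the account list is assumed to be the same one used in the script.

```powershell
# Added example (not part of the original script). Run on the same server,
# in an elevated SharePoint Management Shell, after the password change.
Import-Module WebAdministration

# Assumption: same account list as the script above; edit to match your farm.
$serviceAccounts = "DOMAIN\SP.service","DOMAIN\SP.farm"

function Get-ServiceAccountStatus {
    param([string[]]$Accounts)

    # App pools running under one of the accounts.
    Get-ChildItem IIS:\AppPools |
        Where-Object { $Accounts -contains $_.processModel.userName } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Type = "AppPool"; Name = $_.Name
                Account = $_.processModel.userName; State = $_.State
                Healthy = ($_.State -eq "Started")
            }
        }

    # Windows services running under one of the accounts.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -and ($Accounts -contains $_.StartName) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Type = "Service"; Name = $_.Name
                Account = $_.StartName; State = $_.State
                # A stopped Manual or Disabled service is not a failure.
                Healthy = ($_.State -eq "Running" -or $_.StartMode -ne "Auto")
            }
        }
}

$status = Get-ServiceAccountStatus -Accounts $serviceAccounts
$status | Sort-Object Type, Name | Format-Table Type, Name, Account, State, Healthy -AutoSize

# Retry anything that did not come back, then report what still needs attention.
foreach ($item in ($status | Where-Object { -not $_.Healthy })) {
    try {
        if ($item.Type -eq "AppPool") { Start-WebAppPool -Name $item.Name -ErrorAction Stop }
        else { Start-Service -Name $item.Name -ErrorAction Stop }
        Write-Host "Started $($item.Type) $($item.Name)"
    }
    catch {
        Write-Warning "$($item.Type) $($item.Name) failed to start: $_"
    }
}
```

An app pool that was deliberately left stopped will also be reported and started, so review the table before relying on the retry loop.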