Change Password for Service account in SharePoint
Recently had a customer ask me about how to do this so wrote this little article and thought I would share it with you.
There will be two times when you want to reset passwords in MOSS.
- In a planned fashion possibly due to Domain policy requirements you change the password.
- When you have allowed the password to expire and need to change the password to return the farm to service.
In either case the steps are the same, this fantastic article KB934838 covers the steps in detail and even has a script that you can take and setup for your environment, so there is no reason for me to go over it except to say read the article.
The commands that are primary to this are:
And in farms that are least privilege you have some extra steps that you need to follow to insure that this would work.
We grew the functionality in this area by several steps. We have introduced Managed Accounts, this means that we store both username and password in the configuration database for the service accounts. This also insures that we keep the objects in IIS and OS up to date thru syncing.
Then using this idea of a Managed Account we have setup several different methods to change the passwords and have that update the App Pools, etc. By going to /_admin/EditAccount.aspx we see we have the following
This allows you to either change the password thru SharePoint to something new this can be a random password or something you choose, or to use an existing password.
This section is good to use if your password has already expired or is about to expire.
Automatic Password Change
This allows you to stop worrying about password changes altogether, and allow SharePoint to manage them for you. I highly recommend that you test this and make sure it will work for you. Here are some gotchas that I have noticed
- Service account that is shared between multiple farms, the password change does not work across farms!
- Service account that is used in User Profile Connection settings, this should not be a managed account as the process can't change this.
- You will no longer be able to login with these accounts, so make sure yours has the correct permissions
- This command cannot override the rules of Domain Policies ie Password Complexity, Length, Age, etc
There is of course PowerShell commands that can help you to automate these steps or if you have an issue get you out of a bind.
Set-SPManagedAccount - This PowerShell command will be the one you use the most, using this cmdlet and different switches you can cover all the situations above. Here some examples
We want to change the password with something new use
Set-SPManagedAccount -identity Domain\User -NewPassword (Converto-Securestring "P@ssword" -AsPlainText -Force) -SetNewPassword
We need to use existing password
Set-SPManagedAccount -identity Domain\User -ExistingPassword (Convertto-Securestring "P@ssword" -AsPlainText -Force
Set SharePoint to manage password
Set-SPManagedAccount -identity Domain\User -AutogeneratePassword -EmailNotification 14 -PreExpireDays 7 -Schedule "Monthly between <dayofmonth> <Timeofdayinhh:mm:ss> and <dayofmonth> <Timeofdayinhh:mm:ss>"
Repair-SPManagedAccountDeployment - This PowerShell command is used when you have setup the automatic password change and it's worked on Server A but not Server B, by running the command locally on Server B it will re-synch all of the App Pools on that server.
Configure automatic password change (SharePoint Server 2010)
Plan automatic password change (SharePoint Foundation 2010)