Change Password for Service account in SharePoint

Recently had a customer ask me about how to do this so wrote this little article and thought I would share it with you.

SharePoint 2007

There will be two times when you want to reset passwords in MOSS.

  1. In a planned fashion possibly due to Domain policy requirements you change the password.
  2. When you have allowed the password to expire and need to change the password to return the farm to service.

In either case the steps are the same, this fantastic article KB934838 covers the steps in detail and even has a script that you can take and setup for your environment, so there is no reason for me to go over it except to say read the article. 

The commands that are primary to this are:

Stsadm -o updatefarmcredentials

Stsadm -o updateaccountpassword

Stsadm -o spsearch

Stsadm -o editssp

Stsadm -o osearch

And in farms that are least privilege you have some extra steps that you need to follow to insure that this would work.

SharePoint 2010

We grew the functionality in this area by several steps.  We have introduced Managed Accounts, this means that we store both username and password in the configuration database for the service accounts.  This also insures that we keep the objects in IIS and OS up to date thru syncing.

Then using this idea of a Managed Account we have setup several different methods to change the passwords and have that update the App Pools, etc.  By going to /_admin/EditAccount.aspx we see we have the following

Credential Management

This allows you to either change the password thru SharePoint to something new this can be a random password or something you choose, or to use an existing password.

This section is good to use if your password has already expired or is about to expire.


Automatic Password Change

This allows you to stop worrying about password changes altogether, and allow SharePoint to manage them for you.  I highly recommend that you test this and make sure it will work for you.  Here are some gotchas that I have noticed

  1. Service account that is shared between multiple farms, the password change does not work across farms!
  2. Service account that is used in User Profile Connection settings, this should not be a managed account as the process can't change this.
  3. You will no longer be able to login with these accounts, so make sure yours has the correct permissions
  4. This command cannot override the rules of Domain Policies ie Password Complexity, Length, Age, etc



There is of course PowerShell commands that can help you to automate these steps or if you have an issue get you out of a bind.

Set-SPManagedAccount - This PowerShell command will be the one you use the most, using this cmdlet and different switches you can cover all the situations above.  Here some examples

We want to change the password with something new use

Set-SPManagedAccount -identity Domain\User -NewPassword (Converto-Securestring "P@ssword" -AsPlainText -Force) -SetNewPassword

We need to use existing password

Set-SPManagedAccount -identity Domain\User -ExistingPassword (Convertto-Securestring "P@ssword" -AsPlainText -Force

Set SharePoint to manage password

Set-SPManagedAccount -identity Domain\User -AutogeneratePassword -EmailNotification 14 -PreExpireDays 7 -Schedule "Monthly between <dayofmonth> <Timeofdayinhh:mm:ss> and <dayofmonth> <Timeofdayinhh:mm:ss>"

Repair-SPManagedAccountDeployment - This PowerShell command is used when you have setup the automatic password change and it's worked on Server A but not Server B, by running the command locally on Server B it will re-synch all of the App Pools on that server.


Configure automatic password change (SharePoint Server 2010)

Plan automatic password change (SharePoint Foundation 2010)