This is a PowerShell script that changes any SharePoint farm managed account user password when, for some reason, it was not possible to synchronize user changes from Active Directory, such as a password expiration.

antonio-leonardo/UpdateSharePointManagedAccountPassword

Update SharePoint Managed Account Password on all Farm Layers: IIS, Windows Services and SharePoint Services

This is an emergency PowerShell script that changes the password of any SharePoint managed account used by SharePoint services and SharePoint application pools when, for some reason, it was not possible to synchronize user changes from Active Directory (such as a password expiration) and the problem cannot be troubleshot at other layers such as Active Directory or the network infrastructure. Below is the sequence needed to succeed with these scripts; this sequence was tested on several large and/or complex SharePoint on-premises farms of the 2010, 2013 and 2016 versions, without any impact and with 100% success in all cases.

Comments:

i) These scripts only take effect on the machine where they are executed; the changes do not propagate to the other farm servers;

Premises:

ii) To execute all of these scripts, the current user needs the privileges below:

ii.a) membership of the Farm Administrators group;

ii.b) local machine Administrator (on any SharePoint farm server);

ii.c) SQL Server securityadmin role (on the SharePoint database instance);

ii.d) db_owner on the databases "SharePoint_Config" and "SharePoint_Admin_<any guid>";

iii) Before starting the script sequence, allow the scripts to run for the current user with this PowerShell instruction (Set-ExecutionPolicy at Microsoft Docs):

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force

1) Loads the module for administering IIS web sites and servers (WebAdministration at Microsoft Docs):

Import-Module WebAdministration

2) Gets the user account in the format 'DOMAIN\user' (Read-Host, Example 1):

$serviceAccount = Read-Host -Prompt "Please enter the user (in DOMAIN\username format)."

3) Gets the user password as a SecureString (Read-Host, Example 2):

$securePass = Read-Host "What's this user's password? This field will be encrypted:" -AsSecureString

4) Converts the SecureString password to plain text, which the IIS and Windows service layers below require (System.Runtime.InteropServices.Marshal, by Andrew Watt):

$plainTextPass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass))

5) Gets all application pools whose identity is the user (Start-WebAppPool at Microsoft Docs):

$applicationPools = Get-ChildItem IIS:\AppPools | where { $_.processModel.userName -eq $serviceAccount }

6) Sets the new password on every application pool that runs as the service user (PowerShell Snap-in: Making Configuration Changes to Websites and App Pools at Microsoft Docs):

foreach($pool in $applicationPools)
{
    $pool.processModel.userName = $serviceAccount
    $pool.processModel.password = $plainTextPass
    $pool.processModel.identityType = 3   # 3 = SpecificUser (custom account)
    $pool | Set-Item
}

7) Gets the local host name (Get computer name at Microsoft DevBlogs):

$serverName = $env:computername

8) Gets all Windows services that log on as the service user (Get-WmiObject at Microsoft Docs):

$shpServices = gwmi win32_service -computer $serverName | where {$_.StartName -eq $serviceAccount}

9) Sets the new password on every Windows service that logs on as the service user (Change method of the Win32_Service class at Microsoft Docs):

foreach($service in $shpServices)
{
    # Win32_Service.Change: the eighth positional argument is StartPassword; $null leaves the others unchanged
    $service.change($null,$null,$null,$null,$null,$null,$null,$plainTextPass)
}

10) Loads the snap-in that adds the SharePoint cmdlets to the session (Add Microsoft.SharePoint.PowerShell Snap-In to All PowerShell Windows at Microsoft Blog):

Add-PSSnapin Microsoft.SharePoint.PowerShell

11) Gets the managed account for the service user in SharePoint (Get-SPManagedAccount at Microsoft Docs):

$managedAccount = Get-SPManagedAccount | where {$_.UserName -eq $serviceAccount}

12) Changes the user password in SharePoint (Set-SPManagedAccount); if the account is also the farm's default service account, the farm credentials are updated as well:

Set-SPManagedAccount -Identity $managedAccount -ExistingPassword $securePass -UseExistingPassword:$True -Confirm:$False

if((Get-SPFarm).DefaultServiceAccount.Name -eq $serviceAccount)
{
    stsadm.exe -o updatefarmcredentials -userlogin $serviceAccount -password $plainTextPass
}

13) Restarts IIS without forcing the worker processes to stop:

iisreset /noforce
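As an added check that is not part of the original repository, the helper below verifies, on the local server, each layer touched by steps 5 to 12 after the change, and clears the plaintext copy of the password. The function name Test-ManagedAccountLayers is mine; it assumes steps 1 and 10 have already loaded WebAdministration and the SharePoint snap-in and that $serviceAccount still holds the 'DOMAIN\user' value from step 2.

```powershell
# Added verification helper (not from the original repository).
# Assumes WebAdministration and Microsoft.SharePoint.PowerShell are already loaded.
function Test-ManagedAccountLayers {
    param([Parameter(Mandatory)][string]$ServiceAccount)

    $problems = @()

    # Layer 1: every IIS application pool running as the account must be started.
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.userName -eq $ServiceAccount } |
        ForEach-Object {
            $state = (Get-WebAppPoolState -Name $_.Name).Value
            if ($state -ne 'Started') { $problems += "App pool '$($_.Name)' is $state" }
        }

    # Layer 2: automatic Windows services logging on as the account must be running;
    # a wrong stored password surfaces as a logon failure when the service starts.
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -eq $ServiceAccount -and $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            if ($_.State -ne 'Running') { $problems += "Service '$($_.Name)' is $($_.State)" }
        }

    # Layer 3: the account must still be registered as a SharePoint managed account.
    $ma = Get-SPManagedAccount | Where-Object { $_.UserName -eq $ServiceAccount }
    if (-not $ma) { $problems += "No SharePoint managed account registered for $ServiceAccount" }

    if ($problems.Count -eq 0) {
        Write-Host "All layers on $env:COMPUTERNAME run as $ServiceAccount and are healthy."
    } else {
        $problems | ForEach-Object { Write-Warning $_ }
    }
    return $problems
}

# Usage after step 13: drop the plaintext copy created in step 4, then check every layer.
$plainTextPass = $null
Test-ManagedAccountLayers -ServiceAccount $serviceAccount
```

Because the steps above only act on the local machine, run the same check on each farm server after repeating the sequence there.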

Download: at my GitHub Gist


License: MIT