Update SharePoint Managed Account Password on all Farm Layers: IIS, Windows Services and SharePoint Services
This is an emergency PowerShell script sequence that changes the password of a SharePoint managed account on every layer where the account is used: the SharePoint application pools in IIS, the Windows services and the SharePoint managed account itself. It is meant for the case where, for some reason, SharePoint could not pick up the credential change from Active Directory (a password expiration, for example) and the problem cannot be solved at another layer such as Active Directory or the network infrastructure. Below is the sequence that must be followed for the scripts to work; it was tested on several large and/or complex SharePoint on-premises farms (2010, 2013 and 2016) without any impact and with success in every case.
i) The IIS application pool and Windows service changes (steps 5 to 9) take effect only on the server where the scripts are run; they do not propagate to the other farm servers, so repeat those steps on every server that runs the account. The managed account change (step 12) is stored in the farm configuration database and is done once;
ii) To run all of these scripts, the current user needs the privileges below:
ii.a) member of the Farm Administrators group;
ii.b) local Administrator on each SharePoint farm server where the scripts are run;
ii.c) securityadmin server role on the SQL Server instance that hosts the SharePoint databases;
ii.d) db_owner on the "SharePoint_Config" database and on the Central Administration content database "SharePoint_Admin_<guid>";
iii) Before starting the script sequence, relax the execution policy with this PowerShell instruction (Set-ExecutionPolicy at Microsoft Docs). The policy only governs script files and module loading, not commands typed interactively, and a CurrentUser setting persists after the session closes; if the steps are saved as a .ps1 on the server, -Scope Process with RemoteSigned is sufficient and reverts when the window is closed:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
1) Loads the module for administering IIS web sites, servers and application pools (WebAdministration at Microsoft Docs):
Import-Module WebAdministration
2) Reads the user account in the format 'DOMAIN\user' (Read-Host, Example 1):
$serviceAccount = Read-Host -Prompt "Please enter the user (in DOMAIN\username format)."
3) Reads the user password as a SecureString, so it is masked on the console and not kept as a plain .NET string until it is needed (Read-Host, Example 2):
$securePass = Read-Host "What's this user's password? (input is masked)" -AsSecureString
4) Converts the SecureString to plain text (System.Runtime.InteropServices.Marshal, by Andrew Watt). This is unavoidable, because the IIS processModel and the Win32_Service Change method only accept plain-text passwords, but from here on the password sits in process memory as an ordinary .NET string: free the unmanaged BSTR copy immediately and clear the variable at the end of the sequence:
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
$plainTextPass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # zero and release the unmanaged copy
5) Gets all IIS application pools whose identity is this user (the -eq comparison is case-insensitive, so 'DOMAIN\User' and 'domain\user' both match) (Start-WebAppPool at Microsoft Docs):
$applicationPools = Get-ChildItem IIS:\AppPools | where { $_.processModel.userName -eq $serviceAccount }
6) Iterates over all application pools running as the service user and stores the new password. A running worker process keeps its current token; the new credential is used at the next recycle, which the iisreset at the end triggers (PowerShell Snap-in: Making Configuration Changes to Websites and App Pools at Microsoft Docs):
foreach($pool in $applicationPools)
{
    $pool.processModel.userName = $serviceAccount
    $pool.processModel.password = $plainTextPass
    $pool.processModel.identityType = 3   # 3 = SpecificUser (custom account)
    $pool | Set-Item                      # writes the change back to applicationHost.config
}
7) Gets the local host name (Get computer name at Microsoft DevBlogs):
$serverName = $env:computername
8) Gets all Windows services on this server whose logon account is the service user (Get-WmiObject at Microsoft Docs):
$shpServices = gwmi win32_service -computer $serverName | where {$_.StartName -eq $serviceAccount}
9) Changes the logon password of every service running as the service user (Change method of the Win32_Service class at Microsoft Docs). The eighth argument of Change is StartPassword; the seven $null arguments before it leave the other settings untouched. Check the return value (0 means success), and remember that a running service keeps its old token until it is restarted, so restart each affected service (Restart-Service <name>) once the farm step below is done:
foreach($service in $shpServices)
{
    $result = $service.Change($null,$null,$null,$null,$null,$null,$null,$plainTextPass)
    if ($result.ReturnValue -ne 0)
    {
        Write-Warning "$($service.Name): Change() returned $($result.ReturnValue)"
    }
}
10) Loads the snap-in that provides the SharePoint cmdlets (Add Microsoft.SharePoint.PowerShell Snap-In to All PowerShell Windows at Microsoft Blog):
Add-PSSnapin Microsoft.SharePoint.PowerShell
11) Gets the SharePoint managed account that corresponds to the service user (Get-SPManagedAccount at Microsoft Docs):
$managedAccount = Get-SPManagedAccount | where {$_.UserName -eq $serviceAccount}
12) Records the new password for the managed account in the farm (Set-SPManagedAccount). -UseExistingPassword tells SharePoint that the password has already been changed in Active Directory, so it only stores the value given in -ExistingPassword instead of generating a new one:
Set-SPManagedAccount -Identity $managedAccount -ExistingPassword $securePass -UseExistingPassword:$True -Confirm:$False
If this account is the farm account, the farm credentials must be updated as well (stsadm -o updatefarmcredentials). Note that this passes the plain-text password on the command line, where process-creation auditing or anyone who can list running processes may capture it:
if((Get-SPFarm).DefaultServiceAccount.Name -eq $serviceAccount)
{
    stsadm.exe -o updatefarmcredentials -userlogin $serviceAccount -password $plainTextPass
}
13) Restarts IIS on this server so the application pools start with the new credential; /noforce lets in-flight requests finish first. Afterwards clear the plain-text copy of the password (Remove-Variable plainTextPass) and close the PowerShell session:
iisreset /noforce
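The following is an added example, not part of the original script sequence: steps 2 to 9 folded into one function for a single server, with the checks the bare sequence lacks. It validates the password against the domain before touching anything (a wrong password stored in IIS puts every pool into rapid-fail protection and leaves the services unable to start), checks the return code of every Win32_Service Change call, restarts the touched services and recycles the touched pools so the new credential is actually in use, and supports -WhatIf. The function name, its parameters, the ValidateCredentials pre-check and the account name in the usage comment are this example's own choices, not the page's. Run it on every farm server; steps 10 to 12 (the farm-wide Set-SPManagedAccount and stsadm part) are still run once, separately.

```powershell
# Added example (not the original script): local-layer password update for ONE server.
# Must run in an elevated PowerShell session on the SharePoint server.
Import-Module WebAdministration
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Update-LocalServiceAccountPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Must be DOMAIN\user: that is how IIS and Win32_Service store the identity.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[^\\]+\\[^\\]+$')]
        [string] $ServiceAccount,

        [Parameter(Mandatory = $true)]
        [System.Security.SecureString] $Password
    )

    # Decrypt exactly once: processModel.password and Win32_Service.Change() need plain text.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    $changed = @{ AppPools = @(); Services = @() }
    try {
        # Pre-flight: one failed validation counts as a bad logon against the account's
        # lockout threshold, so this is deliberately done once and never retried in a loop.
        $domain, $user = $ServiceAccount -split '\\', 2
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
        if (-not $ctx.ValidateCredentials($user, $plain)) {
            throw "Domain '$domain' rejected the password for $ServiceAccount; nothing was changed."
        }

        # IIS application pools running as this account (-eq is case-insensitive).
        $pools = Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.userName -eq $ServiceAccount }
        foreach ($pool in $pools) {
            if ($PSCmdlet.ShouldProcess("IIS app pool '$($pool.Name)'", 'Set identity password')) {
                Set-ItemProperty "IIS:\AppPools\$($pool.Name)" -Name processModel -Value @{
                    userName = $ServiceAccount; password = $plain; identityType = 3   # 3 = SpecificUser
                }
                $changed.AppPools += $pool.Name
            }
        }

        # Windows services whose logon account is this account.
        $services = Get-WmiObject Win32_Service | Where-Object { $_.StartName -eq $ServiceAccount }
        foreach ($svc in $services) {
            if ($PSCmdlet.ShouldProcess("service '$($svc.Name)'", 'Set logon password and restart')) {
                # Change() argument 8 is StartPassword; $null leaves every other setting untouched.
                $rc = $svc.Change($null, $null, $null, $null, $null, $null, $null, $plain).ReturnValue
                if ($rc -ne 0) { throw "Win32_Service.Change() on '$($svc.Name)' failed, return code $rc" }
                # A running service keeps its old token until it is restarted.
                if ($svc.State -eq 'Running') { Restart-Service -Name $svc.Name -Force }
                $changed.Services += $svc.Name
            }
        }
    }
    finally {
        # .NET strings are immutable, so the copy cannot be zeroed; at least drop the reference.
        $plain = $null
    }

    # Recycle started pools so their worker processes pick up the new credential.
    foreach ($name in $changed.AppPools) {
        if ((Get-WebAppPoolState -Name $name).Value -eq 'Started') { Restart-WebAppPool -Name $name }
    }
    New-Object PSObject -Property $changed
}

# Usage on each farm server (the account name is a placeholder); -WhatIf only lists what would change:
# $sec = Read-Host 'Password' -AsSecureString
# Update-LocalServiceAccountPassword -ServiceAccount 'CONTOSO\sp_services' -Password $sec -WhatIf
```

Run it first with -WhatIf to see which pools and services on the server would be touched; the credential pre-check runs either way, so a typo in the password is caught before anything is written. Get-WmiObject is used instead of Get-CimInstance to stay compatible with the PowerShell 2.0 that ships with the oldest (2010) farms the page covers.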