Change Password for Service account in SharePoint

First published on TECHNET on Nov 29, 2012

I recently had a customer ask me how to do this, so I wrote this little article and thought I would share it with you.

 

SharePoint 2007

 

There will be two times when you want to reset passwords in MOSS:

    1. In a planned fashion, possibly due to Domain policy requirements, you change the password.
    2. When you have allowed the password to expire and need to change the password to return the farm to service.

In either case the steps are the same. The fantastic article KB934838 (http://support.microsoft.com/kb/934838) covers the steps in detail and even has a script that you can take and set up for your environment, so there is no reason for me to go over it except to say: read the article.

 

The commands that are primary to this are:

    Stsadm -o updatefarmcredentials
    Stsadm -o updateaccountpassword
    Stsadm -o spsearch
    Stsadm -o editssp
    Stsadm -o osearch

In farms that are least privilege, you have some extra steps that you need to follow to ensure that this works.

 

SharePoint 2010

 

We grew the functionality in this area by several steps. We have introduced Managed Accounts, which means that we store both the username and the password for the service accounts in the configuration database. This also ensures that we keep the objects in IIS and the OS up to date through syncing.

Using this idea of a Managed Account, we have set up several different methods to change the passwords and have that update the App Pools, etc. By going to /_admin/EditAccount.aspx we see we have the following:

 

Credential Management

 

This allows you either to change the password through SharePoint to something new, which can be a random password or something you choose, or to use an existing password.

This section is good to use if your password has already expired or is about to expire.

Automatic Password Change

 

This allows you to stop worrying about password changes altogether and lets SharePoint manage them for you. I highly recommend that you test this and make sure it will work for you. Here are some gotchas that I have noticed:

    1. A service account that is shared between multiple farms: the password change does not work across farms!
    2. A service account that is used in User Profile Connection settings: this should not be a managed account, as the process can't change this.
    3. You will no longer be able to log in with these accounts, so make sure yours has the correct permissions.
    4. This command cannot override the rules of Domain Policies, i.e. Password Complexity, Length, Age, etc.

There are of course PowerShell commands that can help you automate these steps or, if you have an issue, get you out of a bind.

 

Set-SPManagedAccount - This PowerShell command will be the one you use the most; using this cmdlet with different switches you can cover all the situations above. Here are some examples:

To change the password to something new, use:

    Set-SPManagedAccount -identity Domain\User -NewPassword (ConvertTo-SecureString "P@ssword" -AsPlainText -Force) -SetNewPassword

To use an existing password:

    Set-SPManagedAccount -identity Domain\User -ExistingPassword (ConvertTo-SecureString "P@ssword" -AsPlainText -Force)

To set SharePoint to manage the password:

    Set-SPManagedAccount -identity Domain\User -AutogeneratePassword -EmailNotification 14 -PreExpireDays 7 -Schedule "Monthly between <dayofmonth> <Timeofdayinhh:mm:ss> and <dayofmonth> <Timeofdayinhh:mm:ss>"

Repair-SPManagedAccountDeployment - This PowerShell command is used when you have set up the automatic password change and it has worked on Server A but not Server B; running the command locally on Server B re-syncs all of the App Pools on that server.
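
The following is an added example, not part of the original article: it audits the farm's managed accounts for upcoming expiry and then sets a new password that is prompted for as a SecureString, so the plaintext never sits in the command line, shell history or a transcript. The account name CONTOSO\svc-spapppool and the 14-day threshold are placeholders chosen for illustration.

```powershell
# Added example (not from the original article).
# Run in the SharePoint 2010 Management Shell on a farm server, as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$warnDays = 14                         # assumed review threshold; align with your domain policy
$identity = 'CONTOSO\svc-spapppool'    # placeholder managed account name

# 1. Audit: list every managed account with its expiry date and whether
#    SharePoint is rotating the password automatically.
$accounts = Get-SPManagedAccount |
    Select-Object Username, AutomaticChange, PasswordExpiration,
        @{ Name = 'DaysLeft'
           Expression = { [int]($_.PasswordExpiration - (Get-Date)).TotalDays } }

$accounts | Sort-Object DaysLeft | Format-Table -AutoSize

# 2. Flag accounts that are not auto-managed and are close to (or past) expiry.
#    These are the ones that will take the farm down if nobody acts.
$atRisk = $accounts | Where-Object { -not $_.AutomaticChange -and $_.DaysLeft -le $warnDays }
if ($atRisk) {
    Write-Warning ("Manual rotation needed within {0} days for: {1}" -f
        $warnDays, (($atRisk | ForEach-Object { $_.Username }) -join ', '))
}

# 3. Rotate one account. Read-Host -AsSecureString keeps the new password out of
#    the command text; the value must still satisfy the domain password policy.
$newPassword = Read-Host -AsSecureString "New password for $identity"
Set-SPManagedAccount -Identity $identity `
    -NewPassword $newPassword -ConfirmPassword $newPassword -SetNewPassword

# 4. Confirm the change was recorded in the configuration database.
Get-SPManagedAccount -Identity $identity |
    Select-Object Username, PasswordLastChanged, PasswordExpiration

# 5. If an App Pool on another server still fails to start with the old
#    credentials, run this locally on that server:
# Repair-SPManagedAccountDeployment
```

Run the audit step on a schedule and review the flagged accounts before their DaysLeft reaches zero; the rotation step is interactive by design.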

 

Articles

 

Configure automatic password change (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/ff724280(v=office.14).aspx

Plan automatic password change (SharePoint Foundation 2010)
http://technet.microsoft.com/en-us/library/ee428296(v=office.14).aspx