
Changing SharePoint farm passwords

July 29, 2016

Another recent case from a customer. What they had was a farm that was deployed with AutoSPInstaller (https://autospinstaller.codeplex.com/), so they have quite a number of accounts for various SharePoint services, Windows services and application pools.

So how should we change the passwords for these accounts? The easiest way (the one implemented at the customer) is to have the accounts registered as managed accounts. This way you or SharePoint can automatically change passwords for the accounts and update all relevant records. A managed account can change the password in AD or just update the SharePoint records. In our case there were some errors we have not resolved, so we let the AD admins change the password and then we changed things in SharePoint.

So what happens after you change the AD account password? If you do nothing, there will be problems. Most likely, though, you will only notice the problems after you restart the server.

The reason is that there are:

- Windows service registrations on farm computers containing copies of the passwords
- IIS pool registrations containing copies of the passwords
- In some cases (like search or workflow), other entities containing a reference to the password

Managed accounts

The benefit of a managed account is that SharePoint can automate some of these actions across the farm, namely changing the Windows service registrations and IIS pool registrations. If you choose to change the passwords yourself (and not let them be changed automatically), there are basically 2 ways to do it.

Option one – Central Admin

- Press the edit button.
- Enter the new password and press OK below.

Note that option one, "Set account password to a new value", will try to change the password in AD first. Option two will just update the relevant services and IIS pools.

In some cases you would prefer to use PowerShell.
If the account you are changing is also used to run the Central Administration application pool, your command will fail partway through, because it runs under the pool that is going to be reset! In this case you can use the Set-SPManagedAccount command: https://technet.microsoft.com/en-us/library/ff607617(v=office.16).aspx

If you want this command to change the AD password, use this format:

    Set-SPManagedAccount -Identity $username -NewPassword $newpassword -ConfirmPassword $newpassword

If you want to use an existing password, use this one:

    Set-SPManagedAccount -Identity $username -ExistingPassword $newpassword -UseExistingPassword:$true

I have made a script that reads accounts and new passwords from a CSV file and updates them in bulk.

    <#
    .SYNOPSIS
    Changes managed account passwords at the farm.
    .DESCRIPTION
    Changes accounts using the provided CSV file.
    .EXAMPLE
    .\changepasswords.ps1 -inputFile "yourfile.csv" -newPasswords:$false
    .NOTES
    Author: Marat Bakirov
    Date: 05 July 2016
    #>
    [cmdletbinding()]
    param(
        # CSV file with the columns Username and NewPassword
        [string] $InputFile = "accountsandpasswords.csv",
        # $true: change the password in AD as well; $false: AD already has the new password
        [switch] $newPasswords = $true
    )

    ####################################################
    # Configurables
    ####################################################
    Add-PSSnapin Microsoft.Sharepoint.Powershell

    ####################################################
    # Main
    ####################################################
    function Main {
        $passwords = Import-Csv $InputFile
        $passwords | foreach {
            $username = $_.Username
            $newpwd1 = $_.NewPassword
            # Set-SPManagedAccount expects SecureString values; the plain text is not written to the console
            $newpassword = ConvertTo-SecureString -String $newpwd1 -AsPlainText -Force
            if ($newPasswords) {
                # Change the password in AD and update the farm
                Write-Host "changing password for $username to a new one"
                Set-SPManagedAccount -Identity $username -NewPassword $newpassword -ConfirmPassword $newpassword -Confirm:$false
            }
            else {
                # The password was already changed in AD; only update the farm
                Write-Host "changing password for $username to an existing one"
                Set-SPManagedAccount -Identity $username -ExistingPassword $newpassword -Confirm:$false -UseExistingPassword:$true
            }
        }
    }

    Main

How to change other passwords

If the account participates in the user profile sync, search or workflow farm, you might need to run additional scripts.

User profile sync

These accounts are managed and are changed within SharePoint, but they are also used for the User Profile Sync, so additional configuration might be required. A good reference can be found at https://blog.zubairalexander.com/managing-passwords-for-service-accounts-in-sharepoint-sql-server/ (section 5, "User Profile Synchronization Connection Account") or at https://blogs.msdn.microsoft.com/charliechirapuntu/2013/01/16/sharepoint-2010-service-accounts-passwords-change-guide/

Search crawler account

This has an additional impact: the search content account has to be updated in Active Directory first and then updated in the search center. https://technet.microsoft.com/en-au/library/dn178512.aspx

Workflow and service bus farm accounts

On each server in the farm that has workflow installed, run the Service Bus PowerShell in elevated mode. (Note: if the Service Bus PowerShell is missing, skip the procedure for this server.) Run the changewfpassword.ps1 script. The script will prompt for the new password for the svcInsiteWfProd / svcInsiteWfTest account.

    Write-Host "Please enter a new password"
    # Read as a SecureString so the password is not echoed to the console
    $AccountPassword = Read-Host -AsSecureString

    # Workflow Manager host: stop, update the stored RunAs password, start
    Stop-WFHost -Verbose
    Update-WFHost -RunAsPassword $AccountPassword -Verbose
    Start-WFHost -Verbose

    # Service Bus host: same sequence
    Stop-SBHost -Verbose
    Update-SBHost -RunAsPassword $AccountPassword -Verbose
    Start-SBHost -Verbose

Source code

The scripts can be found here: https://1drv.ms/f/s!AguWtH15ywzQhI5kUYLXI1Jcmv4Y6Q
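The post explains that Windows service registrations and IIS pool registrations on each farm server hold their own copy of an account's password. The following is an added example, not one of the author's scripts, that lists those registrations on the local server so you know what has to be updated before the next restart. The function name and the sample account names are made up for illustration, and it assumes an elevated session and that the accounts are stored in DOMAIN\user form.

```powershell
# Added example (not from the original post): find the Windows services and
# IIS application pools on this server that run under the given accounts.
# Get-AccountRegistration is a hypothetical name chosen for this example.
function Get-AccountRegistration {
    [CmdletBinding()]
    param(
        # Accounts in DOMAIN\user form, e.g. the Username column of the CSV
        [Parameter(Mandatory)]
        [string[]] $Username
    )

    # Windows services: the logon account is exposed as StartName
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -in $Username } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Kind     = 'WindowsService'
                Name     = $_.Name
                Account  = $_.StartName
                State    = $_.State
            }
        }

    # IIS application pools: the identity is in processModel.userName.
    # The WebAdministration module is only present where IIS is installed.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.userName -in $Username } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Kind     = 'AppPool'
                    Name     = $_.Name
                    Account  = $_.processModel.userName
                    State    = $_.State
                }
            }
    }
}

# Constructed sample account names; replace them with your own.
Get-AccountRegistration -Username 'CONTOSO\svcSPFarm', 'CONTOSO\svcSPSearch' |
    Sort-Object Kind, Name |
    Format-Table -AutoSize
```

Run it on every server in the farm. A service or pool that is still listed as stopped after the password update is a candidate for a registration that kept the old password.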
