Skip to content

Changing SharePoint farm passwords

July 29, 2016

Another recent case from the customer.

What they had is a farm which was deployed with autospinstaller. https://autospinstaller.codeplex.com/ So they have quite a number of accounts for various SharePoint services , windows services and application pools.

 

So how should we change the accounts?

The easiest way (that was implemented at the customer) is to have account to be registered as managed accounts.

This way you or SharePoint can automatically change passwords for the accounts, and update all relevant records.

The managed account can change the passwords in AD or just update the SharePoint records. In our case there were some errors we have not resolved, so we have let the AD admins change the password and then we have changed the things in SharePoint.

 

So what happens after you change the AD account password?

If you do nothing, there will be problems. Most likely though you will only notice the problems after you restart the server.

 

The reason is that there are

Windows Service registrations on farm computers containing copies of the passwords

IIS Pools registrations containing copies of the passwords

In some cases (like search or workflow) other entities contain the reference to the password.

Managed accounts

The benefit of managed account is that SharePoint can automate some of these actions across the farm. Namely – changing the windows service registrations and iis pools registrations.

If you choose to change the passwords (and not let them be changed automatically), there are basically 2 ways to do it.

Option one – Central Admin

two

 

Press the edit button

Enter new password and press ok below

two

 

Note that option one – Set account password to a new value will try to change the password in AD first. Option two will just update the relevant services and IIS pools.

In some cases you would prefer to use PowerShell. If the account you are changing is also used to run the Central Administration application pool, then your command will kinda fail in the middle cause it will run under the pool that is going to be reset!

In this case you can use the Set-SPManagedAccount command

https://technet.microsoft.com/en-us/library/ff607617(v=office.16).aspx

If you want this command to change the AD password use this format

Set-SPManagedAccount -Identity $username -NewPassword $newpassword -ConfirmPassword $newpassword

If you want to use an existing password – use this one.


Set-SPManagedAccount -Identity $username -ExistingPassword $newpassword  -UseExistingPassword:$true

I have made a script that reads accounts and new passwords from the csv files and updates them in a bulk.


<#
.SYNOPSIS
Changes managed account passwords at the farm.
.DESCRIPTION
Changes accounts using the provided CSV file.
.EXAMPLE
.\changepasswords.ps1    -inputFile "yourfile.csv" -newPasswords:$false
.NOTES
Author: Marat Bakirov
Date: 05 July 2016
#>
[cmdletbinding()]
param(
[string] $InputFile = "accountsandpasswords.csv",
[switch] $newPasswords = $true
)

####################################################
# Configurables
####################################################

Add-PSSnapin Microsoft.Sharepoint.Powershell

####################################################
# Main
####################################################

function Main
{

$passwords = Import-Csv $InputFile
$passwords | foreach {
$username = $_.Username
$newpwd1 = $_.NewPassword
$newpassword =  ConvertTo-SecureString -String $newpwd1 -AsPlainText -Force
$newpwd1
if ($newpasswords)
{
Write-Host "changing password for  {$username} to a new one"
Set-SPManagedAccount -Identity $username -NewPassword $newpassword -ConfirmPassword $newpassword -Confirm:$false
}
else
{
Write-Host "changing password for  {$username} to an existing one"
Set-SPManagedAccount -Identity $username -ExistingPassword $newpassword -Confirm:$false -UseExistingPassword:$true
}
}
}
Main

How to change other passwords

If the account participates in the user profile sync, search or workflow farm, you  might need to run additional scripts.

User profile sync

These accounts are managed and are changed within SharePoint but are also used for the User Profile Sync. So an additional configuration might be required.

Good reference can be found here

https://blog.zubairalexander.com/managing-passwords-for-service-accounts-in-sharepoint-sql-server/ – section 5 5. User Profile Synchronization Connection Account

or https://blogs.msdn.microsoft.com/charliechirapuntu/2013/01/16/sharepoint-2010-service-accounts-passwords-change-guide/

 

Search crawler account

This has an additional impact – the search content account has to be updated in the active directory first and then updated in the search center.

https://technet.microsoft.com/en-au/library/dn178512.aspx

 

Workflow and service bus farm accounts

 

 

On each server in the farm that has workflow installed run the Service Bus PowerShell in the elevated mode. (Note: if the service buspower shell is missing, then skip the procedure for this server).

Run the changewfpassword.ps1 script.

The script will prompt for the new Password for the svcInsiteWfProd/ svcInsiteWfTest  account.

 


Write-Host "Please enter a new password"
$passwordText = Read-Host
$AccountPassword = ConvertTo-SecureString -String $passwordText -AsPlainText -Force

Stop-WFHost -Verbose
Update-WFHost -RunAsPassword $AccountPassword –Verbose
Start-WFHost -Verbose

Stop-SBHost -Verbose
Update-SBHost -RunAsPassword $AccountPassword –Verbose
Start-SBHost -Verbose

 

Source code

The scripts could be found here

 

https://1drv.ms/f/s!AguWtH15ywzQhI5kUYLXI1Jcmv4Y6Q

 

Advertisements

From → Uncategorized

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: