MOSS MVP

I've moved my blog to http://blog.falchionconsulting.com!. Please update your links. This blog is no longer in use--you can find all posts and comments at my new blog; I will no longer be posting to this site and comments have been disabled.

Wednesday, October 22, 2008

Change Password Script

I'd been meaning to post this for quite some time but just haven't gotten around to it - as paranoid administrators we often find the need to change our service account passwords, and doing so with a product like SharePoint can be a rather significant effort if you consider all the various accounts that may be used in a least-privileges model. If you're about to hit this situation you're likely to do a quick search and find the following support article: http://support.microsoft.com/kb/934838 - it provides the stsadm commands you need as well as a sample script you can use.

The problem I have is that the article doesn't provide a complete script - the sample only addresses some SSP-related settings and app pools; it mentions the commands needed to change the farm account but doesn't include them in the script. It also has a step where you have to go and manually make a change via the browser - this is because the out-of-the-box stsadm commands don't cover everything you need to change all the passwords. Specifically there are two missing: the default content access account and the user profile import account. Seeing as I consider myself a developer and not an administrator (though sometimes I wonder), I decided to build those missing commands, which I've previously blogged about here and here.

Using these two commands I created the script shown below. Note that you don't necessarily need all the execadmsvcjobs calls, but I prefer to make sure that all pending jobs complete before moving on to the next step. Also, you may not have as many accounts - you can remove the unnecessary lines and/or change the variable values as needed, but I'd encourage you to leave the variable names so that it is clearer what each account is used for. Of course this batch file will not actually change the passwords in Active Directory - if you need a script that will actually make the password change then look here. And finally - please, please, please do NOT leave this script on your server when you are done. Storing all the passwords in a script like this is a huge security risk, so make sure that you either store the file in a secure location and/or blank the passwords out when it is not being used.

As always - if you have any comments or suggestions please let me know, as I'm always looking for ways to improve and I'm by no means a batch file expert.

@echo off

SET PATH=C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN;%PATH%
SET DOMAIN=spdev
SET SSP=SSP1

rem *** Farm account (central admin app pool, timer jobs account)
set APP_POOL_CA_USER="%DOMAIN%\spfarm"
set APP_POOL_CA_PWD="pa$$w0rd"

rem *** SharePoint SSP Service Account
set SSPSVC_USER="%DOMAIN%\sspsvc"
set SSPSVC_PWD="pa$$w0rd"

rem *** SharePoint SSP Application Pool Account
SET APP_POOL_SSP_USER="%DOMAIN%\sspapppool"
SET APP_POOL_SSP_PWD="pa$$w0rd"

rem *** SharePoint Server Search Service Account
set SEARCH_USER="%DOMAIN%\sspsearch"
set SEARCH_PWD="pa$$w0rd"

rem *** SharePoint Services Help Search Service Account
set SEARCH_HELP_USER="%DOMAIN%\sphelpsearch"
set SEARCH_HELP_PWD="pa$$w0rd"

rem *** Default content access account for office search
set CONTENT_USER="%DOMAIN%\sspcontent"
set CONTENT_PWD="pa$$w0rd"

rem *** Content access account for windows sharepoint services help search
set CONTENT_HELP_USER="%DOMAIN%\spcontentsearch"
set CONTENT_HELP_PWD="pa$$w0rd"

rem *** User profile import account
set PROFILE_IMPORT_USER="%DOMAIN%\sspuserprofilesvc"
set PROFILE_IMPORT_PWD="pa$$w0rd"

rem *** Portal application pool account
set APP_POOL_PORTAL_USER="%DOMAIN%\spportalapppool"
set APP_POOL_PORTAL_PWD="pa$$w0rd"

rem *** Teams sites application pool account
set APP_POOL_TEAMS_USER="%DOMAIN%\spcollabapppool"
set APP_POOL_TEAMS_PWD="pa$$w0rd"

rem *** My sites application pool account
set APP_POOL_MYSITE_USER="%DOMAIN%\spmysitesapppool"
set APP_POOL_MYSITE_PWD="pa$$w0rd"

rem *** Excel Services Unattended User Account
set SVC_EXCEL_USER="%DOMAIN%\SPSSAcct_dev"
set SVC_EXCEL_PWD="Pa$$w0rd"

goto startpoint
:startpoint

rem Note on error checks: "if errorlevel N" is true when the exit code is N or
rem higher, so "if not errorlevel 0" is never true and would silently skip the
rem error handler. "if errorlevel 1" catches any non-zero stsadm exit code.

rem central admin
ECHO %DATE% %TIME%: Updating Central Admin password
stsadm -o updatefarmcredentials -userlogin %APP_POOL_CA_USER% -password %APP_POOL_CA_PWD% -identitytype configurableid
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Run "stsadm -o updatefarmcredentials -userlogin %APP_POOL_CA_USER% -password %APP_POOL_CA_PWD% -identitytype configurableid -local" on each WFE before continuing
pause
ECHO %DATE% %TIME%: Run "stsadm -o execadmsvcjobs" on each WFE before continuing.
pause

iisreset /noforce

rem application pools
ECHO %DATE% %TIME%: Updating app pool passwords for Portal
stsadm -o updateaccountpassword -userlogin %APP_POOL_PORTAL_USER% -password %APP_POOL_PORTAL_PWD% -noadmin
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Updating app pool passwords for Teams
stsadm -o updateaccountpassword -userlogin %APP_POOL_TEAMS_USER% -password %APP_POOL_TEAMS_PWD% -noadmin
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Updating app pool passwords for MySite
stsadm -o updateaccountpassword -userlogin %APP_POOL_MYSITE_USER% -password %APP_POOL_MYSITE_PWD% -noadmin
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Updating app pool passwords for SSP
stsadm -o updateaccountpassword -userlogin %APP_POOL_SSP_USER% -password %APP_POOL_SSP_PWD% -noadmin
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd


rem ssp - new
ECHO %DATE% %TIME%: Updating ssp password for new installs
stsadm -o editssp -title %SSP% -ssplogin %SSPSVC_USER% -ssppassword %SSPSVC_PWD%
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd


rem osearch
ECHO %DATE% %TIME%: Updating osearch password
stsadm -o osearch -farmserviceaccount %SEARCH_USER% -farmservicepassword %SEARCH_PWD%
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Updating default content access account
stsadm -o gl-updatedefaultcontentaccessaccount -username %CONTENT_USER% -password %CONTENT_PWD%
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

iisreset /noforce

rem spsearch
ECHO %DATE% %TIME%: Updating spsearch password
stsadm -o spsearch -farmserviceaccount %SEARCH_HELP_USER% -farmservicepassword %SEARCH_HELP_PWD%
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Updating spsearch content access account
stsadm -o spsearch -farmcontentaccessaccount %CONTENT_HELP_USER% -farmcontentaccesspassword %CONTENT_HELP_PWD%
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Updating default profile import account
stsadm -o gl-setuserprofiledefaultaccessaccount -username %PROFILE_IMPORT_USER% -password %PROFILE_IMPORT_PWD% -sspname %SSP%
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Updating excel services unattended service account
stsadm -o set-ecsexternaldata -ssp %SSP% -unattendedserviceaccountname %SVC_EXCEL_USER% -unattendedserviceaccountpassword %SVC_EXCEL_PWD%
if errorlevel 1 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if errorlevel 1 goto errhnd

rem restarting IIS
ECHO %DATE% %TIME%: Doing soft restart of IIS

iisreset /noforce
echo on
goto end

:errhnd

echo An error occurred - terminating script.
rem Return a non-zero exit code so a calling script or scheduler sees the failure.
exit /b 1

:end

To use this script on WSS just remove the unnecessary elements (lines with the following commands: gl-setuserprofiledefaultaccessaccount, gl-updatedefaultcontentaccessaccount, editssp, osearch, and set-ecsexternaldata).
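The post's main caveat is that the batch file keeps every password on disk. As an added example (not the post's script, and not part of any SharePoint product), the PowerShell below runs the same stsadm operations for a few of the accounts above but prompts for each password at run time, so nothing is stored in the file, and it checks the real exit code (the batch file's "if not errorlevel 0" never fires). The stsadm path, $domain, $ssp and the account names are assumed from the post; adjust them for your farm.

```powershell
# Added example: prompt for each password instead of storing it, then run the
# post's stsadm commands. Assumes MOSS 2007 default paths and the post's account names.
$stsadm = "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\stsadm.exe"
$domain = "spdev"
$ssp    = "SSP1"

# Convert a SecureString to plain text only at the moment stsadm needs it, then zero it.
function ConvertFrom-Secure([System.Security.SecureString]$secure) {
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Run one stsadm operation, stop on any non-zero exit code, then flush pending timer jobs.
function Invoke-Stsadm([string[]]$argList) {
    & $stsadm $argList
    if ($LASTEXITCODE -ne 0) { throw "stsadm $($argList[1]) failed with exit code $LASTEXITCODE" }
    & $stsadm -o execadmsvcjobs
    if ($LASTEXITCODE -ne 0) { throw "execadmsvcjobs failed with exit code $LASTEXITCODE" }
}

# label, account, stsadm operation, user flag, password flag, extra arguments
# (the flag names differ per operation, exactly as in the batch file above).
$steps = @(
    @("Farm account",           "$domain\spfarm",         "updatefarmcredentials", "-userlogin", "-password", "-identitytype", "configurableid"),
    @("Portal app pool",        "$domain\spportalapppool", "updateaccountpassword", "-userlogin", "-password", "-noadmin"),
    @("SSP service account",    "$domain\sspsvc",         "editssp",            "-ssplogin", "-ssppassword", "-title", $ssp),
    @("Office search service",  "$domain\sspsearch",      "osearch",            "-farmserviceaccount", "-farmservicepassword"),
    @("Default content access", "$domain\sspcontent",     "gl-updatedefaultcontentaccessaccount", "-username", "-password")
)

foreach ($step in $steps) {
    $label, $user, $op, $userFlag, $pwdFlag = $step[0..4]
    $extra = @()
    if ($step.Length -gt 5) { $extra = $step[5..($step.Length - 1)] }

    $secure = Read-Host -AsSecureString -Prompt "New password for $user ($label)"
    $plain  = ConvertFrom-Secure $secure
    Write-Host "$(Get-Date): Updating $label"
    Invoke-Stsadm (@("-o", $op, $userFlag, $user, $pwdFlag, $plain) + $extra)
    $plain = $null   # drop the plain-text copy as soon as the command has run
}

iisreset /noforce
```

The password still appears on the stsadm command line for the lifetime of that process, as it does with the batch file; the gain is that no password survives on disk after the session ends. The farm-account step still requires the separate "-local" run on each WFE that the post describes.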

2 comments:

Janice said...

Thank-you! I had just visited the MS site. Your site filled in the missing pieces.

ben curry said...

thanks, gary. just used this 'cause my scripts weren't with me today :-)

you rock.

-ben