Changing SharePoint 2013 farm passwords
Another recent case from the customer.
What they had was a farm deployed with AutoSPInstaller (https://autospinstaller.codeplex.com/), so they have quite a number of accounts for various SharePoint services, Windows services and application pools.
So how should we change the accounts?
The easiest way (the one implemented at the customer) is to have the accounts registered as managed accounts.
This way you or SharePoint can automatically change passwords for the accounts, and update all relevant records.
The managed account can change the passwords in AD or just update the SharePoint records. In our case there were some errors we have not resolved, so we let the AD admins change the password and then we changed the things in SharePoint.
So what happens after you change the AD account password?
If you do nothing, there will be problems. Most likely though you will only notice the problems after you restart the server.
The reason is that there are:
- Windows Service registrations on farm computers containing copies of the passwords
- IIS Pools registrations containing copies of the passwords
- In some cases (like search or workflow) other entities that contain a reference to the password.
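To see where those copies live on a given server, the following added example (not part of the original post) lists the Windows services and IIS application pools that run under the accounts you are about to change. The account name CONTOSO\svcExample and the function name Get-AccountFootprint are placeholders chosen for illustration; run it on each farm server before and after the change.

```powershell
# Added example, not from the original post: find the services and IIS pools
# on this server that hold a copy of a given account's password.
param(
    # Placeholder account name; pass the real accounts in DOMAIN\user form.
    [string[]] $Accounts = @('CONTOSO\svcExample')
)

function Get-AccountFootprint {
    param([Parameter(Mandatory)] [string[]] $Accounts)

    # Windows services: StartName is the logon account of the service.
    # -contains is case-insensitive, but the format must match (DOMAIN\user).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($Accounts -contains $_.StartName) } |
        ForEach-Object {
            [pscustomobject]@{
                Server  = $env:COMPUTERNAME
                Kind    = 'WindowsService'
                Name    = $_.Name
                Account = $_.StartName
                State   = $_.State
            }
        }

    # IIS application pools: only pools running as a specific user store a password.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem -Path IIS:\AppPools |
            Where-Object { $Accounts -contains $_.processModel.userName } |
            ForEach-Object {
                [pscustomobject]@{
                    Server  = $env:COMPUTERNAME
                    Kind    = 'IISAppPool'
                    Name    = $_.Name
                    Account = $_.processModel.userName
                    State   = $_.State
                }
            }
    }
}

Get-AccountFootprint -Accounts $Accounts | Sort-Object Kind, Name | Format-Table -AutoSize
```

Anything listed as stopped after the password change is a registration that still holds the old password.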
Managed accounts
The benefit of a managed account is that SharePoint can automate some of these actions across the farm, namely changing the Windows service registrations and IIS pool registrations.
If you choose to change the passwords (and not let them be changed automatically), there are basically 2 ways to do it.
Option one - Central Admin
Press the edit button
Enter new password and press ok below
Note that the first option, "Set account password to a new value", will try to change the password in AD first. The second option will just update the relevant services and IIS pools.
In some cases you would prefer to use PowerShell. If the account you are changing is also used to run the Central Administration application pool, then your command will kind of fail in the middle, because it will run under the pool that is going to be reset!
In this case you can use the Set-SPManagedAccount command
https://technet.microsoft.com/en-us/library/ff607617(v=office.16).aspx
If you want this command to change the AD password use this format
Set-SPManagedAccount -Identity $username -NewPassword $newpassword -ConfirmPassword $newpassword
If you want to use an existing password - use this one.
Set-SPManagedAccount -Identity $username -ExistingPassword $newpassword -UseExistingPassword:$true
I have made a script that reads accounts and new passwords from a CSV file and updates them in bulk.
<#
.SYNOPSIS
    Changes managed account passwords at the farm.
.DESCRIPTION
    Changes accounts using the provided CSV file.
.EXAMPLE
    .\changepasswords.ps1 -inputFile "yourfile.csv" -newPasswords:$false
.NOTES
    Author: Marat Bakirov
    Date: 05 July 2016
#>
[cmdletbinding()]
param(
    [string] $InputFile = "accountsandpasswords.csv",
    [switch] $newPasswords = $true
)
####################################################
# Configurables
####################################################
Add-PSSnapin Microsoft.Sharepoint.Powershell
####################################################
# Main
####################################################
function Main
{
    # The CSV file needs a Username and a NewPassword column
    $passwords = Import-Csv $InputFile
    $passwords | foreach {
        $username = $_.Username
        # Set-SPManagedAccount expects a SecureString; the plain-text value is never echoed
        $newpassword = ConvertTo-SecureString -String $_.NewPassword -AsPlainText -Force
        if ($newPasswords)
        {
            # Changes the password in AD and then updates SharePoint
            Write-Host "changing password for {$username} to a new one"
            Set-SPManagedAccount -Identity $username -NewPassword $newpassword -ConfirmPassword $newpassword -Confirm:$false
        }
        else
        {
            # The password was already changed in AD; only update SharePoint
            Write-Host "changing password for {$username} to an existing one"
            Set-SPManagedAccount -Identity $username -ExistingPassword $newpassword -Confirm:$false -UseExistingPassword:$true
        }
    }
}
Main
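The script above needs the new passwords in clear text in the CSV file. The following added example (not the author's script) is a variant that keeps only user names on disk and prompts for each password as a SecureString; the file name accounts.csv, the single Username column and the -UseExistingPassword switch on the script itself are assumptions made for illustration.

```powershell
# Added example: bulk update of managed accounts without passwords on disk.
# Assumes a CSV with one column, "Username" (hypothetical file layout).
[CmdletBinding()]
param(
    [string] $InputFile = 'accounts.csv',   # hypothetical file name
    [switch] $UseExistingPassword           # set when AD admins already changed the password
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$results = foreach ($row in Import-Csv -Path $InputFile) {
    $username = $row.Username
    $status   = 'Updated'
    try {
        # Fail early if the account is not registered as a managed account.
        $null = Get-SPManagedAccount -Identity $username -ErrorAction Stop

        # Input is masked on screen and held only as a SecureString.
        $secure = Read-Host -Prompt "Password for $username" -AsSecureString

        if ($UseExistingPassword) {
            # Password already set in AD: only update SharePoint, services and pools.
            $params = @{ ExistingPassword = $secure; UseExistingPassword = $true }
        }
        else {
            # Let SharePoint change the password in AD as well.
            $params = @{ NewPassword = $secure; ConfirmPassword = $secure }
        }
        $null = Set-SPManagedAccount -Identity $username @params -Confirm:$false -ErrorAction Stop
    }
    catch {
        # Keep going with the remaining accounts, but record what failed.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Username = $username; Status = $status }
}

$results | Format-Table -AutoSize
```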
How to change other passwords
If the account participates in the user profile sync, search or workflow farm, you might need to run additional scripts.
User profile sync
These accounts are managed and are changed within SharePoint but are also used for the User Profile Sync. So an additional configuration might be required.
A good reference can be found here:
https://blog.zubairalexander.com/managing-passwords-for-service-accounts-in-sharepoint-sql-server/ (section 5, User Profile Synchronization Connection Account)
Search crawler account
This has an additional impact: the search content account has to be updated in Active Directory first and then updated in the search center.
https://technet.microsoft.com/en-au/library/dn178512.aspx
Workflow and service bus farm accounts
On each server in the farm that has workflow installed, run the Service Bus PowerShell in elevated mode. (Note: if the Service Bus PowerShell is missing, skip the procedure for this server.)
Run the changewfpassword.ps1 script.
The script will prompt for the new password for the svcInsiteWfProd / svcInsiteWfTest account.
# Read the password masked, directly as a SecureString
$AccountPassword = Read-Host -Prompt "Please enter a new password" -AsSecureString
# Workflow Manager host
Stop-WFHost -Verbose
Update-WFHost -RunAsPassword $AccountPassword -Verbose
Start-WFHost -Verbose
# Service Bus host
Stop-SBHost -Verbose
Update-SBHost -RunAsPassword $AccountPassword -Verbose
Start-SBHost -Verbose
Source code
The scripts could be found here