How to Recover Passwords for SharePoint Managed Accounts
This post shows how to recover the password of a SharePoint managed account. It is also a lesson for anybody who owns a SharePoint server: be careful about who you let sit at your console, because anyone who is both a local administrator on the box and a farm administrator can read these passwords in clear text. It is also a good argument for the automatic password change feature. The process itself isn't intuitive and mixes a couple of technologies, but everything in this post is, collectively, documented well enough on the internet that somebody looking for it will find it.
Background
I've had this question a few times from customers: "I forgot the password for <insert service that supports managed accounts here>. Is there any way I can retrieve the password?" Initially my answer was no, then it turned into "it depends", and now it's a definite yes.
Approach
The approach I'm taking is actually very simple, and it's basically only a few steps.
- Create a new application pool using the managed account whose password you wish to retrieve.
- Use appcmd.exe to retrieve the password for the application pool you just created.
Solution
As I said, there are only a few steps involved in retrieving the password of a managed account. The first thing we need to do is create an application pool that runs as the managed account. In order to do that, we retrieve the specific managed account with the Get-SPManagedAccount cmdlet and assign it to a variable. In the screenshot below I'm retrieving a managed account and assigning it to the $ManagedAccount variable.
Now that we have our managed account, we're ready to create an application pool. Here we make a decision: we either create a new service application or a new web application. I simply create a new web application, on an unused port and without a host header or DNS name, so that nobody actually tries to use it. I chose a web application because it leaves less of a footprint on the server: I tried simply creating a new SPServiceApplicationPool, but that does not show up as an IIS application pool until an actual service application is deployed onto your server. A web application, on the other hand, is provisioned into IIS immediately. To create it we use the New-SPWebApplication PowerShell cmdlet. We can see that the web application and its application pool have both been created in the screenshot below:
We can also retrieve the Application pool using PowerShell as well by using $WebApp.ApplicationPool, as shown in the screenshot below:
Now that we have a web application and its application pool, we switch over to appcmd.exe to retrieve the password for the application pool. IIS stores the application pool identity's password encrypted in applicationHost.config, and appcmd.exe decrypts it for a caller with local administrator rights, so this must run elevated. The line that we'll be using to retrieve the password (from PowerShell) is pretty simple, and looks something like this: cmd.exe /c C:\windows\system32\inetsrv\appcmd.exe list apppool "Name of Application Pool" /text:ProcessModel.Password
This will produce output as displayed in the screenshot below:
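The whole procedure, end to end, as an added example written for this edit (it is not the RetrievePassword.ps1 script linked below): it binds the managed account to a throwaway web application, reads the resulting IIS application pool's ProcessModel.Password with appcmd.exe, checks that the recovered password actually authenticates, and removes the web application, content database and application pool again. The account name, port and pool naming are assumptions; adjust them for your farm. Run it in an elevated SharePoint Management Shell as a farm administrator who is also a local administrator, and remember that the plaintext password will end up in any PowerShell transcript or history you have enabled.

```powershell
# Added example, not the script from the original post. Assumes an elevated
# SharePoint Management Shell on a web front end, a farm-admin + local-admin user,
# and that $AccountName names an existing managed account (assumed value below).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$AccountName = 'CONTOSO\sp_service'   # managed account to recover (assumption)
$Port        = 65432                  # unused port; no host header, so nothing resolves to it
$PoolName    = 'PwdRecovery-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$WebAppName  = 'PwdRecovery-' + $PoolName

$ManagedAccount = Get-SPManagedAccount -Identity $AccountName
if (-not $ManagedAccount) { throw "Managed account '$AccountName' not found" }

$WebApp = $null
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
try {
    # Provisioning the web application makes SharePoint create an IIS application
    # pool running as the managed account and write its credential to applicationHost.config.
    $WebApp = New-SPWebApplication -Name $WebAppName `
        -ApplicationPool $PoolName `
        -ApplicationPoolAccount $ManagedAccount `
        -Port $Port `
        -AuthenticationProvider (New-SPAuthenticationProvider)

    $IisPoolName = $WebApp.ApplicationPool.Name

    # appcmd decrypts the stored password for a local administrator.
    $Password = & $appcmd list apppool $IisPoolName /text:ProcessModel.Password
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($Password)) {
        throw "appcmd did not return a password for application pool '$IisPoolName'"
    }

    # Sanity check: confirm the recovered password authenticates against the domain
    # before anyone pastes it into another system. Uses the sAMAccountName part only.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
    $sam = $AccountName.Split('\')[-1]
    if (-not $ctx.ValidateCredentials($sam, $Password)) {
        Write-Warning "Recovered a password for '$AccountName' but it did not validate against the domain."
    }

    # Hand back a PSCredential rather than echoing plaintext to the console;
    # $cred.GetNetworkCredential().Password reveals it when you really need it.
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential($AccountName, $secure)
    $cred
}
finally {
    # Leave the farm as it was: drop the web application, its IIS site and the
    # content database New-SPWebApplication created, then the pool if IIS kept it.
    if ($WebApp) {
        Remove-SPWebApplication -Identity $WebApp -DeleteIISSite -RemoveContentDatabases -Confirm:$false
        $leftover = & $appcmd list apppool $IisPoolName
        if ($LASTEXITCODE -eq 0 -and $leftover) {
            & $appcmd delete apppool $IisPoolName | Out-Null
        }
    }
}
```

The try/finally matters more than it looks: if appcmd or the credential check throws, the cleanup still runs, so a failed attempt does not leave a stray web application and content database behind. If you prefer not to create a content database at all, New-SPWebApplication has no switch for that, so the -RemoveContentDatabases flag on removal is the practical way to keep the footprint small.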
You can download the Password Retrieval Script from this location: Download RetrievePassword.ps1 (zipped)
Usage
To use this script you must be logged in with an account which is a local administrator and a farm administrator. Simply edit the script variable to indicate your managed account, and run the PowerShell script.
Feedback
As always, if you have any questions or feedback, let me know. If you have any ideas to optimize the script, I'd like to hear that too. Thanks for reading!
Comments
Anonymous, August 13, 2012: [The comment has been removed]

Anonymous, August 13, 2012: Hi Steven, Yes, the web application is removed, and there is some cleanup for some residual artifacts that I'm also cleaning up as part of the removal process. Effectively, the server should be left in the same condition as it was before you ran the script, based on my testing. If you do run the script and find anything out of place, let me know and I'll make sure to address it.

Anonymous, September 24, 2012: [The comment has been removed]

Anonymous, September 24, 2012: Hey Steven, You can definitely change the port. Optionally, you could also include the -HostHeader parameter as well. I'll keep that in mind and update the script within the next few weeks. Thanks,

Anonymous, September 24, 2012: [The comment has been removed]

Anonymous, April 26, 2013: My solution is a little more elegant and doesn't require Farm Administrator rights: gallery.technet.microsoft.com/.../Recover-SharePoint-Farm-3ddb6577

Anonymous, March 26, 2015: This is awesome. Thanks, helps me a lot!

Anonymous, July 09, 2015: Thank you very much, you saved my day! This trick is super cool.

Anonymous, September 22, 2015: [The comment has been removed]

Anonymous, November 24, 2015: There is a way to query the password of the managed account directly via Reflection and Marshaling as described in this post: pholpar.wordpress.com/.../recovering-passwords-for-sharepoint-managed-accounts