I’d been meaning to post this for quite some time but just haven’t gotten around to it – as paranoid administrators we often find the need to change our service account passwords and doing so with a product like SharePoint can be a rather significant effort if you consider all the various accounts that may be used in a least-privilege model. If you’re just about to hit this situation you’re likely to do a quick search and find the following support article: http://support.microsoft.com/kb/934838 – this article provides you with the stsadm commands you need as well as a sample script that you can use.
The problem I have is that the article doesn’t provide a complete script – the sample only addresses some SSP related settings and app pools – it makes mention of the commands needed to change the farm account but it doesn’t include those commands in the script. It also has a line where you have to go and manually make a change via the browser – this is because the out of the box stsadm commands don’t provide you with all the stuff you need to change all the passwords. Specifically there are two missing – the default content access account and the user profile import account. Seeing as I consider myself a developer and not an administrator (though sometimes I wonder) I decided to build those missing commands which I’ve previously blogged about here and here.
Using these two commands I created the script shown below – note that you don’t necessarily need all the execadmsvcjobs calls but I prefer to make sure that all pending jobs complete before moving on to the next step. Also – you may not have as many accounts – you can either remove the unnecessary lines and/or change the variable values as needed but I’d encourage you to leave the variable names so that it is clearer what each account is used for. Of course this batch file will not actually make the password changes – if you need a script that will actually make the password change then look here. And finally – please, please, please do NOT leave this script on your server when you are done – it’s a huge security risk storing all the passwords in a script like this so you need to make sure that you either store the file in a secure location and/or blank the passwords out when not being utilized.
As always – if you have any comments or suggestions please let me know as I’m always looking for ways to improve and I’m by no means a batch file expert.
@echo off

rem Note: "if errorlevel N" is true when the exit code is N or higher, so the
rem exit code is compared against 0 explicitly after each stsadm call below.

SET PATH=C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN;%PATH%
SET DOMAIN=spdev
SET SSP=SSP1

rem *** Farm account (central admin app pool, timer jobs account)
set APP_POOL_CA_USER="%DOMAIN%\spfarm"
set APP_POOL_CA_PWD="pa$$w0rd"

rem *** SharePoint SSP Service Account
set SSPSVC_USER="%DOMAIN%\sspsvc"
set SSPSVC_PWD="pa$$w0rd"

rem *** SharePoint SSP Application Pool Account
SET APP_POOL_SSP_USER="%DOMAIN%\sspapppool"
SET APP_POOL_SSP_PWD="pa$$w0rd"

rem *** SharePoint Server Search Service Account
set SEARCH_USER="%DOMAIN%\sspsearch"
set SEARCH_PWD="pa$$w0rd"

rem *** SharePoint Services Help Search Service Account
set SEARCH_HELP_USER="%DOMAIN%\sphelpsearch"
set SEARCH_HELP_PWD="pa$$w0rd"

rem *** Default content access account for office search
set CONTENT_USER="%DOMAIN%\sspcontent"
set CONTENT_PWD="pa$$w0rd"

rem *** content access account for windows sharepoint services help search
set CONTENT_HELP_USER="%DOMAIN%\spcontentsearch"
set CONTENT_HELP_PWD="pa$$w0rd"

rem *** User profile import account
set PROFILE_IMPORT_USER="%DOMAIN%\sspuserprofilesvc"
set PROFILE_IMPORT_PWD="pa$$w0rd"

rem *** Portal application pool account
set APP_POOL_PORTAL_USER="%DOMAIN%\spportalapppool"
set APP_POOL_PORTAL_PWD="pa$$w0rd"

rem *** Teams sites application pool account
set APP_POOL_TEAMS_USER="%DOMAIN%\spcollabapppool"
set APP_POOL_TEAMS_PWD="pa$$w0rd"

rem *** My sites application pool account
set APP_POOL_MYSITE_USER="%DOMAIN%\spmysitesapppool"
set APP_POOL_MYSITE_PWD="pa$$w0rd"

rem *** Excel Services Unattended User Account
set SVC_EXCEL_USER="%DOMAIN%\SPSSAcct_dev"
set SVC_EXCEL_PWD="Pa$$w0rd"

goto startpoint
:startpoint


rem central admin
ECHO %DATE% %TIME%: Updating Central Admin password
stsadm -o updatefarmcredentials -userlogin %APP_POOL_CA_USER% -password %APP_POOL_CA_PWD% -identitytype configurableid
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

rem The next ECHO prints the farm account password to the console
rem (and to any log file the output is redirected to).
ECHO %DATE% %TIME%: Run "stsadm -o updatefarmcredentials -userlogin %APP_POOL_CA_USER% -password %APP_POOL_CA_PWD% -identitytype configurableid -local" on each WFE before continuing
pause
ECHO %DATE% %TIME%: Run "stsadm -o execadmsvcjobs" on each WFE before continuing.
pause

iisreset /noforce

rem application pools
ECHO %DATE% %TIME%: Updating app pool passwords for Portal
stsadm -o updateaccountpassword -userlogin %APP_POOL_PORTAL_USER% -password %APP_POOL_PORTAL_PWD% -noadmin
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Updating app pool passwords for Teams
stsadm -o updateaccountpassword -userlogin %APP_POOL_TEAMS_USER% -password %APP_POOL_TEAMS_PWD% -noadmin
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Updating app pool passwords for MySite
stsadm -o updateaccountpassword -userlogin %APP_POOL_MYSITE_USER% -password %APP_POOL_MYSITE_PWD% -noadmin
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Updating app pool passwords for SSP
stsadm -o updateaccountpassword -userlogin %APP_POOL_SSP_USER% -password %APP_POOL_SSP_PWD% -noadmin
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd


rem ssp - new
ECHO %DATE% %TIME%: Updating ssp password for new installs
stsadm -o editssp -title %SSP% -ssplogin %SSPSVC_USER% -ssppassword %SSPSVC_PWD%
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd


rem osearch
ECHO %DATE% %TIME%: Updating osearch password
stsadm -o osearch -farmserviceaccount %SEARCH_USER% -farmservicepassword %SEARCH_PWD%
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Updating default content access account
stsadm -o gl-updatedefaultcontentaccessaccount -username %CONTENT_USER% -password %CONTENT_PWD%
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

iisreset /noforce

rem spsearch
ECHO %DATE% %TIME%: Updating spsearch password
stsadm -o spsearch -farmserviceaccount %SEARCH_HELP_USER% -farmservicepassword %SEARCH_HELP_PWD%
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Updating spsearch content access account
stsadm -o spsearch -farmcontentaccessaccount %CONTENT_HELP_USER% -farmcontentaccesspassword %CONTENT_HELP_PWD%
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Updating default profile import account
stsadm -o gl-setuserprofiledefaultaccessaccount -username %PROFILE_IMPORT_USER% -password %PROFILE_IMPORT_PWD% -sspname %SSP%
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Updating excel services unattended service account
stsadm -o set-ecsexternaldata -ssp %SSP% -unattendedserviceaccountname %SVC_EXCEL_USER% -unattendedserviceaccountpassword %SVC_EXCEL_PWD%
if %ERRORLEVEL% NEQ 0 goto errhnd

ECHO %DATE% %TIME%: Executing pending timer jobs
stsadm -o execadmsvcjobs
if %ERRORLEVEL% NEQ 0 goto errhnd

rem restarting IIS
ECHO %DATE% %TIME%: Doing soft restart of IIS

iisreset /noforce
echo on
goto end

:errhnd

echo An error occurred - terminating script.

:end
To use this script on WSS just remove the unnecessary elements (lines with the following commands: gl-setuserprofiledefaultaccessaccount, gl-updatedefaultcontentaccessaccount, editssp, osearch, and set-ecsexternaldata).
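One way to act on the warning above about storing passwords in the file: the following PowerShell sketch is an added example, not part of the original script, that prompts for each password at run time and passes it to the same stsadm operations. It covers only the application pool, SSP and search service steps (the farm-account step with its per-WFE pauses is left to the batch file), and it assumes stsadm.exe is on the PATH and that the account names match those used above.

```powershell
# Added example: prompt for each password instead of storing it in the script.
# Assumptions: stsadm.exe is on PATH; domain, SSP and account names are the
# ones from the batch file above. Nothing secret is written to disk, but the
# password is still visible on stsadm's command line while the process runs.
$domain = 'spdev'
$ssp    = 'SSP1'

# One entry per account. {U} and {P} are replaced with login and password.
$steps = @(
    @{ Name = 'Portal app pool'; User = "$domain\spportalapppool";
       StsArgs = '-o','updateaccountpassword','-userlogin','{U}','-password','{P}','-noadmin' },
    @{ Name = 'Teams app pool';  User = "$domain\spcollabapppool";
       StsArgs = '-o','updateaccountpassword','-userlogin','{U}','-password','{P}','-noadmin' },
    @{ Name = 'SSP service account'; User = "$domain\sspsvc";
       StsArgs = '-o','editssp','-title',$ssp,'-ssplogin','{U}','-ssppassword','{P}' },
    @{ Name = 'Office search service'; User = "$domain\sspsearch";
       StsArgs = '-o','osearch','-farmserviceaccount','{U}','-farmservicepassword','{P}' }
)

function ConvertTo-PlainText([Security.SecureString]$Secure) {
    # Decrypt the SecureString only for as long as needed, then zero the buffer.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

foreach ($step in $steps) {
    $secure = Read-Host -AsSecureString "New password for $($step.User) ($($step.Name))"
    $plain  = ConvertTo-PlainText $secure
    $argv   = $step.StsArgs | ForEach-Object { $_.Replace('{U}', $step.User).Replace('{P}', $plain) }

    Write-Host "$(Get-Date -Format s): Updating $($step.Name)"
    & stsadm.exe $argv
    $code = $LASTEXITCODE
    $plain = $null; $argv = $null          # drop the plain-text copies
    if ($code -ne 0) { Write-Error "stsadm failed ($code) for $($step.Name)"; exit $code }

    Write-Host "$(Get-Date -Format s): Executing pending timer jobs"
    & stsadm.exe -o execadmsvcjobs
    $code = $LASTEXITCODE
    if ($code -ne 0) { Write-Error "execadmsvcjobs failed ($code)"; exit $code }
}
```

The remaining accounts from the batch file can be added as further entries in `$steps` using the same stsadm arguments shown in the script.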