How to change service account passwords


  • How to change service account passwords

    We have over 100 servers on our network. Some of the applications installed on these servers run as services which require a domain account to log on as a service. To compound the problem, some services are using different accounts across the servers.

    We now have a requirement to change their passwords. We are faced with the following problem.

    1. How to find out which service is running with which account on a server.

    2. Change the service account's password on that server after we change the password of the account.

    We are currently in a mixed mode with NT 4.0 and W2K3.

    Any help or pointers would be greatly appreciated.

    Thanks in advance.


  • #2
    You can see the account the service is running under in the services screen, last column (Log On As).

    To change the passwords, simply change the password on the domain controller, then go to the server services and get the properties of that service, go to the Log On tab, and fill in the new password.

    That should do the trick.


    • #3
      I am not able to access the archives of the mailing list, so I am attaching a script by Dean Wells that does most of the work:
      :: SVCcontext - Queries and lists all services on all servers within a specified domain running within a specified security context
      :: Dean Wells - MSEtechnology - Sept. 2002
      @echo off
      :: Delayed expansion is required for the !where! test below
      setlocal ENABLEDELAYEDEXPANSION
      :: Begin script body
      :: Define initial environment
      set fqdn=%1
      set dn=dc=%fqdn:.=,dc=%
      set principal=%2
      set scriptname=SVCcontext
      set log=%TEMP%\%scriptname%.log
      set stdout=nul
      set stderr=nul
      set found=0
      :: Determine if supplied arguments were sufficient
      if "%2"=="" (
      	echo ERROR - Insufficient arguments, "%*"
      	goto :SYNTAX
      )
      :: Define extreme SC query buffer to cope with unfamiliar environments
      set bufsize=50000
      :: Locate critical executables
      for %%e in (find.exe sc.exe ldifde.exe) do (
      	set where="%%~$PATH:e"
      	if "!where!"=="""" (
      		echo ERROR - Required executable, "%%e", not located within the path
      		goto :END
      	)
      )
      :: Cleanup existing temporary/log files and prepare log header
      del %TEMP%\servers.log 1>%stdout% 2>%stderr%
      del %log% 1>%stdout% 2>%stderr%
      echo %scriptname% log, "%log%" - >>%log%
      echo   * created by "%USERNAME%" at "%TIME%" on "%DATE%">>%log%
      echo   * servers in domain "%fqdn%" queried>>%log%
      echo   * queried for match or partial match on "%principal%" >>%log%
      echo/ >>%log%
      echo [[BEGIN LOG]] >>%log%
      echo/ >>%log%
      :: Determine servers to query
      ldifde -j %TEMP% -s %fqdn% -d %dn% -r (objectClass=computer) -l dnshostname -f %TEMP%\servers.log 1>%stderr% 2>%stderr%
      if errorlevel 1 (
      	echo ERROR - LDAP query failed enumerating server list
      	goto :SYNTAX
      )
      :: Prepare display
      echo STATUS - Working ...
      :: Parse the servers
      for /f "tokens=2 delims=: " %%h in ('type %TEMP%\servers.log ^| find /i "dnshostname: "') do (
      	call :GETSVCS %%h
      )
      :: Clean up display and display log
      if "%found%"=="1" (
      	echo/ >>%log%
      	echo STATUS - Done^^!
      	start "" notepad %log%
      ) else (
      	echo STATUS - No services located
      	echo          * Queried domain "%fqdn%"
      	echo          * Queried for match or partial match on "%principal%"
      )
      echo [[END LOG]] >>%log%
      :: Script body ends
      goto :END
      :: Define functions and procedures
      :: GETSVCS [server] - enumerate every service name on the server
      :GETSVCS
      for /f "tokens=2 delims=: " %%s in ('sc \\%1 query state^= all bufsize^= %bufsize% ^| find "SERVICE_NAME"') do (
      	call :QUERYSVCS %1 %%s
      )
      goto :EOF
      :: QUERYSVCS [server] [service] - log the service if its logon account matches
      :QUERYSVCS
      for /f "tokens=2 delims=: " %%p in ('sc \\%1 qc %2 ^| find "SERVICE_START_NAME"') do (
      	echo %%p | find /i "%principal%" 1>%stderr% 2>%stderr%
      	if not errorlevel 1 (
      		set found=1
      		echo + SERVICE %2, SERVER %1, CONTEXT %%p
      		echo + SERVICE %2 on SERVER %1 runs in the context of %%p >>%log%
      	)
      )
      goto :EOF
      :SYNTAX
      echo SYNTAX - %scriptname% [domain FQDN] [username]
      echo   * [domain FQDN] is the DNS domain name to query for servers
      echo   * [username] is the name or partial name of the service account
      echo     e.g. - %scriptname% Administrator
      echo  or ...
      echo     e.g. - %scriptname% MICROSOFT\Admin
      :END
      :: End script and perform necessary cleanup
      del %TEMP%\servers.log 1>%stderr% 2>%stderr%
      This is supposed to be the original post: (looks like our proxy does not like http on this port)
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"
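
An added example, not part of the original post or of Dean Wells's script: it takes the `+ SERVICE ... on SERVER ... runs in the context of ...` lines the script writes to its log and groups them per account, so that after an account's password is changed every service that must be updated (step 2 of the question) is listed, each with an `sc config` line. The sample log, all server, service and account names in it, and the `<new-password>` placeholder are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of the "+ SERVICE ..." lines the script appends to its log;
# all server, service and account names here are made up.
SAMPLE_LOG = r"""
[[BEGIN LOG]]
+ SERVICE BackupAgent on SERVER app01.example.local runs in the context of EXAMPLE\svc_backup
+ SERVICE SQLAgent on SERVER db01.example.local runs in the context of EXAMPLE\svc_sql
+ SERVICE BackupAgent on SERVER db01.example.local runs in the context of example\SVC_Backup
+ SERVICE Spooler on SERVER app01.example.local runs in the context of LocalSystem
[[END LOG]]
"""

LINE = re.compile(r"^\+ SERVICE (\S+) on SERVER (\S+) runs in the context of (\S+)\s*$")
# Built-in contexts have no password to rotate. "NT" is what the script logs for
# "NT AUTHORITY\..." accounts, because it splits the sc output on spaces.
BUILTIN = {"localsystem", "nt"}


def parse_log(text):
    """Return (service, server, account) tuples from SVCcontext log text."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]


def rotation_worklist(entries):
    """Group services by account; account names compare case-insensitively."""
    work = defaultdict(list)
    for service, server, account in entries:
        key = account.lower()
        if key in BUILTIN:
            continue
        work[key].append((server, service))
    return {acct: sorted(targets) for acct, targets in work.items()}


def sc_config_lines(account, targets, placeholder="<new-password>"):
    """Render one 'sc config' line per service; the password stays a placeholder."""
    return [f"sc \\\\{server} config {service} obj= {account} password= {placeholder}"
            for server, service in targets]


if __name__ == "__main__":
    for account, targets in sorted(rotation_worklist(parse_log(SAMPLE_LOG)).items()):
        print(f"{account}: {len(targets)} service(s) to update")
        for line in sc_config_lines(account, targets):
            print("  " + line)
```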