How to change service account passwords


  • murtazazm
    started a topic How to change service account passwords

    How to change service account passwords

    We have over 100 servers on our network. Some of the applications installed on these servers run as services which require a domain account to log on as a service. To compound the problem, some services are using different accounts across the servers.

    We now have a requirement to change their passwords. We are faced with the following problem.

    1. How to find out which service is running with which account on a server.

    2. Change the service account's password on that server after we change the password of the account.

    We are currently in a mixed mode with NT 4.0 and W2K3.

    Any help or pointers would be greatly appreciated.

    Thanks in advance.

    Murtaza

  • guyt
    replied
    I am not able to access the archives of the activedir.org mailing list, so I am attaching a script by Dean Wells that does most of the work:
    Code:
    :: SVCcontext - Queries and lists all services on all servers within a specified domain running within a specified security context
    :: Dean Wells - MSEtechnology - Sept. 2002
    
    @echo off
    setlocal ENABLEDELAYEDEXPANSION
    
    :: Begin script body
    echo/
    
    :: Define initial environment
    set fqdn=%1
    set dn=dc=%fqdn:.=,dc=%
    set principal=%2
    set scriptname=SVCcontext
    set log=%TEMP%\%scriptname%.log
    set stdout=nul
    set stderr=nul
    set found=0
    
    :: Determine if supplied arguments were sufficient
    if "%2"=="" (
    	echo ERROR - Insufficient arguments, "%*"
    	goto :SYNTAX
    )
    
    :: Define extreme SC query buffer to cope with unfamiliar environments
    set bufsize=50000
    
    :: Locate critical executables
    for %%e in (find.exe sc.exe ldifde.exe) do (
    	set where="%%~$PATH:e"
    	if "!where!"=="""" (
    		echo ERROR - Required executable, "%%e", not located within the path
    		goto :END
    	)
    )
    
    :: Cleanup existing temporary/log files and prepare log header
    del %TEMP%\servers.log 1>%stdout% 2>%stderr%
    del %log% 1>%stdout% 2>%stderr%
    echo %scriptname% log, "%log%" - >>%log%
    echo   * created by "%USERNAME%" at "%TIME%" on "%DATE%">>%log%
    echo   * servers in domain "%fqdn%" queried>>%log%
    echo   * queried for match or partial match on "%principal%" >>%log%
    echo/ >>%log%
    echo [[BEGIN LOG]] >>%log%
    echo/ >>%log%
    
    :: Determine servers to query
    ldifde -j %TEMP% -s %fqdn% -d %dn% -r (objectClass=computer) -l dnshostname -f %TEMP%\servers.log 1>%stderr% 2>%stderr%
    if errorlevel 1 (
    	echo ERROR - LDAP query failed enumerating server list
    	goto :SYNTAX
    )
    
    :: Prepare display
    echo STATUS - Working ...
    echo/
    
    :: Parse the servers
    for /f "tokens=2 delims=: " %%h in ('type %TEMP%\servers.log ^| find /i "dnshostname: "') do (
    	call :GETSVCS %%h
    )
    
    :: Clean up display and display log
    if "%found%"=="1" (
    	echo/ >>%log%
    	echo/
    	echo STATUS - Done^^!
    	start "" notepad %log%
    ) else (
    	echo STATUS - No services located
    	echo          * Queried domain "%fqdn%"
    	echo          * Queried for match or partial match on "%principal%"
    )
    echo [[END LOG]] >>%log%
    
    :: Script body ends
    goto :END
    
    :: Define functions and procedures
    
    :GETSVCS
    for /f "tokens=2 delims=: " %%s in ('sc \\%1 query state^= all bufsize^= %bufsize% ^| find "SERVICE_NAME"') do (
    	call :QUERYSVCS %1 %%s
    )
    goto :EOF
    
    :QUERYSVCS
    for /f "tokens=2 delims=: " %%p in ('sc \\%1 qc %2 ^| find "SERVICE_START_NAME"') do (
    	echo %%p | find /i "%principal%" 1>%stderr% 2>%stderr%
    	if not errorlevel 1 (
    		set found=1
    		echo + SERVICE %2, SERVER %1, CONTEXT %%p
    		echo + SERVICE %2 on SERVER %1 runs in the context of %%p >>%log%
    	)
    )
    goto :EOF
    
    :SYNTAX
    echo/
    echo SYNTAX - %scriptname% [domain FQDN] [username]
    echo/
    echo   * [domain FQDN] is the DNS domain name to query for servers
    echo   * [username] is the name or partial name of the service account
    echo/
    echo     e.g. - %scriptname% microsoft.com Administrator
    echo  or ...
    echo     e.g. - %scriptname% microsoft.com MICROSOFT\Admin
    echo/
    
    :: End script and perform necessary cleanup
    :END
    del %TEMP%\servers.log 1>%stderr% 2>%stderr%
    This is supposed to be the original post:
    http://unagi.mail-archive.com:8080/a.../msg14745.html (looks like our proxy does not like http on this port)


  • Greel
    replied
    You can see the account the service is running under in the services screen, last column (Log On As).

    To change the passwords, simply change the password on the domain controller, then go to the server services and get the properties of that service, go to the Log On tab, and fill in the new password.

    That should do the trick.
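
An added example, not part of the original thread and not Dean Wells's script: a PowerShell version of the two steps discussed above (find the services that log on with a given account, then store the new password for each of them). It assumes PowerShell 3.0 or later with WinRM reachable on the servers, which excludes NT 4.0 hosts; the function names, server names and account name are hypothetical.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ and WinRM on the targets.
# Function names, server names and the account below are placeholders.

function Get-ServiceByAccount {
    # Return every service on the given servers whose "Log On As" account
    # contains $Account (name or partial name, case-insensitive).
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Account
    )
    $pattern = [regex]::Escape($Account)   # treat "\" and "." in the name literally
    foreach ($computer in $ComputerName) {
        try {
            Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.StartName -match $pattern }
        } catch {
            # An unreachable server must not hide the results from the others.
            Write-Warning "${computer}: query failed: $($_.Exception.Message)"
        }
    }
}

function Set-ServiceLogonPassword {
    # Store the new password for each service piped in. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [ciminstance] $Service,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    process {
        $target = "$($Service.SystemName)\$($Service.Name)"
        if (-not $PSCmdlet.ShouldProcess($target, 'Update stored logon password')) { return }
        $result = Invoke-CimMethod -InputObject $Service -MethodName Change -Arguments @{
            StartName     = $Service.StartName
            StartPassword = $Credential.GetNetworkCredential().Password
        }
        # ReturnValue 0 means the change was accepted; the service uses the new
        # password the next time it starts.
        [pscustomobject]@{ Service = $target; Account = $Service.StartName; ReturnValue = $result.ReturnValue }
    }
}

# Usage (run after the password has been changed in the domain):
#   $servers = 'srv01.example.com', 'srv02.example.com'
#   $hits    = Get-ServiceByAccount -ComputerName $servers -Account 'EXAMPLE\svc_app'
#   $hits | Select-Object SystemName, Name, StartName, State      # review first
#   $hits | Set-ServiceLogonPassword -Credential (Get-Credential) -WhatIf
```

Taking the password from a `Get-Credential` prompt keeps it out of the script file and the command history, and `-WhatIf` lists the affected services without changing them.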
