Recipe 7.5. Setting the Service Account and Password

Problem

You want to configure the account and password used by a service.

Solution

Using a graphical user interface

Using a command-line interface:

> sc config <ServiceName> obj= <Domain>\<Username> password= <Password>

The following command configures the MyMonitor service to log on using the local administrator account:

> sc config MyMonitor obj= FS-RTP01\administrator password= foobar

Using VBScript

' This code configures the service account
' ------ SCRIPT CONFIGURATION ------
strUser = "<Domain>\<Username>"   ' e.g., FS-RTP01\administration
strPassword = "<Password>"        ' e.g., foobar
strSvcName = "<ServiceName>"      ' e.g., MyMonitor
strComputer = "<ServerName>"      ' e.g., fs-rtp01 (use . for local server)
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
set objService = objWMI.Get("Win32_Service.Name='" & strSvcName & "'")
' Only the 7th (StartName) and 8th (StartPassword) parameters are supplied;
' the empty positions leave the other service settings unchanged.
intRC = objService.Change(,,,,,,strUser,strPassword)
if intRC > 0 then
    WScript.Echo "Error setting service account: " & intRC
else
    WScript.Echo "Successfully set service account"
end if

Discussion

If you need to configure a user account to run a service under, make sure the account has the Log on as service right. Without this right, the service will not start up correctly. The Services snap-in automatically grants this right when you configure the logon account for a service. However, neither the command-line nor the scripting solution does this. From the command line, you can use the ntrights.exe utility:

> ntrights +r SeServiceLogonRight -u <User>

Here is an example:

> ntrights +r SeServiceLogonRight -u RALLENCORP\rallen

Unfortunately, WMI doesn't support setting user rights, so if you need to do it programmatically, you'll have to shell out to the ntrights command.

There are a couple of issues you need to be aware of if you configure a local or domain account for a service to run under. If you have a password policy enabled in your domain that forces users to change their password after a period of time, make sure you have a process in place to change service account passwords on a regular basis.
Another option, albeit much less secure, is to configure service accounts to have nonexpiring passwords. If a service account has an expired password, it will cause the service to fail when starting. The same is true for accounts that are locked out. To avoid these problems, you can use local system accounts that don't have a password in the traditional sense. Here is an overview of these accounts:

See Also

MS KB 279664 (How to Set Logon User Rights with the Ntrights.exe Utility) and MSDN: Change Method of the Win32_Service Class
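
The two steps from the Discussion combined into one script, as an added example that is not part of the original recipe: it shells out to ntrights to grant the Log on as service right, then calls the Change method as in the VBScript solution and reads back the configured account. It assumes ntrights.exe is on the PATH and returns a non-zero exit code on failure; all configuration values are placeholders.

```vbscript
' Added example (not from the original recipe): grant the logon right with
' ntrights.exe, then set the service account through WMI.
Option Explicit
Dim strUser, strPassword, strSvcName, strComputer
Dim objShell, objWMI, objService, strCmd, intRC

' ------ SCRIPT CONFIGURATION (placeholders) ------
strUser     = "<Domain>\<Username>"
strPassword = "<Password>"      ' do not leave a real password in a saved copy
strSvcName  = "<ServiceName>"
strComputer = "."               ' use . for the local server
' ------ END CONFIGURATION ------------------------

' Step 1: WMI cannot assign user rights, so shell out to ntrights.exe.
' Assumption: ntrights.exe is on the PATH and exits non-zero on failure.
strCmd = "ntrights +r SeServiceLogonRight -u """ & strUser & """"
If strComputer <> "." Then strCmd = strCmd & " -m \\" & strComputer

Set objShell = CreateObject("WScript.Shell")
' Window style 0 = hidden; True = wait for the command and return its exit code
intRC = objShell.Run("%COMSPEC% /c " & strCmd, 0, True)
If intRC <> 0 Then
    WScript.Echo "ntrights failed (exit code " & intRC & "); service account not changed"
    WScript.Quit 1
End If

' Step 2: set only StartName and StartPassword (7th and 8th parameters).
Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objService = objWMI.Get("Win32_Service.Name='" & strSvcName & "'")
intRC = objService.Change(,,,,,,strUser,strPassword)
If intRC <> 0 Then
    WScript.Echo "Error setting service account: " & intRC
    WScript.Quit 1
End If

' Step 3: read the service back to confirm the account WMI now reports.
Set objService = objWMI.Get("Win32_Service.Name='" & strSvcName & "'")
WScript.Echo strSvcName & " is configured to log on as " & objService.StartName
WScript.Echo "The new account is used the next time the service starts."
```

Granting the right before calling Change means a failure in ntrights leaves the service's existing logon account untouched.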