Configuring Service Account Passwords

Microsoft® Windows® 2000 Scripting Guide

When you assign an account to a service, the SCM requires the correct password for that account before it makes the assignment. If you supply an incorrect password, the SCM rejects the account. If you configure a service account using the LocalSystem, LocalService, or NetworkService account, you do not need to supply an account password because these accounts do not have passwords.

The SCM stores the account password in the services database. After the password is assigned, however, the SCM does not ensure that the password stored in the services database and the password assigned to the user account in Active Directory continue to match. Consequently, a situation similar to the following could occur:

  1. You configure a service to run under a particular user account.
  2. The service starts up under that account by using the current account password.
  3. You change the password for the user account.
  4. The service continues to run. However, if the service stops, you cannot restart it because the SCM continues to use the old, invalid password. Changing the password in Active Directory does not change the password stored in the services database.

If you run services under regular user accounts, you need to update those service passwords each time the user account password changes. This can be particularly time-consuming if you are not sure which services are running under that account or which computers have services running under that account.

Fortunately, you can use WMI to check the service accounts on all your computers and, if necessary, change the service account password.

Scripting Steps

Listing 15.21 contains a script that changes the service account password for all services running under Netsvc. To carry out this task, the script must perform the following steps:

  1. Create a variable to specify the computer name.
  2. Use a GetObject call to connect to the WMI namespace root\cimv2, and set the impersonation level to "impersonate."
  3. Use the ExecQuery method to query the Win32_Service class. To limit data retrieval to a specific set of services, a Where clause is included that restricts the collection to those services with the StartName .\\Netsvc (a second backslash is required whenever a single backslash is used in a query).
  4. For each service in the collection, use the Change method to change the password to "password".

    When using the Change method, the password must be the eighth parameter passed to the method. Because of this, the password is preceded by seven empty arguments (represented by the seven commas). Unless you are using a variable, the password must be enclosed in quotation marks.

Listing 15.21   Changing a Service Account Password

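    ' Connect to WMI on the target computer ("." is the local computer).
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    ' Select only the services that log on as .\NetSvc.
    Set colServiceList = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_Service WHERE StartName = '.\\NetSvc'")
    ' The password is the eighth parameter of Change; the first seven are left empty.
    For Each objService in colServiceList
        errReturn = objService.Change( , , , , , , , "password")
    Next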
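
The same Change call made through PowerShell's CIM cmdlets, as an added example that is not part of the Scripting Guide: it prompts for the password instead of embedding it in the script file, walks a list of computers, and records the value that Change returns, which Listing 15.21 stores in errReturn but never checks. The computer names are placeholders, and the target computers are assumed to accept CIM (WS-Man) connections.

```powershell
# Added example, not from the Scripting Guide.
$computers = 'atl-ws-01', 'atl-ws-02'   # hypothetical computer names
$account   = '.\Netsvc'                 # account name used in Listing 15.21

# Prompt for the new password so it is never stored in the script file.
$secure = Read-Host -Prompt "New password for $account" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# WQL treats the backslash as an escape character, so double it in the filter.
$filter = "StartName = '{0}'" -f $account.Replace('\', '\\')

# A few of the documented Win32_Service.Change return values.
$codes = @{
    0  = 'Success'
    2  = 'Access denied'
    21 = 'Invalid parameter'
    22 = 'Invalid service account'
}

$report = foreach ($computer in $computers) {
    try {
        $services = Get-CimInstance -ComputerName $computer -ClassName Win32_Service `
            -Filter $filter -ErrorAction Stop
    } catch {
        # An unreachable computer is reported and skipped, not silently ignored.
        [pscustomobject]@{ Computer = $computer; Service = $null; State = $null
                           Result = "Query failed: $($_.Exception.Message)" }
        continue
    }
    foreach ($service in $services) {
        # StartPassword is passed by name; all other Change parameters stay unchanged.
        $out = Invoke-CimMethod -InputObject $service -MethodName Change `
            -Arguments @{ StartPassword = $plain }
        $rv = [int]$out.ReturnValue
        $text = if ($codes.ContainsKey($rv)) { $codes[$rv] } else { "Return value $rv" }
        [pscustomobject]@{ Computer = $computer; Service = $service.Name
                           State = $service.State; Result = $text }
    }
}

$plain = $null   # drop the plain-text copy once every computer has been processed
$report | Format-Table -AutoSize
```

The State column shows which of the updated services were running at the time of the change; the SCM uses the stored password the next time each service starts.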

Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003
Year: 2004
Pages: 635
