Recipe 10.19. Setting the Account and Password of a Service


Problem

You want to configure the account and password used by a service.

Solution

Using a graphical user interface

  1. Open the Services snap-in.

  2. In the left pane, double-click on the service you want to configure.

  3. Click the Log On tab.

  4. Select This Account.

  5. Enter the domain and username of the account or click Browse to find it.

  6. Enter and confirm the account's password.

  7. Click OK.

Using a command-line interface
> sc config <ServiceName> obj= <Domain>\<Username> password= <Password>

The following command configures the MyMonitor service to use the local administrator account:

> sc config MyMonitor obj= RALLEN-WXP\administrator password= foobar

Using VBScript
' This code configures the service account
' ------ SCRIPT CONFIGURATION ------
strUser     = "<Domain>\<Username>"  ' e.g. FS-RTP01\administration
strPassword = "<Password>"     ' e.g. foobar
strSvcName  = "<ServiceName>"  ' e.g. MyMonitor
strComputer = "<HostName>"     ' e.g. rallen-wxp (use . for local system)
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
set objService = objWMI.Get("Win32_Service.Name='" & strSvcName & "'")
intRC = objService.Change(,,,,,,strUser,strPassword)
if intRC > 0 then
   WScript.Echo "Error setting service account: " & intRC
else
   WScript.Echo "Successfully set service account"
end if

Discussion

If you need to configure a user account to run a service under, make sure the account has the Log on as a service right on the system. Without it, the service will not start up correctly. The Services snap-in automatically grants this right when you configure the logon account for a service. However, neither the command-line nor the scripting solution does this. From the command line, you can use the ntrights.exe utility from the Resource Kit:

> ntrights +r SeServiceLogonRight -u <User>

Here is an example:

> ntrights +r SeServiceLogonRight -u RALLENCORP\rallen

Unfortunately, WMI doesn't support setting user rights, so if you need to do it programmatically, you'll have to shell out to the ntrights command.
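The two scripted steps combined, as an added example that is not from the book: it grants the right with ntrights, sets the account through the Change method, and then reads back StartName to confirm. It assumes ntrights.exe is on the PATH and signals failure with a nonzero exit code, that the script runs locally under cscript.exe as an administrator, and that the ScriptPW.Password object (shipped with Windows XP and Server 2003) is available for hidden password input; the bracketed names are placeholders.

```vbscript
' Added example: grant "Log on as a service", then set the service account.
' Assumptions: ntrights.exe is on the PATH and returns nonzero on failure;
' run locally with cscript.exe by an administrator.
Option Explicit
Dim strUser, strSvcName, strPassword, strCmd
Dim objShell, objWMI, objService, intRC

strUser    = "<Domain>\<Username>"   ' e.g. RALLENCORP\rallen
strSvcName = "<ServiceName>"         ' e.g. MyMonitor

' Read the password at run time instead of storing it in the script.
' ScriptPW.Password does not echo the typed characters (cscript only).
WScript.StdOut.Write "Password for " & strUser & ": "
strPassword = CreateObject("ScriptPW.Password").GetPassword()
WScript.StdOut.WriteLine

' Step 1: WMI cannot set user rights, so shell out to ntrights and wait
' for it to finish (third argument True) to get its exit code.
strCmd = "ntrights +r SeServiceLogonRight -u """ & strUser & """"
Set objShell = CreateObject("WScript.Shell")
intRC = objShell.Run(strCmd, 0, True)
If intRC <> 0 Then
   WScript.Echo "ntrights failed with exit code " & intRC
   WScript.Quit 1
End If

' Step 2: set the logon account (7th and 8th arguments of Change)
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set objService = objWMI.Get("Win32_Service.Name='" & strSvcName & "'")
intRC = objService.Change(,,,,,,strUser,strPassword)
If intRC <> 0 Then
   WScript.Echo "Error setting service account: " & intRC
   WScript.Quit 1
End If

' Step 3: re-read the service and confirm the account it will start under
Set objService = objWMI.Get("Win32_Service.Name='" & strSvcName & "'")
WScript.Echo strSvcName & " now logs on as " & objService.StartName
```

The new account takes effect the next time the service starts.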

There are a couple of issues you need to be aware of if you configure a local or domain account to run a service under. If you have a password policy enabled in your domain that forces users to change their password after a period of time, make sure any service accounts you are using are configured to have nonexpiring passwords. If a service account has an expired password, it will cause the service to fail when starting. The same is true for accounts that are locked out.

To avoid these problems, you can use local system accounts that don't have a password in the traditional sense. Here is an overview of these accounts:


Local System

This account has full access to the underlying system. It has similar rights to the Administrator account. On a domain controller, it has administrator-level access to all objects in the domain. Be careful when using this account for a service.


Local Service

This account is similar to an authenticated user that is a member of the local Users group on the computer. It has anonymous access to network resources. This account is new in Windows XP.


Network Service

Like the Local Service account, this account has similar access to an authenticated user that is a member of the local Users group. The main difference with this account is that it accesses network resources using the credentials of the computer account. This account is new in Windows XP.

See Also

MS KB 279664, "How to Set Logon User Rights with the Ntrights.exe Utility," and MSDN: Change Method of the Win32_Service Class



Windows XP Cookbook
Windows XP Cookbook (Cookbooks)
ISBN: 0596007256
EAN: 2147483647
Year: 2006
Pages: 408
