Recipe 7.5. Setting the Service Account and Password

Problem

You want to configure the account and password used by a service.

Solution

Using a graphical user interface

  1. Open the Services snap-in.

  2. In the left pane, double-click on the service you want to configure.

  3. Click the Log On tab.

  4. Select This Account.

  5. Enter the domain and username of the account or click Browse to find it.

  6. Enter and confirm the account's password.

  7. Click OK.

Using a command-line interface:
> sc config <ServiceName> obj= <Domain>\<Username> password= <Password>

The following command configures the MyMonitor service to log on using the local administrator account:

> sc config MyMonitor obj= FS-RTP01\administrator password= foobar

Using VBScript
' This code configures the service account
' ------ SCRIPT CONFIGURATION ------
strUser     = "<Domain>\<Username>"  ' e.g., FS-RTP01\administrator
strPassword = "<Password>"       ' e.g., foobar
strSvcName  = "<ServiceName>"    ' e.g., MyMonitor
strComputer = "<ServerName>"     ' e.g., fs-rtp01 (use . for local server)
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
set objService = objWMI.Get("Win32_Service.Name='" & strSvcName & "'")
' StartName and StartPassword are the 7th and 8th parameters of Change
intRC = objService.Change(,,,,,,strUser,strPassword)
if intRC > 0 then
   WScript.Echo "Error setting service account: " & intRC
else
   WScript.Echo "Successfully set service account"
end if

Discussion

If you need to configure a user account to run a service under, make sure the account has the Log on as service right. Without this system right, the service will not start up correctly. The Services snap-in automatically grants this right when you configure the logon account for a service. However, neither the command-line nor the scripting solution does this. From the command line, you can use the ntrights.exe utility:

> ntrights +r SeServiceLogonRight -u <User>

Here is an example:

> ntrights +r SeServiceLogonRight -u RALLENCORP\rallen

Unfortunately, WMI doesn't support setting user rights, so if you need to do it programmatically, you'll have to shell out to the ntrights command.
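
The following is an added example, not code from the book: it combines the WMI Change call from the solution with the ntrights step described above, and reads the password at run time instead of storing it in the script. The /svc, /user and /computer argument names and the script file name are hypothetical; it assumes cscript.exe is the host, ntrights.exe is on the PATH, and ntrights signals failure through a nonzero exit code.

```vbscript
' Added example, not the book's code. Run under cscript.exe.
' Assumptions: ntrights.exe is on the PATH; the /svc, /user and /computer
' argument names are hypothetical, chosen for this example.
Option Explicit
Dim objArgs, strSvcName, strUser, strComputer, strPassword, strCmd
Dim objWMI, objService, objShell, intRC
Set objArgs = WScript.Arguments.Named
If Not (objArgs.Exists("svc") And objArgs.Exists("user")) Then
    WScript.Echo "Usage: cscript SetSvcAccount.vbs /svc:<ServiceName> " & _
                 "/user:<Domain>\<Username> [/computer:<ServerName>]"
    WScript.Quit 1
End If
strSvcName = objArgs("svc")
strUser = objArgs("user")
strComputer = "."
If objArgs.Exists("computer") Then strComputer = objArgs("computer")

' Reject quote characters so the values cannot break out of the WMI object
' path or the ntrights command line built below.
If InStr(strSvcName & strUser & strComputer, "'") > 0 Or _
   InStr(strSvcName & strUser & strComputer, """") > 0 Then
    WScript.Echo "Quote characters are not allowed in arguments."
    WScript.Quit 1
End If

' Read the password at run time so it is not stored in the script file.
' StdIn.ReadLine echoes the typed characters to the console.
WScript.StdOut.Write "Password for " & strUser & ": "
strPassword = WScript.StdIn.ReadLine

Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objService = objWMI.Get("Win32_Service.Name='" & strSvcName & "'")
intRC = objService.Change(,,,,,,strUser,strPassword)
If intRC <> 0 Then
    WScript.Echo "Error setting service account: " & intRC
    WScript.Quit 1
End If

' WMI cannot grant user rights, so shell out to ntrights (-m targets a remote
' computer). Assumption: ntrights reports failure with a nonzero exit code.
strCmd = "ntrights +r SeServiceLogonRight -u """ & strUser & """"
If strComputer <> "." Then strCmd = strCmd & " -m \\" & strComputer
Set objShell = CreateObject("WScript.Shell")
intRC = objShell.Run(strCmd, 0, True)
If intRC <> 0 Then
    WScript.Echo "ntrights failed with exit code " & intRC
    WScript.Quit 1
End If
WScript.Echo "Service account set and Log on as service right granted."
```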

There are a couple of issues you need to be aware of if you configure a local or domain account for a service to run under. If you have a password policy enabled in your domain that forces users to change their password after a period of time, make sure you have a process in place to change service account passwords on a regular basis. Another option, albeit much less secure, is to configure service accounts to have nonexpiring passwords. If a service account has an expired password, it will cause the service to fail when starting. The same is true for accounts that are locked out.

To avoid these problems, you can use local system accounts that don't have a password in the traditional sense. Here is an overview of these accounts:


Local System

This account has full access to the underlying system. It has similar rights to the Administrator account. On a domain controller, it has administrator-level access to all objects in the domain. Be careful when using this account for a service.


Local Service

This account is similar to an authenticated user that is a member of the local Users group on the computer. It has anonymous access to network resources. This account is new in Windows XP and Windows Server 2003.


Network Service

Like the Local Service account, this account has access similar to that of an authenticated user that is a member of the local Users group. The main difference with this account is that it can access network resources using the credentials of the computer account. This account is new in Windows XP and Windows Server 2003.

See Also

MS KB 279664 (How to Set Logon User Rights with the Ntrights.exe Utility) and MSDN: Change Method of the Win32_Service Class



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
