How to set a service account password in PowerShell

The below script assigns an account to the service, but the password never seems to take, despite it being correct. I always have to manually reset the service account password in the services console. I'd like to be able to run the script so that the service has it's account and password set and restarted. Thanks.

$localaccount = ".\anAccount"
$newpassword = "strongPassword"
$strCompName = ""
$filter = "avbackup"

$service = Get-WmiObject win32_Service -Filter "Name='$filter'" 
$service.Change($null,$null,$null,$null,$null,$null,$localaccount,$newpassword)
$service.StopService()
  while ($service.Started){
    sleep 2
    $service = Get-WMIObject -ComputerName $strCompName -namespace "root\cimv2" -class Win32_Service -Filter $filter
  }
  $service.StartService()

Open in new window

barnescoAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
QlemoConnect With a Mentor Batchelor, Developer and EE Topic AdvisorCommented:
Jason, that doesn't really help much. It adds some error handling and comfort, but it doesn't fix the issue.

Own observations:
In my tests, I was able to set the password with ReturnValue 0 no matter if
* the account has Log on as Service privilege
* the password is correct
the account name has been checked, however. The wrong password or missing privilege is resulting in a ResultValue of 15 when trying to start the service.
(Note: The service needs to be stopped prior to applying changes, otherwise they might not be reflected.)

Having assigned the Log on as Service privilege manually, the .Change works as expected. Wrong password = ReturnValue 15 on start, good password = ReturnValue 0 at start (ok).

So I was correct that the behaviour is the same if the password is wrong or the Log on as Service privilege missing,
but wrong about the .Change returning an error with a wrong password.

Further:
([ADSI]"WinNT://$computername,computer").GetObject('user', $username).UserFlags

Open in new window

does not reflect the Log on as Service privilege. After assigning the priv manually the UserFlags value did not change.
Reading more about it, the common suggestions are as stated in http://www.morgantechspace.com/2013/11/Set-or-Grant-Logon-As-A-Service-right-to-User.html, which either involves the usage of a custom DLL you can download, or the good old ntrights from one of the Windows Resource Kits.
1
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Are you getting an error when calling .Change? If not, the password is set correctly, and you might need to assign the Log on as a Service privilege to the account used.
0
 
barnescoAuthor Commented:
There's no error. The Log on as a Service privilege would be assigned when the service is restarted, but it won't restart due to an incorrect password (or so it thinks). That's why I have to reset the password and manually restart it myself.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
I cannot see how the privilege should get assigned. Do you have other code for doing so, or are you using a group policy to do? "Would be assigned when the service is restarted" is not true without taking other actions.
I can't recall exactly, but the effects from this privilege missing might be the same as if you set a wrong password.
If it is the privilege, changing to a wrong password should report a script failure. Changing it back should succeed, and the password being set properly.
0
 
barnescoAuthor Commented:
Here's what I run first to create the account and password:

$computername = $env:computername   # place computername here for remote access
$username = 'anAccount'
$password = 'StrongPassword'
$desc = 'Backup service account'


$computer = [ADSI]"WinNT://$computername,computer"
$user = $computer.Create("user", $username)
$user.SetPassword($password)
$user.Setinfo()
$user.description = $desc
$user.setinfo()
$user.UserFlags = 65536
$user.SetInfo()
$group = [ADSI]("WinNT://$computername/administrators,group")
$group.add("WinNT://$username,user")

Open in new window

0
 
Jason CrawfordTransport NinjaCommented:
$password = ConvertTo-SecureString 'StrongPassword' -AsPlainText -Force

Really though you should be storing your passwords in an encrypted fashion if they're being used in a script:

https://blog.kloud.com.au/2016/04/21/using-saved-credentials-securely-in-powershell-scripts/
0
 
get-ADuser -F ($_.Name -eq "Todd")I.T. ManagerCommented:
$localaccount = ".\anAccount"
$newpassword = ConvertTo-SecureString "strongPassword" -AsPlainText -Force
$strCompName = ""
$filter = "avbackup"

$service = Get-WmiObject win32_Service -Filter "Name='$filter'"
$service.Change($null,$null,$null,$null,$null,$null,$localaccount,$newpassword)
$service.StopService()
  while ($service.Started){
    sleep 2
    $service = Get-WMIObject -ComputerName $strCompName -namespace "root\cimv2" -class Win32_Service -Filter $filter
  }
  $service.StartService()
1
 
barnescoAuthor Commented:
Same error--The service did not start due to a logon failure.
0
 
Jason CrawfordTransport NinjaCommented:
I think you have to stop the service before attempting to change the password.  Try this:

$localaccount = ".\anAccount"
$newpassword = ConvertTo-SecureString "strongPassword" -AsPlainText -Force
$strCompName = ""
$filter = "avbackup"

$service = Get-WmiObject win32_Service -Filter "Name='$filter'"
$stop = $service.StopService()
if ($stop.returnvalue -eq 0) {
  $change = $service.Change($null,$null,$null,$null,$null,$null,$localaccount,$newpassword,$null,$null,$null)
  if ($change.returnvalue -eq 0) {
    Write-Host "The $filter service credentials were changed successfully" -ForegroundColor Green
  }
  else { 
    Write-Host "There was an error attempting to change the $filter service account credentials.  The error code was $($change.returnvalue)" -ForegroundColor Red
    break
  }
}
else {
  Write-Host "There was an error attempting to stop the $filter service.  The error code was $($stop.returnvalue)" -ForegroundColor Red
}

Open in new window

0
 
get-ADuser -F ($_.Name -eq "Todd")I.T. ManagerCommented:
Says here that you cannot use a secure string for change method.,   Also It looks like there are 11 parameters.  Not sure you need $null identifying them all.   Meaning adding 3 more $nulls after the eighth. (which is for password.

https://mcpmag.com/articles/2015/01/22/password-for-a-service-account-in-powershell.aspx


$localaccount = ".\anAccount"
 $newpassword = ConvertTo-SecureString "strongPassword" -AsPlainText -Force
  $BSTR = [system.runtime.interopservices.marshal]::SecureStringToBSTR($newpassword)
  $newpassword = [system.runtime.interopservices.marshal]::PtrToStringAuto($BSTR)



 $strCompName = ""
 $filter = "avbackup"

 $service = Get-WmiObject win32_Service -Filter "Name='$filter'"
 $service.Change($null,$null,$null,$null,$null,$null,$localaccount,$newpassword)
 $service.StopService()
   while ($service.Started){
     sleep 2
     $service = Get-WMIObject -ComputerName $strCompName -namespace "root\cimv2" -class Win32_Service -Filter $filter
   }
   $service.StartService()
0
 
Jason CrawfordTransport NinjaCommented:
Man it looks like we're trying to reinvent the wheel.  There is already a script for this in the Gallery:

https://gallery.technet.microsoft.com/Powershell-How-to-change-be88ce7e
0
 
Jason CrawfordTransport NinjaCommented:
Impressive work as always Qlemo
0
 
barnescoAuthor Commented:
Thank you. I've used the carbon.dll to remotely restart the account from another server, but I hadn't tried locally, so this will be the best solution. Thanks to everyone who contributed.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.