Trouble updating service logon account

  • Question

  • I am trying to write a couple of functions to do three things (see code below):

    1. Prompt the user for a local account/password
    2. Change the password of the local account
    3. Set a service to start the local account

    I'm using the change method of the win32_service class, which requires a string for the password and I have verified that the password is a string. I have also verified that the service account's password is actually getting reset, by running an executable as the service account.

    When I run the Configure-Service function, everything looks fine (the Return value is 0), but when I start the service, PowerShell says:

    Start-Service : Service 'Background Intelligent Transfer Service (bits)' cannot be started due to the following error: Cannot start service bits on computer '.'.

    And if I try to start it through the Services MMC, it says:

    Error 1069: The service did not start due to a logon failure

    Now, if I run the $svc.Change command and manually enter the password (not in a variable), the service starts fine.

    Why am I unable to correctly set the service's logon account, when providing the password in a variable? Is there a better way to achieve my goals? Thanks.

    Code:

    Function Update-ServiceAcctPassword {
        Param (
            $serviceAccount
        )
        
        #Update the password on the local host
        $password = Read-Host -prompt "Enter new password for user" -AsSecureString
        $decodedpassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
        $user = [adsi]"WinNT://$env:COMPUTERNAME/$serviceAccount"
        $user.SetPassword($decodedpassword)
        $user.SetInfo()
    
        $decodedpassword
    
    }
    
    Function Configure-Service {
        Param (
            $serviceAccount,
            $password
        )
    
        $svc = Get-WmiObject win32_service -Filter "Name='bits'"
        $svc.Change($null,$null,$null,$null,$null,$null,".\$serviceAccount","$password")
        Start-Service bits
    }
    
    $password = Update-ServiceAcctPassword -serviceAccount bits
    If ($password.GetType().Name -eq 'String') {
        Write-Output "The password object is a string."
        Configure-Service -serviceAccount bits -password $password
    }
    Else {
        Write-Output "Nope, the password is not a string."
    }
    
    Start-Service bits

    Thursday, March 31, 2016 3:23 PM

Answers

All replies

  • No need to reinvent the wheel. Use the script here:

    Windows IT Pro - Changing Service Credentials Using PowerShell

    The Set-ServiceCredential.ps1 script from that article can update service account passwords.


    -- Bill Stewart [Bill_Stewart]

    Thursday, March 31, 2016 3:40 PM
    Moderator
  • That looks good, but I don't think it will work for me.

    1. I want to prompt the user for the credential in the function where the local account's password gets reset, and not again.
    2. Eventually, we will not even prompt the user for a credential. Instead, the script will reach out to our password repository over the repository's API.

    That's why I need to understand why the variable I'm passing into Configure-Service isn't working.

    Thursday, March 31, 2016 3:50 PM
  • The script uses the -ServiceCredential parameter, which is a PSCredential object.

    You can retrieve the password from your repository and construct a PSCredential object from it and pass it to the script.


    $cred = New-Object Management.Automation.PSCredential(
      "username",
      (ConvertTo-SecureString "password" -AsPlainText -Force)
    )

    This example creates a PSCredential object, and you can pass this to the -ServiceCredential parameter.

    Hint: You can often find useful information by searching. For example:

    http://www.google.com/search?&q=create+pscredential+object


    -- Bill Stewart [Bill_Stewart]

    Thursday, March 31, 2016 4:02 PM
    Moderator
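Added example (not from the thread, and not the Set-ServiceCredential.ps1 script): one way to carry a PSCredential, as suggested in the reply above, through both steps from the question, so the plain-text password is decoded once inside the function and never travels as a pipeline value or a command-line argument. The function name Set-LocalServiceLogon and its parameters are hypothetical.

```powershell
# Added example: function and parameter names are hypothetical.
function Set-LocalServiceLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\- ]+$')]   # keeps quotes out of the WQL filter below
        [string] $ServiceName,

        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential] $Credential
    )
    $ErrorActionPreference = 'Stop'        # any failed step aborts the rest

    # Accept "name" or ".\name"; work with the bare local account name.
    $account = $Credential.UserName -replace '^\.\\', ''

    # Decode the SecureString once, here, where it is consumed.
    $plain = $Credential.GetNetworkCredential().Password
    try {
        # 1. Reset the local account's password (same ADSI calls as the question).
        #    Method output is discarded so nothing leaks into the function's output.
        $user = [adsi]"WinNT://$env:COMPUTERNAME/$account,user"
        $null = $user.SetPassword($plain)
        $null = $user.SetInfo()

        # 2. Set the service logon. Named arguments replace the positional $null list.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
        if (-not $svc) { throw "Service '$ServiceName' not found." }
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = ".\$account"
            StartPassword = $plain
        }
    }
    finally {
        # Drop the reference; the managed string itself lives until garbage collection.
        $plain = $null
    }

    # Change reports failure through ReturnValue rather than by throwing.
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change returned $($result.ReturnValue) for '$ServiceName'."
    }
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
        Select-Object Name, StartName, State
}

# Prompt once; a repository lookup could build the same PSCredential object instead.
$cred = Get-Credential -Message 'Local service account and its new password'
Set-LocalServiceLogon -ServiceName 'bits' -Credential $cred
```

Win32_Service.Change does not grant the account the "Log on as a service" right, which the Services console adds automatically when an account is set there. An account without that right also fails to start with error 1069.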
  • To just change the password using a plain text password you can use this:

    cmd /c "sc config spooler password=Mypassword"

    This will set the password for any service that has a defined service account.


    \_(ツ)_/

    Thursday, March 31, 2016 4:12 PM