Update all SharePoint 2010 service account passwords from one script

It is convenient to do all of this in one script; take note of the additional manual steps the script prints once it has run.

You must of course set the values between ### YOU NEED TO SET THESE and
### STOP SETTING NOW to those appropriate to your farm.

You will note that this script allows for a typical set of farm accounts
as required by a Least Privilege Service Accounts setup. You may add, modify
or remove accounts as you require.

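# Load the SharePoint cmdlets used below (Set-SPManagedAccount,
# Get-SPEnterpriseSearchServiceApplication). The original swallowed a failed
# load with -ErrorAction SilentlyContinue, so a missing snap-in only surfaced
# later as "not recognized" errors part-way through a password rotation;
# stop here instead so nothing is changed in AD before the cmdlets are known
# to be available.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}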
 
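function Set-AdUserPwd
{
<#
.SYNOPSIS
    Sets the same new password on every AD account given as a distinguished name.
.PARAMETER users
    Distinguished names such as "cn=SPFarm,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com";
    each one is bound as LDAP://<dn> with the caller's credentials.
.PARAMETER password
    The new password in clear text; it is passed straight to the ADSI SetPassword call.
.NOTES
    Each account is handled independently: a failure on one account is reported
    with Write-Error and the remaining accounts are still processed. If any account
    could not be updated the function throws at the end instead of printing
    "All done.", so the caller does not go on to tell SharePoint to use a
    password that was never set in AD.
    An empty password is refused outright.
#>
[CmdletBinding()]
Param(
    [string[]]$users,
    [string]$password
)

    if ([string]::IsNullOrEmpty($password)) {
        throw "Set-AdUserPwd: refusing to set an empty password."
    }

    write-host "Change AD passwords for system accounts"

    $failed = @()
    foreach ($thisAccount in $users) {
        if ([string]::IsNullOrEmpty($thisAccount)) { continue }

        write-host "`tChange password for" $thisAccount

        try {
            $oUser = [adsi]"LDAP://$thisAccount"
            # IADsUser.SetPassword is reached via psbase because the PowerShell
            # ADSI adapter does not expose it directly.
            $oUser.psbase.invoke("SetPassword", $password)
            $oUser.psbase.CommitChanges()
        }
        catch {
            Write-Error ("Failed to change password for {0}: {1}" -f $thisAccount, $_.Exception.Message)
            $failed += $thisAccount
        }
    }

    if ($failed.Count -gt 0) {
        throw ("Password not changed for {0} account(s): {1}" -f $failed.Count, ($failed -join ", "))
    }

    write-host "All done."
}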
 
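function ChangePasswordForManagedAccounts
{
<#
.SYNOPSIS
    Updates the password SharePoint holds for each managed account.
.PARAMETER newPassword
    The password in clear text; converted to a SecureString for Set-SPManagedAccount.
.PARAMETER accounts
    Managed account names in DOMAIN\user form.
.PARAMETER UseExisting
    $true  - the password has already been changed in AD (e.g. by Set-AdUserPwd),
             so SharePoint is told to use it (-UseExistingPassword).
    $false - SharePoint is asked to set the new password itself (-SetNewPassword).
.NOTES
    Each account is handled independently; failures are reported with Write-Error
    and the function throws at the end if any account was not updated.
    An empty password is refused outright.
#>
[CmdletBinding()]
param(
    [string] $newPassword,
    [string[]]$accounts,
    [bool] $UseExisting
)

    if ([string]::IsNullOrEmpty($newPassword)) {
        throw "ChangePasswordForManagedAccounts: refusing to set an empty password."
    }

    $newPw = ConvertTo-SecureString $newPassword -AsPlainText -Force

    write-host "Change Managed account passwords"

    $failed = @()
    foreach ($thisAccount in $accounts) {
        if ([string]::IsNullOrEmpty($thisAccount)) { continue }

        write-host "`tChange password for managed account" $thisAccount

        # Build the argument set once and splat it. The original used backtick
        # line continuations, one of which was followed by a blank line, which is
        # fragile to edit. ($args is an automatic variable, hence $spArgs.)
        $spArgs = @{
            Identity    = $thisAccount
            Confirm     = $false
            ErrorAction = 'Stop'
        }
        if ($UseExisting) {
            $spArgs.ExistingPassword    = $newPw
            $spArgs.UseExistingPassword = $true
        }
        else {
            $spArgs.NewPassword         = $newPw
            $spArgs.ConfirmPassword     = $newPw
            $spArgs.SetNewPassword      = $true
        }

        try {
            Set-SPManagedAccount @spArgs
        }
        catch {
            Write-Error ("Failed to update managed account {0}: {1}" -f $thisAccount, $_.Exception.Message)
            $failed += $thisAccount
        }
    }

    if ($failed.Count -gt 0) {
        throw ("Managed account not updated for {0} account(s): {1}" -f $failed.Count, ($failed -join ", "))
    }

    write-host "All done."
}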
 
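function DefaultContentAccessAccountPassword
{
<#
.SYNOPSIS
    Sets the password of the default content access (crawl) account of a search
    service application.
.PARAMETER searchAppName
    Display name of the search service application, e.g. "Search Service Application".
.PARAMETER account
    The crawl account in DOMAIN\user form.
.PARAMETER password
    The password in clear text; converted to a SecureString for SetDefaultGatheringAccount.
.NOTES
    Throws if the search service application cannot be found, instead of letting
    New-Object fail on a $null argument with a less obvious message.
#>
[CmdletBinding()]
param(
    [string] $searchAppName,
    [string] $account,
    [string] $password
)
    if ([string]::IsNullOrEmpty($password)) {
        throw "DefaultContentAccessAccountPassword: refusing to set an empty password."
    }

    write-host "Change Default content access account password for" $account

    $searchapp = Get-SPEnterpriseSearchServiceApplication -Identity $searchAppName -ErrorAction Stop
    if ($searchapp -eq $null) {
        throw "Search service application '$searchAppName' was not found."
    }

    $content = New-Object Microsoft.Office.Server.Search.Administration.Content($searchapp)
    $content.SetDefaultGatheringAccount(
        $account,
        (ConvertTo-SecureString $password -AsPlainText -Force))
}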
 
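#
# ### YOU NEED TO SET THESE
#
# Distinguished names of the AD accounts whose passwords are changed directly
# in AD by Set-AdUserPwd (each is bound as LDAP://<dn>).
# NB: the original list ended with a trailing comma, which PowerShell rejects
# with "Missing expression after ','"; the last entry must not have one.
$systemAccounts = @(
                    "cn=sql-svc,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com",
                    "cn=SpUps,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com",
                    "cn=SPServices,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com",
                    "cn=SPSearch,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com",
                    "cn=SPObjCacheSuper,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com",
                    "cn=SPObjCacheRead,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com",
                    "cn=SPMySiteAppPool,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com",
                    "cn=SPFarm,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com",
                    "cn=SPContent,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com",
                    "cn=SPAppPool,ou=YOUR_OU,dc=YOUR_DOMAIN,dc=com"
)

# SharePoint managed accounts (DOMAIN\user) that are told to use the password
# already set in AD above (-UseExisting $true in the call further down).
$managedAccounts = @(
                    "YOUR_NETBIOS_DOMAIN\SPFarm",
                    "YOUR_NETBIOS_DOMAIN\SPServices",
                    "YOUR_NETBIOS_DOMAIN\SPAppPool",
                    "YOUR_NETBIOS_DOMAIN\SPMySiteAppPool",
                    "YOUR_NETBIOS_DOMAIN\SPSearch"
)

# Display name of the search service application whose crawl account is updated.
$searchAppName = "Search Service Application"
# Farm account (passed to stsadm -o updatefarmcredentials).
$farmAccount = "YOUR_NETBIOS_DOMAIN\SPFarm"
# Default content access (crawl) account of the search service application.
$defaultSearchContentAccount = "YOUR_NETBIOS_DOMAIN\SPContent"

# The new password for every account above, in clear text. Replace the sample
# value before running and do not leave a real password in this file afterwards:
# it is also handed to stsadm on its command line further down.
$theNewPassword = "L3tM31n"

#
# ### STOP SETTING NOW
#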
 
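clear-host

# Refuse to run the rotation with an empty password: every step below would
# otherwise push "" into AD and SharePoint.
if ([string]::IsNullOrEmpty($theNewPassword)) {
    throw "theNewPassword is not set; fill in the ### YOU NEED TO SET THESE section."
}

# Change system account passwords in AD
#
set-AdUserPwd -users $systemAccounts -password $theNewPassword

# Managed account passwords
# -UseExisting $true: AD already holds the new password (set just above), so
# SharePoint is told to use it rather than change it again.
#
ChangePasswordForManagedAccounts -newPassword $theNewPassword -accounts $managedAccounts -UseExisting $true

# Default content access account
#
DefaultContentAccessAccountPassword -SearchAppName $searchAppName -account $defaultSearchContentAccount -password $theNewPassword

# Farm account
# stsadm is a native executable: its failure does not raise a PowerShell error,
# so its exit code ($LASTEXITCODE) is checked explicitly. The password is passed
# on its command line here, so run this from a session whose transcript /
# history you control.
#
write-host "Change farm account password" $farmAccount

stsadm -o updatefarmcredentials -userlogin $farmAccount -password $theNewPassword
if ($LASTEXITCODE -ne 0) {
    throw "stsadm -o updatefarmcredentials failed with exit code $LASTEXITCODE"
}

# its all over now
#
write-host "Remember to edit SQL service startup account password in `"Services`""
write-host "Remember to Restart profile sync service on central admin in `"Services on a server`""
write-host "Check out if SharePoint tracing service is running as a system account in `"Services`" make it local system"
write-host "All done."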

>Generating an AD hierarchy from PowerShell

>I had occasion to create an AD hierarchy via script and felt it would be a good place to start my PowerShell learning curve. What I produced, while not the most elegant code in the PowerShell world, nonetheless does what it says on the tin. You may find it useful.

No warranty whatsoever, of course 🙂 As ever, I'm happy to mail the code to interested people; just mail me.

XML file describing the hierarchy to create. This XML file describes one OU, two USERS and two GROUPS. The script creates the OU, then the GROUPS, then the USERS, and finally adds groups to groups and users to groups.

<xml>
<!--
This section describes the Active Directory domain and a few locations
-->
<ad>
<domain path="LDAP://ou=SomeOuToStartIn,dc=domain,dc=com" />
</ad>

<!--
This section lists any OUs to be created
-->
<ous>
<ou name="testingou" ouadspath="LDAP://ou=SomeOuToStartIn,dc=domain,dc=com" />
</ous>

<!--
This section describes users and groups to create
and the groups that users and/or groups should be added to
-->
<accounts>

<group name="group1" grouppath="LDAP://ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com" />
<group name="group2" grouppath="LDAP://ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com" />

<user name="testinguser1" password="p@55w0rd0" userpath="LDAP://ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com" />
<user name="testinguser2" password="p@55w0rd1" userpath="LDAP://ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com" />

<membership location="LDAP://cn=group2,ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com">
<memberof>
<group location="LDAP://cn=group1,ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com" />
</memberof>
</membership>

<membership location="LDAP://cn=testinguser1,ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com" >
<memberof>
<group location="LDAP://cn=group2,ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com" />
</memberof>
</membership>

<membership location="LDAP://cn=testinguser2,ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com">
<memberof>
<group location="LDAP://cn=group1,ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com" />
<group location="LDAP://cn=group2,ou=testingou,ou=SomeOuToStartIn,dc=domain,dc=com" />
</memberof>
</membership>

</accounts>
</xml>

PowerShell script to create the hierarchy


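## script to create AD OUs, groups and users
# and to add those users to predefined groups
#
# Usage:  .\<script>.ps1 [-Filename accounts.xml]
#
# The XML file lists the OUs, groups, users (with their initial passwords, in
# clear text) and group memberships to create; see the sample accounts.xml.
# The rendered listing used typographic quotes; plain ASCII quotes are used here.
#
Param ( $Filename = "accounts.xml")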

function reportStatus {
    param([string] $status)
    # Progress message on the debug stream; visible only when $DebugPreference allows it.
    Write-Debug -Message $status
}

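function createOu {
    # Creates ou=<ouname> directly beneath the container at $ouadspath
    # (an LDAP:// path). The object is only written to AD by SetInfo().
    param([string] $ouname, [string] $ouadspath)

    if ([string]::IsNullOrEmpty($ouname) -or [string]::IsNullOrEmpty($ouadspath)) {
        throw "createOu: an OU name and an LDAP parent path are both required."
    }
    Write-Debug -Message $ouname
    Write-Debug -Message $ouadspath

    $parent = [ADSI]$ouadspath
    $newOu = $parent.Create("organizationalUnit", "ou=" + $ouname)
    $newOu.SetInfo()
}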

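function createGroup {
    # Creates the group cn=<acname> beneath the container at $GroupPath
    # (an LDAP:// path) with sAMAccountName = <acname>. No groupType is set,
    # so whatever the directory applies by default is what you get.
    param([string] $acname, [string] $GroupPath)

    if ([string]::IsNullOrEmpty($acname) -or [string]::IsNullOrEmpty($GroupPath)) {
        throw "createGroup: a group name and an LDAP parent path are both required."
    }
    Write-Debug -Message $acname
    Write-Debug -Message $GroupPath

    $container = [ADSI]$GroupPath
    $newGroup = $container.Create("group", "cn=" + $acname)
    $newGroup.Put("sAMAccountName", $acname)
    $newGroup.SetInfo()
}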

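function createUser {
    # Creates the user cn=<acname> beneath $UserPath (an LDAP:// path), sets
    # its password and enables it. $password arrives in clear text (it is
    # stored that way in accounts.xml).
    # NOTE(review): sAMAccountName is not length-checked here; AD limits user
    # sAMAccountNames to 20 characters.
    param([string] $acname, [string] $UserPath, [string] $password)

    if ([string]::IsNullOrEmpty($acname) -or [string]::IsNullOrEmpty($UserPath)) {
        throw "createUser: a user name and an LDAP parent path are both required."
    }
    if ([string]::IsNullOrEmpty($password)) {
        throw "createUser: refusing to create '$acname' with an empty password."
    }
    Write-Debug -Message $acname
    Write-Debug -Message $UserPath

    $ADS_UF_NORMAL_ACCOUNT = 512

    $container = [ADSI]$UserPath
    $newUser = $container.Create("user", "cn=" + $acname)
    $newUser.Put("sAMAccountName", $acname)
    # The object has to exist in AD before a password can be set on it.
    $newUser.SetInfo()
    $newUser.SetPassword($password)
    $newUser.SetInfo()
    # Plain assignment (not OR-ing) replaces all userAccountControl flags, so the
    # account ends up as an ordinary enabled user whatever the create step defaulted.
    $newUser.userAccountControl = $ADS_UF_NORMAL_ACCOUNT
    $newUser.SetInfo()
}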

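function addAccountToGroup {
    # Adds the object at $aclocation (user or group, LDAP:// path) to the
    # group at $glocation. Membership is written by SetInfo().
    param([string] $aclocation, [string] $glocation)

    if ([string]::IsNullOrEmpty($aclocation) -or [string]::IsNullOrEmpty($glocation)) {
        throw "addAccountToGroup: both a member path and a group path are required."
    }
    Write-Debug -Message "$aclocation $glocation"

    $group = [ADSI]$glocation
    $member = [ADSI]$aclocation
    $group.Add($member.psbase.Path)
    $group.SetInfo()
}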

# main code entry point
#
# read the xml file containing account information
#
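# main code entry point
#
# read the xml file containing account information
#
# Resolve the path in PowerShell first: XmlDocument.Load() resolves a bare
# relative name against the process working directory, which is not
# necessarily the PowerShell location. Resolve-Path also fails clearly when
# the file does not exist.
$xmlPath = (Resolve-Path -Path $Filename).Path
$xml = New-Object System.Xml.XmlDocument
# The accounts file is administrator-authored. With no resolver, a DOCTYPE or
# external entity reference in it is simply not fetched; this has no effect
# on the plain element/attribute document this script expects.
$xml.XmlResolver = $null
$xml.Load($xmlPath)

# the AD node has the LDAP path we will connect to
#
$AdNode = $xml.SelectSingleNode("xml/ad/domain")
if ($AdNode -eq $null) {
    Write-Error "No xml/ad/domain element found in $xmlPath"
    return
}

$AdPath = $AdNode.GetAttribute("path")
reportStatus ("Connecting to : " + $AdPath)

# Create any required OU's
# (the original chained this assignment through $AdNode, clobbering it)
#
$OuNode = $xml.SelectSingleNode("xml/ous")
if ($OuNode -eq $null) {
    Write-Error "No xml/ous element found in $xmlPath"
    return
}

reportStatus "Create OU's"
foreach ($ou in $OuNode.SelectNodes("ou")) {
    $ouname    = $ou.GetAttribute("name")
    $ouadspath = $ou.GetAttribute("ouadspath")
    createOu $ouname $ouadspath
}

# Account creation
#
$AcNode = $xml.SelectSingleNode("xml/accounts")
if ($AcNode -eq $null) {
    Write-Error "No xml/accounts element found in $xmlPath"
    return
}

# Process groups
#
reportStatus "Create Accounts: Groups"
foreach ($ac in $AcNode.SelectNodes("group")) {
    $acname    = $ac.GetAttribute("name")
    $GroupPath = $ac.GetAttribute("grouppath")
    createGroup $acname $GroupPath
}

# Process Users
#
reportStatus "Create Accounts: User"
foreach ($ac in $AcNode.SelectNodes("user")) {
    $acname   = $ac.GetAttribute("name")
    $UserPath = $ac.GetAttribute("userpath")
    $Password = $ac.GetAttribute("password")   # clear text in the XML file
    createUser $acname $UserPath $Password
}

# Process memberships
# SelectNodes returns an empty list rather than $null when nothing matches,
# so the loop simply does nothing in that case.
#
reportStatus "Create Memberships"
$membnode = $xml.SelectNodes("xml/accounts/membership")

foreach ($ac in $membnode) {
    $aclocation = $ac.GetAttribute("location")
    $gpsnode = $ac.SelectSingleNode("memberof")
    # A <membership> without a <memberof> child would otherwise fail on
    # calling SelectNodes on $null.
    if ($gpsnode -eq $null) { continue }

    foreach ($grp in $gpsnode.SelectNodes("group")) {
        $glocation = $grp.GetAttribute("location")
        addAccountToGroup $aclocation $glocation
    }
}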