In my last post I guided you through the process of creating the Active Directory accounts that will be used as SharePoint managed accounts. Now I’m going to get them in place and let SharePoint 2013 handle the passwords.
How does SharePoint 2013 handle the password change?
You can configure SharePoint to change the passwords of the required service accounts. This is done in the Central Administration of your farm. Once an account is configured for automatic password changes, SharePoint will change its password on the defined schedule. It will even react to the expiration of passwords. In most environments administrators set a policy that forces a password change after a defined time, so this helps to maintain the security and stability of your SharePoint farm. Even when no expiration policy is set, the passwords can be changed on a regular basis.
Whenever a password change is required, one server in the farm starts the process by notifying all other servers of an imminent password change. When all servers are ready for the password change, the server that started it fetches the password complexity settings of your domain. Once the server knows the password policy, it generates a password using a long, cryptographically strong random string.
When SharePoint 2013 fails to commit the password, it will retry. When it fails again, it will send a notification email to the administrator.
Creating the Script
Creating managed accounts using the SharePoint 2013 GUI is quite a time-consuming process. That is the reason why we automate it. When you add this script to your tool belt, you can save some time every time you need to install a new SharePoint 2013 deployment. We’re going to reuse the input file from the last post. That input file has all managed accounts you will need for a SharePoint 2013 Enterprise deployment (let us know if we missed one :-)).
The script we created will set the password change to run every Sunday at “high noon”. Feel free to adjust that for your deployment, but keep in mind that the password change can cause outages of services in the farm.
When you adjust the schedule, make sure it is in one of the following formats (please leave a comment if one of the formats isn’t working for you or if we missed a format):
- every 5 minutes between 0 and 59
- hourly between 0 and 59
- daily at 15:00:00
- weekly between Fri 22:00:00 and Sun 06:00:00
- weekly at Sun 12:00
- monthly at 15 15:00:00
- yearly at Jan 1 15:00:00
Make sure you adjust the parameters in the script to match your environment.
- [$netBiosDomain] – The NetBIOS domain name
- [$schedule] – The schedule for the password change
- [$initalPass] – The initial password used while creating the accounts
Execute the script and (in case everything worked out fine) you are ready to set up and configure your SharePoint environment.
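A sketch of such a registration script, added here as an example and not the script from the original post. It assumes the input file is a CSV with a SamAccountName column (the file name and column are hypothetical), uses CONTOSO as a placeholder domain, and prompts for the initial password instead of storing it in the script.

```powershell
# Added example, not the post's original script.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Parameters named in the post; the values below are placeholders.
$netBiosDomain = 'CONTOSO'
$schedule      = 'weekly at Sun 12:00'
# Prompting keeps the initial password out of the script file and shell history.
$initalPass    = Read-Host -Prompt 'Initial password of the accounts' -AsSecureString

# Assumption: CSV input file with a SamAccountName column (hypothetical layout).
$inputFile = '.\ManagedAccounts.csv'

foreach ($row in Import-Csv -Path $inputFile) {
    $userName = '{0}\{1}' -f $netBiosDomain, $row.SamAccountName

    # Reuse an existing registration so the script can be re-run safely.
    $account = Get-SPManagedAccount | Where-Object { $_.Username -eq $userName }

    if (-not $account) {
        $credential = New-Object System.Management.Automation.PSCredential ($userName, $initalPass)
        try {
            $account = New-SPManagedAccount -Credential $credential -ErrorAction Stop
        }
        catch {
            # Typical causes: wrong initial password or an account missing in AD.
            Write-Warning "Could not register ${userName}: $($_.Exception.Message)"
            continue
        }
    }

    # Let SharePoint generate the passwords on the chosen schedule.
    Set-SPManagedAccount -Identity $account -AutoGeneratePassword -Schedule $schedule -Confirm:$false
    Write-Output "Configured $userName with schedule '$schedule'"
}
```

Get-SPManagedAccount lists the registered accounts afterwards, so you can confirm that every account from the input file is present before you continue with the farm setup.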
Reference
New-SPManagedAccount
Set-SPManagedAccount
Bye Rene