Continuing with our coverage of managing services with PowerShell, let’s look at some common tasks with the service account. I introduced the method for changing a service via WMI in Part 6. Let’s look at it again, specifically thinking about the service account.

Using WMI ^

To change the service account password, we first need a reference to the service object. And I’m assuming this is a service with user-type account. I’m going to use this service for my demonstration.

PS C:\> get-wmiobject win32_service -filter "name='yammmsvc'" | Select name,startname

name                                              startname
----                                              ---------
YammmSvc                                          .\Jeff

If you recall from Part 6 I can use the Change() method to modify the service account password. You’ll also recall that when using Invoke-WmiMethod, which I recommend, the method parameters don’t follow the documented order you’ll see in MSDN.

PS C:\> $svc = get-wmiobject win32_service -filter "name='yammmsvc'"
PS C:\> $svc.GetMethodParameters("change")

__GENUS                    : 2
__CLASS                    : __PARAMETERS
__SUPERCLASS               :
__DYNASTY                  : __PARAMETERS
__RELPATH                  :
__PROPERTY_COUNT           : 11
__DERIVATION               : {}
__SERVER                   :
__NAMESPACE                :
__PATH                     :
DesktopInteract            :
DisplayName                :
ErrorControl               :
LoadOrderGroup             :
LoadOrderGroupDependencies :
PathName                   :
ServiceDependencies        :
ServiceType                :
StartMode                  :
StartName                  :
StartPassword              :
PSComputerName             :

The password is the 11th parameter. Unfortunately, this means I’ll need to insert null values for all the parameters that come before that I am NOT changing.

PS C:\> $svc | Invoke-WmiMethod -Name Change -ArgumentList
@($null,$null,$null,$null,$null,$null,$null,$null,$null,$null,"P@ssw0rd")

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 0
PSComputerName   :

A return value of 0 indicates success. But remember that the change won’t take effect until you restart the service. You already know how to do that in PowerShell, right? If not, go back through the earlier articles in this series.

If you want to change the account name all you need to do is specify it in the previous parameter.

PS C:\> $svc | Invoke-WmiMethod -Name Change -ArgumentList @($null,$null,$null,$null,$null,$null,$null,$null,$null,"LocalSystem","P@ssw0rd")

You will still need to set an initial password for system accounts.

Using CIM ^

I love using the new CIM cmdlets in PowerShell 3.0 for tasks like this because they are even easier to use. I’ll change the service account and password for the service again.

PS C:\> Get-CimInstance win32_service -filter "name='yammmsvc'" | Invoke-CimMethod -Name Change -Arguments @{StartName=".\Jeff";StartPassword="P@ssw0rd"}

Again, you’ll get a return code, hopefully of 0. Enter the startname in the format MACHINE\USERNAME or DOMAIN\USERNAME. In this case, Jeff is a local account. If you only want to change the password, all you need to do is adjust the argument hashtable. I don’t think it could get any easier.

I should also point out that you can execute the query and change with just Invoke-CimMethod. You don’t have to pipe an object to it.

PS C:\> Invoke-CimMethod -Name Change -Arguments {StartName=".\Jeff";StartPassword="P@ssw0rd"} -Query "Select * from Win32_Service where name='yammmsvc'" –Computername JeffPC

Even though I ran this locally, I went ahead and indicated how you could also connect to remote computers. If I had to make the same change for a service running on multiple computers it would be pretty easy.

PS C:\> Invoke-CimMethod -Name Change -Arguments @{StartPassword="P@ssw0rd"} -Query "Select * from Win32_service where name='MyCustomService'" –computername $computers | out-file c:\work\results.txt

In this command I’m resetting the password for the MyCustomService service running on all of the computers in the $computers variable. Results are saved to a text file which will show the result code and computername. Of course, the services still need to be restarted for the change to take affect.

Summary ^

If you need to manage a service account, you’ll need to use WMI. Either through the WMI cmdlets or the new CIM cmdlets. Frankly, the latter are much easier to use. While I’ve shown you interactive commands, if this is a task you need to do frequently it would be worth your time to wrap this functionality into a PowerShell advanced function. With a function you can add things like logging, error handling, support for WhatIf, processing multiple computers and more.

Subscribe to 4sysops newsletter!

The next post this series will cover PowerShell Eventing.

2 Comments
  1. Rishi 7 years ago

    How do I use "securestring" in the CIM-Method. I am trying to do something like this ...
    $newPassword = Read-Host -Prompt "Provide New Password for _SA1" -AsSecureString
    Set-ADAccountPassword -Identity _SA1 -NewPassword $newPassword -Reset
    $service = 'MSSQL$SQLEXPRESS'
    Get-CimInstance win32_service -filter "name='$service'" | Invoke-CimMethod -Name Change -Arguments @{StartName="_SA1@abc.local";StartPassword="$newPassword"}

    While I get return code 0 but when I try to start the service ,it fails with logon failure...
    Notice the StartPassword="$newPassword" in the last line.
    If I change it to StartPassword="P@ssw0rd"} ... here P@ssw0rd is the actual password ,all is green ... Why cant CIM pick up variables and use it ?

  2. Author

    The problem is that the WMI service class doesn't know what a secure string is. It is expecting a plain text password. You might have to prompt for a plain text password, which you can use with Invoke-CIMMethod and then convert it to a secure string to use with Set-ADAccountpassword.

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2022

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account