I recently had a customer ask me how to do this, so I wrote this little article and thought I would share it with you.
There will be two times when you want to reset passwords in MOSS.
In either case the steps are the same. The fantastic article KB934838 covers the steps in detail and even has a script that you can take and set up for your environment, so there is no reason for me to go over it except to say: read the article.
The commands that are primary to this are:
Stsadm -o updatefarmcredentials
Stsadm -o updateaccountpassword
Stsadm -o spsearch
Stsadm -o editssp
Stsadm -o osearch
And in least-privilege farms you have some extra steps that you need to follow to ensure that this works.
We grew the functionality in this area by several steps. We have introduced Managed Accounts, which means that we store both the username and password in the configuration database for the service accounts. This also ensures that we keep the objects in IIS and the OS up to date through syncing.
Then, using this idea of a Managed Account, we have set up several different methods to change the passwords and have that update the App Pools, etc. By going to /_admin/EditAccount.aspx we see we have the following
This allows you either to change the password through SharePoint to something new (a random password or something you choose) or to use an existing password.
This section is good to use if your password has already expired or is about to expire.
Automatic Password Change
This allows you to stop worrying about password changes altogether, and allow SharePoint to manage them for you. I highly recommend that you test this and make sure it will work for you. Here are some gotchas that I have noticed
There are of course PowerShell commands that can help you automate these steps or, if you have an issue, get you out of a bind.
Set-SPManagedAccount - This PowerShell command will be the one you use the most; using this cmdlet with different switches you can cover all the situations above. Here are some examples
To change the password to something new, use
Set-SPManagedAccount -Identity Domain\User -NewPassword (ConvertTo-SecureString "P@ssword" -AsPlainText -Force) -SetNewPassword
To use an existing password
Set-SPManagedAccount -Identity Domain\User -ExistingPassword (ConvertTo-SecureString "P@ssword" -AsPlainText -Force)
Set SharePoint to manage password
Set-SPManagedAccount -identity Domain\User -AutogeneratePassword -EmailNotification 14 -PreExpireDays 7 -Schedule "Monthly between <dayofmonth> <Timeofdayinhh:mm:ss> and <dayofmonth> <Timeofdayinhh:mm:ss>"
Repair-SPManagedAccountDeployment - This PowerShell command is used when you have set up the automatic password change and it has worked on Server A but not Server B; running the command locally on Server B will re-sync all of the App Pools on that server.
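The "change the password to something new" case above, written so the password is prompted for instead of being typed in plain text on the command line, where it would end up in saved scripts and transcripts. This is an added example, not part of the original article; CONTOSO\svc-sp-apppool is a placeholder account name, and the script assumes it is run by a farm administrator on a farm server.

```powershell
# Added example, not from the original article.
# Assumption: run in the SharePoint 2010 Management Shell (or any PowerShell
# session on a farm server) by a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$identity = 'CONTOSO\svc-sp-apppool'   # placeholder managed account name

# Fail early if the account is not registered as a managed account.
$account = Get-SPManagedAccount -Identity $identity -ErrorAction Stop

# Prompt twice. Input is masked and is held as a SecureString, so the
# password never appears as a literal in the script or the console.
$new     = Read-Host -AsSecureString "New password for $identity"
$confirm = Read-Host -AsSecureString "Confirm new password"

try {
    # Same operation as the -NewPassword / -SetNewPassword example above.
    Set-SPManagedAccount -Identity $account `
                         -NewPassword $new `
                         -ConfirmPassword $confirm `
                         -SetNewPassword
}
finally {
    # Release the in-memory copies whether or not the change succeeded.
    $new.Dispose()
    $confirm.Dispose()
}

# Check what the farm now records for the account.
Get-SPManagedAccount -Identity $identity |
    Select-Object Username, PasswordExpiration, AutomaticChange

# If one server is still running with the old credentials, run this
# locally on that server to re-sync it:
# Repair-SPManagedAccountDeployment
```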
Configure automatic password change (SharePoint Server 2010)
Plan automatic password change (SharePoint Foundation 2010)