Change SharePoint Farm account
Use this PowerShell script to replace an existing managed account credential with a new managed account.
Introduction
Use this PowerShell script if you want to replace an existing managed account with a new managed account. This also applies to the farm account. The script scans the following items and replaces the user account wherever the old one is found:
• 1- SharePoint Services
• 2- SharePoint Service Applications App Pools
• 3- SharePoint Web application App Pools
An extra function, UpdateFarmCredentials, is included to update the farm account credentials (stsadm -o updatefarmcredentials) if need be; it is commented out at the end of the script by default.
I recommend resetting IIS (iisreset) after running this script so the application pools start under the new identity.
How to use the script
Run this script from an elevated PowerShell window (the SharePoint 2010 Management Shell, or a PowerShell session that loads the Microsoft.SharePoint.PowerShell snap-in) on one of the servers of the target farm, logged on with the farm administrator account.
At the end of the file make sure you replace the following variables with your desired values:
• 1- $OldUser (The old managed account you want to replace)
• 2- $NewUser (The new managed account you want to register and use)
• 3- $NewUserPassword (The new managed account password; only used by UpdateFarmCredentials. Do not leave a real password in the script file: read it at run time instead, for example with (Get-Credential $NewUser).GetNetworkCredential().Password.)
Please note
• The script may throw warnings if you use a local account in a farm deployment. You can ignore these warnings, but be aware that using local accounts is not recommended. You may also see errors when the change is deployed to some service applications; these can be ignored as well.
• The script registers the new managed account for you if it is not registered yet, and prompts you for the password, which SharePoint stores with the managed account.
• This script was written and tested on SharePoint 2010 only.
• Some users reported that the User Profile Service Application (UPA) stopped working after replacing the credentials.
Run this script at your own risk.
function Add-SPSnapin
{
    # Load the SharePoint 2010 cmdlets if the script was not started from the SharePoint Management Shell
    if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
    {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
        Write-Host "SharePoint PowerShell Snap-In added"
    }
}

function Normalize-Account($account)
{
    # Trim and lower-case a domain\user string so comparisons ignore casing and stray whitespace
    return "$account".Trim().ToLower()
}

function UpdateFarmCredentials($userName, $Password)
{
    # STSADM lives in the 14 hive on SharePoint 2010
    $stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\BIN\STSADM.EXE"
    trap { "Error updating farm credentials" }
    # Call stsadm directly instead of building a string for Invoke-Expression, so a password
    # containing quotes or $ cannot break out of the command. The password still appears on the
    # stsadm command line, where anyone who can list processes on this server can read it.
    & $stsadm -o updatefarmcredentials -userlogin $userName -password $Password
    if ($LASTEXITCODE -ne 0)
    {
        Write-Warning "stsadm updatefarmcredentials exited with code $LASTEXITCODE"
    }
}

function Ensure-SPAccount($userName)
{
    Add-SPSnapin
    if (Get-SPManagedAccount | Where-Object { $_.UserName -eq $userName })
    {
        # Managed account already registered
        Write-Host "Managed Account: $userName exists"
    }
    else
    {
        # Prompt for the password and register the account; SharePoint stores the credential
        $credential = Get-Credential -Credential $userName
        New-SPManagedAccount -Credential $credential
    }
}

function Get-SPServiceIdentity()
{
    # List every SharePoint Windows service instance with the account it runs as
    Add-SPSnapin
    foreach ($ser in Get-SPServiceInstance)
    {
        if ($ser.GetType().BaseType.Name -eq "SPWindowsServiceInstance")
        {
            Write-Host "Service= " $ser.TypeName ", Identity=" $ser.Service.ProcessIdentity.UserName
        }
    }
}

function Replace-SPServiceIdentity($FromUser, $ToUser)
{
    Add-SPSnapin
    $fromUserLower = Normalize-Account $FromUser
    # Make sure the target account is registered as a managed account
    Ensure-SPAccount $ToUser
    foreach ($ser in Get-SPServiceInstance)
    {
        if ($ser.GetType().BaseType.Name -eq "SPWindowsServiceInstance" -and $ser.Service.ProcessIdentity.UserName -ne $null)
        {
            if ((Normalize-Account $ser.Service.ProcessIdentity.UserName) -eq $fromUserLower)
            {
                Write-Host "Updating Service= " $ser.TypeName
                $ser.Service.ProcessIdentity.UserName = $ToUser
                $ser.Service.ProcessIdentity.Update()
                # Deploy pushes the new identity to the Windows service on every server in the farm
                $ser.Service.ProcessIdentity.Deploy()
            }
        }
    }
}

function ReplaceServiceAppsApplicationPoolIdentity($FromUser, $ToUser)
{
    Add-SPSnapin
    $fromUserLower = Normalize-Account $FromUser
    # Make sure the target account is registered as a managed account
    Ensure-SPAccount $ToUser
    # Replace service application pool identities
    foreach ($appPool in Get-SPServiceApplicationPool)
    {
        if ((Normalize-Account $appPool.ProcessAccountName) -eq $fromUserLower)
        {
            Write-Host "Updating" $appPool.Name "..."
            Set-SPServiceApplicationPool $appPool -Account $ToUser
        }
    }
}

function ReplaceWebAppsApplicationPoolIdentity($FromUser, $ToUser)
{
    Add-SPSnapin
    $fromUserLower = Normalize-Account $FromUser
    # Make sure the target account is registered as a managed account
    Ensure-SPAccount $ToUser
    # Replace web application pool identities
    foreach ($WebApp in Get-SPWebApplication)
    {
        $appPool = $WebApp.ApplicationPool
        if ((Normalize-Account $appPool.ManagedAccount.UserName) -eq $fromUserLower)
        {
            Write-Host "Updating '" $WebApp.Url "' web app application pool identity..."
            $id = Get-SPManagedAccount $ToUser
            $appPool.ManagedAccount = $id
            $appPool.Update()
        }
    }
}

# Replace these values before running (see "How to use the script"); the values below are placeholders
$OldUser = "rk\spmanagedac1"        # managed account being replaced
$NewUser = "rk\spmanagedac2"        # account that takes over; must differ from $OldUser or nothing is changed
$NewUserPassword = "password01"     # only used by UpdateFarmCredentials; do not leave a real password in this file,
                                    # read it at run time instead: (Get-Credential $NewUser).GetNetworkCredential().Password
# Uncomment to change the farm account itself (stsadm -o updatefarmcredentials)
#UpdateFarmCredentials $NewUser $NewUserPassword
Replace-SPServiceIdentity $OldUser $NewUser
ReplaceServiceAppsApplicationPoolIdentity $OldUser $NewUser
ReplaceWebAppsApplicationPoolIdentity $OldUser $NewUser
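As an added example (not part of the original script or its author's code), the following post-run check walks the same three places the script touches, plus the farm account, reports anything still bound to the old account, and only resets IIS when nothing is left. It uses the SharePoint 2010 cmdlets the script already relies on; the function name Get-SPAccountReferences, the placeholder account value, and the farm-account lookup through (Get-SPFarm).DefaultServiceAccount.Name are assumptions of this example rather than something the page states.

```powershell
# Added example: verify that no farm component still runs as the old account.
# Run from an elevated PowerShell on a farm server, as the farm administrator.
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-SPAccountReferences($account)
{
    # Returns a list of human-readable locations where $account is still in use.
    $wanted = "$account".Trim().ToLower()
    $hits = @()

    # Farm account (the one UpdateFarmCredentials changes).
    # Assumption: SPFarm.DefaultServiceAccount.Name holds the farm account as domain\user.
    $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
    if ("$farmAccount".ToLower() -eq $wanted) { $hits += "Farm account" }

    # Windows services run by SharePoint (what Replace-SPServiceIdentity changes),
    # reported per server because ProcessIdentity.Deploy() has to reach every box.
    foreach ($ser in Get-SPServiceInstance)
    {
        if ($ser.GetType().BaseType.Name -eq "SPWindowsServiceInstance" -and $ser.Service.ProcessIdentity -ne $null)
        {
            if ("$($ser.Service.ProcessIdentity.UserName)".ToLower() -eq $wanted)
            {
                $hits += "Service: $($ser.TypeName) on $($ser.Server.Name)"
            }
        }
    }

    # Service application pools (what ReplaceServiceAppsApplicationPoolIdentity changes)
    foreach ($pool in Get-SPServiceApplicationPool)
    {
        if ("$($pool.ProcessAccountName)".ToLower() -eq $wanted)
        {
            $hits += "Service app pool: $($pool.Name)"
        }
    }

    # Web application pools, including Central Administration, which the
    # original script skips because Get-SPWebApplication hides it by default.
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration)
    {
        if ("$($webApp.ApplicationPool.ManagedAccount.UserName)".ToLower() -eq $wanted)
        {
            $hits += "Web app pool: $($webApp.ApplicationPool.Name) ($($webApp.Url))"
        }
    }

    return $hits
}

$OldUser = "rk\spmanagedac1"   # placeholder: the account you just replaced

# Wrap in @() so an empty result is a zero-length array rather than $null
$remaining = @(Get-SPAccountReferences $OldUser)
if ($remaining.Count -eq 0)
{
    Write-Host "No remaining references to $OldUser; resetting IIS"
    iisreset /noforce
}
else
{
    Write-Warning "$OldUser is still used by:"
    $remaining | ForEach-Object { Write-Warning "  $_" }
    Write-Warning "Fix these before resetting IIS, otherwise those pools will restart under the old account."
}
```

Central Administration is checked explicitly because the replacement script enumerates Get-SPWebApplication without -IncludeCentralAdministration, so its application pool is never updated by the script; if it shows up in the report, change it by hand (or add the switch to ReplaceWebAppsApplicationPoolIdentity) before the old account is disabled.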