SharePoint (2003 thru Online): Recover Lost Service Account Passwords from SHAREPOINT 2010

Friday, May 22, 2015

Recover Lost Service Account Passwords from SHAREPOINT 2010

(We can only recover passwords for Service accounts used to run App Pools.)

Somehow we missed getting a few Service Account passwords during knowledge transfer when the previous SharePoint Administrator was leaving the company, and the guy who created the Service Account forgot to update the Password Vault.

For MOSS 2007, we have a tool called SharePoint Documentation Generator with which we can retrieve the Identity & Passwords from the Application Pools. As some internal mechanism changed in the newer versions, we cannot use this tool in SP 2010 and 2013.

Luckily, we found a couple of App Pools running with this Service Account.



Ran Windows PowerShell as Administrator, entered the command below, and pressed Enter.

cmd.exe /c $env:windir\system32\inetsrv\appcmd.exe list apppool "<Name of the App Pool>" /text:ProcessModel.Password

As shown below.



(^‿^) ... got the password. 

Tried for other service accounts also.

This time updated the Passwords in the Password Vault :)

__________________________________________________________

Finding used accounts on SharePoint 201 Farm.


Service Application Pool accounts
Using the cmdlet
Get-SPServiceApplicationPool
gives you both service application pool name and process account name.
-------------------------------------------
Service Application accounts
To find out what service application pools are used for a given service application use this command:
Get-SPServiceApplication | select -expand applicationpool -EA 0
Note that -EA 0 (-ErrorAction SilentlyContinue) swallows the errors raised because not all service applications are web based (that is, inherit from SPIisWebServiceApplication).
-----------------------------------------
Service Instance accounts
The command to get these is a bit long-winded because some identities are managed and some are not:
Get-SPServiceInstance | select -expand service | % { if ( $_.ProcessIdentity -and $_.ProcessIdentity.GetType() -eq "String") { $_.ProcessIdentity } elseif ( $_.ProcessIdentity ) { $_.ProcessIdentity.UserName }}
-----------------------------------------
Services
Get-Process output does not show which accounts the services are running under. Getting this information requires us to dig a bit deeper.
Fire up PowerShell and type in the following:
Get-WmiObject -Query "select * from win32_service where name LIKE 'SP%v4'" | select name, startname


Other processes end with "14":
Get-WmiObject -Query "select * from win32_service where name LIKE '%14'" | select name, startname
-----------------------------------------
Object cache accounts
These accounts are used for accessing cached data. Not setting them causes a performance overhead as explained here.
The values are stored in the Web Application properties and can be fetched like this:
Get-SPWebApplication | % { $_.Properties["portalsuperuseraccount"] }
Get-SPWebApplication | % { $_.Properties["portalsuperreaderaccount"] }

----------------------------------------
Search crawler account 
Setting this account can be done using Set-SPEnterpriseSearchServiceApplication -DefaultContentAccessAccountName, but querying it is a bit tricky:
New-Object Microsoft.Office.Server.Search.Administration.content $(Get-SPEnterpriseSearchServiceApplication) | Select DefaultGatheringAccount
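
The account queries above can be combined into one inventory to reconcile against the Password Vault. This is an added example, not code from the original post: the function names New-AccountRecord and Get-FarmAccountInventory and the output file name are hypothetical, and the script reports account names only, never passwords.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Run in the SharePoint 2010 Management Shell (PowerShell 2.0) as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-AccountRecord($Source, $Name, $Account) {
    # Emit a record only when an account is actually set
    if ($Account) {
        New-Object PSObject -Property @{ Source = $Source; Name = "$Name"; Account = "$Account" }
    }
}

function Get-FarmAccountInventory {
    # Service application pools
    Get-SPServiceApplicationPool | ForEach-Object {
        New-AccountRecord 'ServiceAppPool' $_.Name $_.ProcessAccountName
    }
    # Service instances: ProcessIdentity is a string or an object with UserName
    Get-SPServiceInstance | Select-Object -ExpandProperty Service | ForEach-Object {
        $id = $_.ProcessIdentity
        if ($id -is [string]) { New-AccountRecord 'ServiceInstance' $_.TypeName $id }
        elseif ($id)          { New-AccountRecord 'ServiceInstance' $_.TypeName $id.UserName }
    }
    # Windows services on this server only (repeat on every farm server)
    Get-WmiObject -Query "select * from win32_service where name LIKE 'SP%v4' or name LIKE '%14'" |
        ForEach-Object { New-AccountRecord 'WindowsService' $_.Name $_.StartName }
    # Object cache accounts per web application
    Get-SPWebApplication | ForEach-Object {
        New-AccountRecord 'ObjectCacheSuperUser'   $_.DisplayName $_.Properties['portalsuperuseraccount']
        New-AccountRecord 'ObjectCacheSuperReader' $_.DisplayName $_.Properties['portalsuperreaderaccount']
    }
    # Search crawler (default content access) account
    Get-SPEnterpriseSearchServiceApplication | ForEach-Object {
        $content = New-Object Microsoft.Office.Server.Search.Administration.Content $_
        New-AccountRecord 'SearchCrawler' $_.Name $content.DefaultGatheringAccount
    }
}

# One row per account, listing every place it is used
Get-FarmAccountInventory | Group-Object Account | Sort-Object Name | ForEach-Object {
    New-Object PSObject -Property @{
        Account = $_.Name
        UsedBy  = (($_.Group | ForEach-Object { "$($_.Source):$($_.Name)" } | Sort-Object -Unique) -join '; ')
    }
} | Select-Object Account, UsedBy | Export-Csv .\farm-accounts.csv -NoTypeInformation
```

Any account in the resulting CSV that has no matching vault entry is one to resolve before the next handover.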
