Rotating Local Passwords used by Services

Every service that runs in a Windows environment has an associated Log On account that is used to start it. When the password for this account is rotated, the password must also be updated in the service configuration, or the service will no longer be able to start. The same applies to any task in Windows Task Scheduler that includes a saved password.

 


Windows Service Failed to Start – Incorrect Log On Password

 

XTAM supports password rotation for Windows Local and Domain accounts, and it can also check for and update the passwords associated with any Services Log On account or Windows Task Scheduler task. If you want to rotate the password for accounts associated with services or tasks, please continue reading.

 

Before we show the procedure, let’s first set the stage. In my environment, I have created three custom services, all set to run Automatically, with two configured with a Log On account xtamservice and one using the traditional Local System. This walkthrough describes the scenario where you want to rotate the password on the xtamservice account and subsequently update the Service’s Log On account with the newly rotated password. At the end, the password will rotate on the xtamservice account, its Service dependencies will be found by XTAM, the Log On account password will be updated with the new password and the service will remain Running (it can also be restarted without error).

 


 

  1. Create a new XTAM record using the Windows Host record type or any custom type you have that inherits from Windows Host.

  2. Enter a Name, Description (optional), Host and Port for the Windows host that has this Service running.

  3. In the User and Password fields, enter the User and Password that you wish to rotate and that has Service dependencies. In our example, this is the account xtamservice and its corresponding password.

    If you do not know the account’s password, please review our FAQ article for the Set Windows Password task.

  4. Click the Save and Return button.

  5. Open the record’s Task menu by selecting Manage > Tasks.

  6. Add the Task Password Reset Remote Windows with Service Dependencies to this record by using one of these two procedures:

    1. Add the Task directly to the record’s Record Type and allow inheritance to apply it to this record. This is the recommended approach.

    2. Make this record’s Task unique by clicking the Make Unique button and adding the task directly to this record.

  7. Once the task is applied, configure the task’s Policy to include the On Demand execution. In this example, we are going to execute the reset manually; however, you can configure any additional policies, including automated reset, as you need.

  8. In our scenario, our Service account xtamservice does not have Administrative or remote execution permissions on this host, so we will need to configure a Shadow Account that does have these permissions to execute this task. If your service account also has Administrative rights, you can skip this step.

  9. Click the Save button.

  10. Return to the record, open the Execute dropdown and select our Password Reset Remote Windows with Service Dependencies task.

  11. On the next page, accept the current password or generate a new one, and then click the Schedule Job button to begin.

  12. When the task executes, open the Job History tab and check the state. When the State is Complete, open the Details to ensure that the Services that used this account as their Log On account were updated.

  13. Optionally, connect to this host and manually restart one of the services to verify that it completes successfully.

Now that we have successfully configured, executed and tested the password reset and confirmed that the service is still functional, you may return to the Task and update its policy so that this process can be automated.
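The verification at the end of the procedure (confirming the dependent services were updated and restarting one) can also be scripted on the Windows host. The following PowerShell is an added example, not part of XTAM or the original article; it uses only built-in Windows cmdlets, and the parameter names and the one-hour lookback window are assumptions.

```powershell
# Added example: check the service and scheduled-task dependencies of a rotated account.
# Run in an elevated PowerShell session on the Windows host after the XTAM job completes.
param(
    [string]$Account = 'xtamservice',   # account from this walkthrough
    [int]$LookbackHours = 1,            # assumption: how far back to search the System log
    [switch]$Restart                    # restart each running dependent service as a live test
)

# Matches ".\xtamservice", "HOST\xtamservice", "DOMAIN\xtamservice" and "xtamservice@domain".
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

function Get-DependentService {
    # Services whose Log On account (StartName) is the rotated account.
    @(Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartName -match $pattern })
}

$services = Get-DependentService

# Scheduled tasks that run as the account with a saved password.
$tasks = @(Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -match $pattern -and
    "$($_.Principal.LogonType)" -in 'Password', 'InteractiveOrPassword'
})

if ($Restart) {
    foreach ($svc in ($services | Where-Object State -eq 'Running')) {
        try   { Restart-Service -Name $svc.Name -Force -ErrorAction Stop }
        catch { Write-Warning "Restart of $($svc.Name) failed: $($_.Exception.Message)" }
    }
    $services = Get-DependentService   # re-read state after the restarts
}

$services | Select-Object Name, StartName, StartMode, State | Format-Table -AutoSize
$tasks    | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize

# Service Control Manager events for the whole host (not only the services above):
# 7038 = logon with the configured password failed, 7000 = service failed to start.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7000, 7038; StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue)
$events | Select-Object TimeCreated, Id, Message | Format-List

# Fail if an Automatic service on this account is not running or a logon failure was logged.
$down = @($services | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' })
if ($down.Count -or $events.Count) {
    Write-Warning "$($down.Count) dependent service(s) not running, $($events.Count) failure event(s)."
    exit 1
}
```

Running it once before the rotation gives a baseline of which services and tasks depend on the account, which can then be compared against the Job History details.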