How to: Get your Managed Account passwords when they are changed automatically by SharePoint 2010

Scenario:

Using Managed Accounts the way SharePoint 2010 is designed, you let SharePoint change your service account passwords automatically. Then your farm gets into an inconsistent state, or you let SharePoint 2010 change the farm admin account's password and realize that you cannot start the UPS (User Profile Synchronization service) without knowing the farm account password. What do you do?

Resolution:

Run the following PowerShell command from the SharePoint 2010 Management Shell as a Farm Administrator:

function Bindings()
{
    # Reflection flags needed to read a private instance field.
    return [System.Reflection.BindingFlags]::CreateInstance -bor
        [System.Reflection.BindingFlags]::GetField -bor
        [System.Reflection.BindingFlags]::Instance -bor
        [System.Reflection.BindingFlags]::NonPublic
}

function GetFieldValue([object]$o, [string]$fieldName)
{
    # Read a non-public field (here m_Password on the managed account) by name.
    $bindings = Bindings
    return $o.GetType().GetField($fieldName, $bindings).GetValue($o)
}

function ConvertTo-UnsecureString([System.Security.SecureString]$string)
{
    # Copy the SecureString into unmanaged memory, read it back as plain text,
    # then zero and free the unmanaged copy.
    $unmanagedString = [System.Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($string)
    $unsecureString = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($unmanagedString)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($unmanagedString)
    return $unsecureString
}

# List every managed account with its current password in clear text.
Get-SPManagedAccount | select UserName, @{Name="Password"; Expression={ConvertTo-UnsecureString (GetFieldValue $_ "m_Password").SecureStringValue}}

The output is a table with a UserName column and a Password column, one row per managed account (the original post shows a screenshot).

Special Thanks:

Huge thanks to Microsoft for unveiling this nugget to us during a recent call to SharePoint CritSit support. Derek Martin, of Slalom Consulting, and my jaws collectively hit the floor when they showed us this one and we knew we couldn’t keep it to ourselves.
Update: Thanks to Todd Klindt for pointing out that the Live Writer Add-in that I have been using makes the code easily readable, but horrible to copy. Download the .ps1 file from here or the text file version from here rather than trying to copy from above and save yourself some time.

6 thoughts on “How to: Get your Managed Account passwords when they are changed automatically by SharePoint 2010”

  1. This script works great. However, when I log in using a farm account that is not a managed account and run the script, it returns the list of the managed accounts but the passwords all come back blank. Any idea why?

    I am running this>> Get-SPManagedAccount | select UserName, @{Name="Password"; Expression={ConvertTo-UnsecureString (GetFieldValue $_ "m_Password").SecureStringValue}}

    Thanks in advance.

    1. Check to make sure that the account you are attempting to run the script as has Farm Admin rights, not just log in rights to the box. This is a security feature, keeping the passwords secure from anyone but a Farm Admin.

  2. Great script, works flawlessly. This got me out of a jam today. This will be one of those scripts that I hold on to.

    Thanks again

  3. Hmmm, seems like all the more reason to remove the BUILTIN\Administrators group from the Farm Admins group. Otherwise, all someone needs to do is get themselves access as an admin on the box (plenty of ways to do that) and then they can run this to get all the managed accounts and their passwords. The sky’s the limit after that! (Eek!)
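
The two points raised in the comments (the command only returns passwords when run as a Farm Administrator, and BUILTIN\Administrators should not sit in that group) suggest a quick audit of who is actually in Farm Administrators. The following is an added example, not code from the original post or its comments: it reads the Farm Administrators group from the Central Administration site, flags any disallowed member, and reports whether the current shell user is a farm admin. It assumes the SharePoint 2010 Management Shell (PowerShell 2.0); the function names and the disallowed-member defaults are my own choices.

```powershell
# Added example (not from the original post). Audit the Farm Administrators
# group so you know who can run the password-recovery command above.
# Assumes the SharePoint 2010 Management Shell; the snap-in line is a no-op there.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-FarmAdministratorsGroup {
    # "Farm Administrators" is a SharePoint group on the Central Administration root web.
    $ca = Get-SPWebApplication -IncludeCentralAdministration |
          Where-Object { $_.IsAdministrationWebApplication }
    return $ca.Sites[0].RootWeb.SiteGroups["Farm Administrators"]
}

function Get-FarmAdminAudit {
    param(
        # Members that should not be Farm Admins (my defaults, not from the post).
        # BUILTIN\Administrators is the entry the third comment recommends removing;
        # S-1-5-32-544 is that group's well-known SID, so it is caught even if the
        # login name is rendered differently. -contains is case-insensitive.
        [string[]]$DisallowedLogins = @("BUILTIN\Administrators"),
        [string[]]$DisallowedSids   = @("S-1-5-32-544")
    )
    $group = Get-FarmAdministratorsGroup
    foreach ($member in $group.Users) {
        $flagged = ($DisallowedLogins -contains $member.LoginName) -or
                   ($DisallowedSids   -contains $member.Sid)
        # New-Object rather than [pscustomobject], which needs PowerShell 3.0.
        New-Object PSObject -Property @{
            LoginName     = $member.LoginName
            IsDomainGroup = $member.IsDomainGroup
            ShouldRemove  = $flagged
        }
    }
}

# Can the current shell user read the managed-account passwords at all?
"Current user is Farm Admin: " + (Get-SPFarm).CurrentUserIsAdministrator()

# Flagged members sort to the top.
Get-FarmAdminAudit | Sort-Object ShouldRemove -Descending |
    Format-Table LoginName, IsDomainGroup, ShouldRemove -AutoSize
```

Any row with ShouldRemove set to True is a member that every local administrator on the box inherits; remove it from Central Administration under Security, Manage the farm administrators group, and grant individual farm admin accounts instead, so that the password-recovery command above stays limited to the people meant to have it.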

Comments are closed.