
Service: Can the DSC User Resource change existing user account passwords?

Open Rmpanga opened this issue 8 years ago • 7 comments

Situation: Let's say I updated a partial to have user account X use a new password Y. This user and password already exist on the target node, and there are existing services running with user X's credentials. Can DSC update the password of user X when I push the MOF?

Issues: When I tried to do this, I have gotten password incorrect errors when I execute Start-DSCConfiguration, and the services using the changed user account stop running.

System Information: OS Name: Microsoft Windows Server 2012 R2 Standard, Version 6.3.9600 Build 9600

Rmpanga, Sep 20 '17 20:09

Sorry that you haven't gotten an answer for so long. With the current implementation of the resource Service it will not update the password unless the username changes. As long as the username is the same the Service resource is in desired state. So currently it is not possible to change the password of a user account and at the same time update the account that the service is run under.

johlju, Apr 30 '18 12:04

I also just tried this and the password was definitely changed even though the user name stayed the same.

pluggy, Aug 05 '19 08:08

Did you call Set-TargetResource directly? Because the only thing I see in the Test-TargetResource is this, and it does not return $false unless the username changes. 🤔

https://github.com/PowerShell/PSDscResources/blob/fa1494c98cd62bc4f8514d4cccc4803c5da60569/DscResources/MSFT_ServiceResource/MSFT_ServiceResource.psm1#L558-L567

But calling Set-TargetResource directly will run this, which sets the password.

https://github.com/PowerShell/PSDscResources/blob/fa1494c98cd62bc4f8514d4cccc4803c5da60569/DscResources/MSFT_ServiceResource/MSFT_ServiceResource.psm1#L310-L314

johlju, Aug 05 '19 09:08

All I did was to add the following to my configuration:

    User Setup_Admin_Account
    {
        UserName             = $ConfigurationData.NonNodeData.AdminLogin
        PasswordNeverExpires = $true
        Ensure               = 'Present'
        Password             = $FinalAdminCredentials
    }

where the $FinalAdminCredentials variable contains a System.Management.Automation.PSCredential object.

pluggy, Aug 05 '19 10:08

It's not a problem for me, btw. In fact I am using this to reset the admin password on my servers. I just found this thread by coincidence and wanted to report my finding.

pluggy, Aug 05 '19 10:08

Ah, but will that password change also work for a service that is running as that user? The password does not need to be updated on the service as well? 🤔

Thank you for commenting on the issue, appreciate it! 🙂

johlju, Aug 05 '19 10:08

It definitely changes the password, at least it worked on my Windows Server 2016 servers. The only caveat is that it will throw some errors if changing the credentials of the user account that is used for the CIMSession that I published / started the configuration with. But the password change still works despite all the error messages. I am using it at the very end of some lengthy configurations for bootstrapping new servers, so I don't mind the error at the end.

pluggy, Aug 05 '19 16:08
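
Added example, not part of the thread and not PSDscResources code: the comments above say the Service resource treats a service as in desired state while the username is unchanged, and ask whether the password must also be updated on the service. One way to push a rotated password to every service that logs on as that account is the Win32_Service Change CIM method. The function name Update-ServiceLogonPassword and the account '.\svc-app' are hypothetical.

```powershell
# Added example; Update-ServiceLogonPassword is a hypothetical helper name.
function Update-ServiceLogonPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Account exactly as stored in the service's StartName,
        # e.g. '.\svc-app' for a local account or 'CONTOSO\svc-app'.
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential] $Credential
    )

    # Every service whose logon account is the one whose password was changed.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq $Credential.UserName }

    foreach ($service in $services) {
        if (-not $PSCmdlet.ShouldProcess($service.Name, 'Update stored logon password')) {
            continue
        }

        # Win32_Service.Change stores the new password in the service
        # control manager; parameters left out are not modified.
        # The plaintext password exists in memory only for this call.
        $result = Invoke-CimMethod -InputObject $service -MethodName Change -Arguments @{
            StartName     = $service.StartName
            StartPassword = $Credential.GetNetworkCredential().Password
        }

        [pscustomobject]@{
            Service     = $service.Name
            State       = $service.State
            ReturnValue = $result.ReturnValue   # 0 means the change was accepted
        }
    }
}

# Usage (run elevated on the node): preview first, then apply.
# $cred = Get-Credential -UserName '.\svc-app' -Message 'New password'
# Update-ServiceLogonPassword -Credential $cred -WhatIf
# Update-ServiceLogonPassword -Credential $cred
```

A service that is already running keeps its current logon session; the stored password is used the next time the service starts.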