Team Foundation Server Service Account Password Changer Utility

Many of us on the Team Foundation Server customer support team at Microsoft maintain multiple TFS configurations for testing. One issue I have run up against is changing the TFS service account password when my domain account passwords expire. It gets time-consuming when you need to update service account and reporting account passwords on 5 or 10 TFS servers.

Consequently, I wrote a batch file to handle this, which is basically a wrapper for TFSAdminUtil. It is designed to be run by accessing the CMD file at a common UNC share from each application tier server (AT). The batch file handles finding the TFS installation folder, the TFS version, TFSAdminUtil, and the TFS service account, and prompts for a new service account password. On TFS 2008, it also prompts for a password for the reporting account, and in TFS 2005 it displays the Report Manager page in Internet Explorer.

There are 2 included VBScript files, which need to be in the same folder as the CMD file. GetAppPoolAccount.vbs finds the account the TFS AppPool runs under, and GetPW.vbs displays the password prompt dialog, which is an InputBox. In these VBScript files, I used Lee Harvey's mechanism for more reliably obtaining return values from my VBScript code. See <my.opera.com/Lee_Harvey/blog/2007/06/03/returning-an-errorlevel-from-wsh-vbscripts> on his blog, which was my source for this.

The batch file must be run on the AT itself, but you don't need to know the TFS installation folder or service account, or make a local copy of the batch file and VBS files.

Note that this utility makes changes to your TFS configuration, which could result in disabling your TFS installation. Please evaluate whether it fits your needs before running this on production TFS installations.

Here are basic instructions:

  1. Download and extract the contents of the attached zip file. 
  2. On the AT, log in as a member of the local admin group. It is best to use the "TFS Setup Account".
  3. Run ChangeTFSPasswords.cmd from a shortcut or from Windows Explorer. It is OK to run from a UNC share. On Server 2008, you must right-click and select "Run as administrator". Do not run it from a command prompt window, as this breaks the mechanism I use to detect the path where the CMD and VBS files reside.
  4. It should detect and then display the service account. When it asks whether you want to change the password, type y, then press Enter.
  5. When prompted, type the password, then click OK. (I'm sorry the password is not replaced with * characters; this is a standard InputBox() function call.)
  6. It will run the appropriate TFSAdminUtil ChangePassword command to change the password.
  7. For Reporting Account passwords:
    • On TFS 2005, the Reporting Services Management page is displayed in IE, so you can change the report account passwords.
    • On TFS 2008, it will detect, and change, the report account password, with steps similar to steps 4 through 6 above. For reporting accounts it uses TFSAdminUtil Status to detect the reporting account, and the new-to-TFS 2008 command TFSAdminUtil ChangeAccount /ra to make the change.
  8. At completion on TFS 2008, it will display the TFSAdminUtil ConfigureConnections output for reference.

Notes:

  1. If you are running TFS 2008 and using a built-in account such as Network Service as the service account, it will not allow you to change the password. You will still be prompted to change the report account password subsequently.
  2. I recommend making a shortcut to a single copy of the CMD file from each AT, so you can run it on each when you need to. Being able to update the associated utility files in a single spot was important for me.
  3. These depend on a working version of TFS, so you may get a failure if you don't have permissions, the DT cannot be contacted, etc.
  4. The CMD and the 2 VBS files are required. If you play around with editing the files, keep in mind that the code depends on the CMD file and the 2 VBS files having the names I have given them, so don't rename them.
  5. It doesn't hurt anything if you change the password to the same password, if you just want to test.
  6. This is a batch file, so it has some limitations inherent to batch files. Certain password characters, like spaces, &, or ! characters, may make the batch file fail.
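
Note 6 can be checked before a new service account password is chosen. The following PowerShell script is an added example, not part of the original utility or its zip file: it reads a candidate password with masked input and reports which characters cmd.exe treats specially, without echoing the password. `Test-BatchSafePassword` is a hypothetical helper name, and the character list beyond the space, & and ! named above is cmd.exe's general set of special characters, an assumption about what the batch file is sensitive to rather than something taken from its code.

```powershell
# Added example: pre-check a candidate password for cmd.exe special characters.
# Test-BatchSafePassword is a hypothetical helper, not part of the utility.
function Test-BatchSafePassword {
    param([string]$Password)

    # Characters cmd.exe interprets when they appear unquoted in a batch file.
    $special = @{
        ' ' = 'splits the value into separate arguments'
        '&' = 'command separator'
        '!' = 'delayed variable expansion marker (when enabled)'
        '%' = 'variable expansion marker'
        '^' = 'escape character'
        '|' = 'pipe'
        '<' = 'input redirection'
        '>' = 'output redirection'
        '"' = 'quote toggle'
    }

    # Emit one object per distinct problem character; never emit the password.
    $seen = @{}
    foreach ($c in $Password.ToCharArray()) {
        $key = [string]$c
        if ($special.ContainsKey($key) -and -not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            New-Object PSObject -Property @{ Character = $key; Reason = $special[$key] }
        }
    }
}

# Masked prompt, unlike the InputBox() dialog the utility uses.
$secure = Read-Host -Prompt 'Candidate service account password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $problems = Test-BatchSafePassword -Password $plain
} finally {
    # Wipe the unmanaged plaintext copy as soon as the check is done.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

if ($problems) {
    Write-Warning 'This password contains characters the batch file may mishandle:'
    $problems | Format-Table Character, Reason -AutoSize
} else {
    Write-Host 'No cmd.exe special characters found in the candidate password.'
}
```
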

Enjoy!

TFSPasswordChanger.zip