How to Recover Passwords for SharePoint Managed Accounts

This post walks through how to recover the password of a SharePoint managed account. It is also a lesson for anybody who owns a SharePoint server: be careful who you let sit at your console, because anybody with local administrator rights on a server that hosts the account's application pool can read that password back in clear text. It is a good argument for the automatic password change feature as well, since a recovered password is only useful until the next rotation. The process itself isn't intuitive and mixes a few technologies, but every piece used in this post is documented well enough on the internet that somebody looking for it will find it.



I've had this question a few times from customers: "I forgot the password for 'insert service that supports managed accounts here'. Is there any way I can retrieve it?" Initially my answer was no, then it became "it depends", and now it is a definite yes.


The approach I'm taking is actually very simple, and it's basically only a few steps.

  • Create a new application pool that runs as the managed account whose password you want to recover.
  • Use appcmd.exe to read the password of the application pool you just created.



As I said, only a few steps are involved in retrieving the password of a managed account. The first thing we need to do is create an application pool that runs as the managed account. To do that, we retrieve the specific managed account and assign it to a variable using the Get-SPManagedAccount cmdlet. In the screenshot below I'm retrieving a managed account and assigning it to the '$ManagedAccount' variable.

Now that we have our managed account, we're ready to create an application pool. Here we have a decision to make: create a new service application, or create a new web application. I simply create a new web application, one that isn't addressable, so that nobody tries to use it while it exists. The reason I choose a web application is that it leaves less of a footprint on the server. I tried simply creating a new SPServiceApplicationPool, but that does not show up as an IIS application pool until an actual service application is deployed onto the server. To create the web application we use the New-SPWebApplication PowerShell cmdlet. We can see that both the web application and its application pool have been created in the screenshot below:


We can also retrieve the application pool in PowerShell through $WebApp.ApplicationPool, as shown in the screenshot below:


Now that we have a web application and an application pool, we switch over to appcmd.exe to read the password of the application pool. IIS stores the application pool identity's password in applicationHost.config in encrypted form, and appcmd decrypts it for a local administrator, so this step has to run elevated. The line we use (from PowerShell) is pretty simple and looks something like this: cmd.exe /c C:\windows\system32\inetsrv\appcmd.exe list apppool "Name of Application Pool" /text:ProcessModel.Password

This produces output like the screenshot below:
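The whole procedure, as an added example that is not the script from the original post: it creates a throw-away web application whose application pool runs as the managed account, reads the pool's password back with appcmd.exe, and removes the web application, IIS site and content database again so the farm is left as it was found. The account name, pool name, port, host header and database name are assumptions; change them for your farm.

```powershell
# Added example (not the script from the original post): recover a SharePoint
# managed account's password by parking it on a throw-away web application and
# reading the IIS application pool credentials back with appcmd.exe.
# Run in an elevated SharePoint Management Shell as a local administrator who is
# also a farm administrator. The account, port, host header and database name
# below are assumptions; adjust them for your farm.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = "CONTOSO\svc_spservice"          # managed account to recover (assumed)
$poolName    = "PwdRecovery-" + [guid]::NewGuid().ToString("N").Substring(0, 8)
$port        = 8999                             # a port nothing else on the server listens on
$hostHeader  = "pwdrecovery.invalid"            # non-resolvable name so nobody browses the site
$dbName      = "WSS_Content_$poolName"          # explicit name so the cleanup is unambiguous
$appcmd      = Join-Path $env:windir "System32\inetsrv\appcmd.exe"

$managedAccount = Get-SPManagedAccount -Identity $accountName
if (-not $managedAccount) { throw "Managed account '$accountName' not found in this farm." }

$webApp = $null
try {
    # 1. Create a throw-away web application; its application pool runs as the managed account.
    #    A dedicated port plus a host header avoids the port 80 conflict on a server that
    #    already has a web application listening there.
    $webApp = New-SPWebApplication -Name $poolName `
        -ApplicationPool $poolName `
        -ApplicationPoolAccount $managedAccount `
        -Port $port `
        -HostHeader $hostHeader `
        -DatabaseName $dbName

    # 2. Ask IIS for the pool's identity password. appcmd decrypts the value stored in
    #    applicationHost.config, which is why this must run as a local administrator.
    $iisPoolName = $webApp.ApplicationPool.Name
    $password = & $appcmd list apppool $iisPoolName /text:processModel.password
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($password)) {
        throw "appcmd could not read the password for application pool '$iisPoolName'."
    }

    [pscustomobject]@{
        ManagedAccount = $managedAccount.Username
        AppPool        = $iisPoolName
        Password       = $password
    }
}
finally {
    # 3. Remove the web application together with its IIS site and content database,
    #    so no trace of the temporary application pool remains.
    if ($webApp) {
        Remove-SPWebApplication -Identity $webApp -DeleteIISSite -RemoveContentDatabases -Confirm:$false
    }
}
```

The cleanup sits in a finally block so the temporary web application is removed even when appcmd fails; if the New-SPWebApplication call itself fails, nothing was created and there is nothing to remove.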


You can download the Password Retrieval Script from this location: Download RetrievePassword.ps1 (zipped)


To use this script you must be logged in with an account that is both a local administrator and a farm administrator. Edit the script variable to point at your managed account and run the PowerShell script. If port 80 is already in use on the server, change the port the script uses for the temporary web application, or add a host header.



As always, if you have any questions or feedback, let me know. If you have any ideas to optimize the script, I'd like to hear that too. Thanks for reading!


Comments (10)

  1. Hi Roger,

    This looks really good.  Quick question for you though.  You mention the server footprint as the reason a web application is set up, but is the application's removal catered for within the script?



  2. Hi Steven,

    Yes, the web application is removed, and there is some cleanup for some residual artifacts that I'm also cleaning up as part of the removal process.  Effectively, the server should be left in the same condition as it was before you ran the script, based on my testing.  If you do run the script and find anything out of place, let me know and I'll make sure to address it.

  3. Hi Roger,

    Just to follow up on this.  The temp web application defaults to port 80, which generated an error when I used it.  Would it be safe to change this within the script itself to ensure its success?



  4. Hey Steven,

    You can definitely change the port.  Optionally, you could also include the -hostheader parameter as well.  I'll keep that in mind and update the script within the next few weeks.


  5. Hi Roger,

    Got it working.  Great work and thanks again.

  6. Ivan says:

    My solution is a little more elegant and doesn't require Farm Administrator rights:…/Recover-SharePoint-Farm-3ddb6577

  7. Andreas says:

    This is awesome. Thanks, helps me a lot!

  8. Al Lacroix says:

    Thank you very much, you saved my day!

    This trick is super cool.

  9. Mike Donnellan says:

    Many thanks Roger.  You have made my day as well.  Excellent insight, excellent script.

  10. Peter Holpar says:

    There is a way to query the password of the managed account directly via Reflection and Marshaling as described in this post:…/recovering-passwords-for-sharepoint-managed-accounts
