How to Recover Passwords for SharePoint Managed Accounts

This post explains how to recover the password of a SharePoint managed account. It also serves as a lesson for anybody who owns a SharePoint server: be careful about who you let sit at your console, because anyone who can reach it as a local and farm administrator can recover these passwords. It is also a good illustration of why automatic password changes are such a useful new feature. The process isn't intuitive, and it mixes a couple of technologies, but every piece of it is already documented well enough on the internet that somebody looking for it will find it.


Background

I've had this question a few times from customers: "I forgot the password for 'insert service that supports managed accounts here'; is there any way I can retrieve it?" Initially my answer was no, then it became "it depends", and now it's a definite yes.

Approach

The approach is very simple and consists of only two steps:

  • Create a new application pool that runs as the managed account whose password you wish to retrieve.
  • Use Appcmd to read the password back from the application pool you just created.


Solution

As I said, only a few steps are involved in retrieving the password of a managed account. The first thing we need to do is create an application pool that uses the managed account. To do that, we retrieve the specific managed account and assign it to a variable using the Get-SPManagedAccount cmdlet. In the screenshot below I'm retrieving a managed account and assigning it to the $ManagedAccount variable.

Now that we have our managed account, we're ready to create an application pool. Here we make a decision: we either create a new service application or a new web application. I simply create a new web application, one that isn't addressable, so that nobody actually tries to use it. I do it this way because it leaves a smaller footprint on the server. I tried simply creating a new SPServiceApplicationPool, but that does not show up as an IIS application pool until the actual service application is deployed onto your server. To create the web application we use the New-SPWebApplication PowerShell cmdlet. We can see that both the web application and its application pool have been created in the screenshot below:


We can also retrieve the application pool from PowerShell using $WebApp.ApplicationPool, as shown in the screenshot below:


Now that we have a web application and an application pool, we switch over to appcmd.exe to retrieve the password for the application pool. The command we use (run from PowerShell) is straightforward and looks like this: cmd.exe /c C:\windows\system32\inetsrv\appcmd.exe list apppool "Name of Application Pool" /text:ProcessModel.Password

This produces output like that shown in the screenshot below:


You can download the Password Retrieval Script from this location: Download RetrievePassword.ps1 (zipped)

Usage

To use this script you must be logged in with an account that is both a local administrator on the server and a farm administrator. Simply edit the script variable to indicate your managed account, then run the PowerShell script.
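Since any local and farm administrator can run the procedure above, the mitigation the post points to is automatic password changes. The following audit script is an added example, not the author's RetrievePassword.ps1, and assumes it runs in the SharePoint Management Shell as a farm administrator; the schedule string in the remediation step is a constructed sample, and AutomaticChange, ChangeSchedule and PasswordExpiration are assumed to be the property names exposed by Get-SPManagedAccount.

```powershell
# Added example (not the post's script): list SharePoint managed accounts and
# flag those still relying on a long-lived, manually set password.
# Assumes: SharePoint Management Shell, run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accounts = @(Get-SPManagedAccount)

# Accounts without automatic change keep the same password indefinitely,
# which is exactly what the appcmd procedure recovers.
$manual = @($accounts | Where-Object { -not $_.AutomaticChange })

$accounts |
    Select-Object UserName,
                  AutomaticChange,
                  @{ Name = 'Schedule';  Expression = { $_.ChangeSchedule } },
                  @{ Name = 'Expires';   Expression = { $_.PasswordExpiration } } |
    Format-Table -AutoSize

if ($manual.Count -gt 0) {
    Write-Warning ("{0} managed account(s) have no automatic password change: {1}" -f `
        $manual.Count, (($manual | ForEach-Object { $_.UserName }) -join ', '))
}

# Remediation (uncomment to apply): let the farm generate and rotate the password.
# The schedule below is a constructed example: weekly, Sunday between 02:00 and 03:00.
# foreach ($account in $manual) {
#     Set-SPManagedAccount -Identity $account -AutoGeneratePassword `
#         -Schedule 'weekly between Sun 02:00:00 and Sun 03:00:00' `
#         -PreExpireDays 2 -Confirm:$false
# }
```

Once automatic change is enabled, a password recovered this way only remains valid until the next scheduled rotation.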


Feedback

As always, if you have any questions or feedback, let me know. If you have any ideas to optimize the script, I'd like to hear that too. Thanks for reading!

You can also follow me on Twitter:

 RCormier_MSFT