Updating the Password in ARS Managed Domains

I came across a post explaining how to do this and realised that for some of the managed domains the password was not being changed and these accounts were normally domain admins.

As per my last post on generating random passwords, and the general discussion on whether we should be forcing users to change their passwords, there is no question that it’s a good idea to automate a password reset on privileged service accounts.

ARS managed domains have the option of using either the service account that runs the ARS service, or you can add an override account. If you don’t have a trust in place then an override account is the only option. For the service account that runs the ARS service you could probably use a managed service account. I’ve not done this as I sometimes have to resort to actually using this account to debug some of the ARS script policies. I use a password management tool to reset the password, update the service configuration and then restart the service. For the override accounts I use an ARS scheduled task that changes the password in the target domain and then updates the managed domain configuration.

The excerpt of code below gets the Managed Domain objects and selects only those where an override account is configured; for those, the ‘edsaUseOverrideAccount’ attribute is set to $true. I then iterate through them and get the ‘edsaAccountName’ attribute, which holds the NTAccount name of the override account. I reset the domain account using ARS and then update the ‘edsaAccountPassword’ attribute of the Managed Domain object.

This appears to work well and I’ve not had any issues with it. Now nobody knows the account password and it will get reset on whatever schedule you want to run this task.

I’ve not posted my function ‘Stop-ScriptRun’. It just does some clean up, sends an email (if instructed to do so) and then uses ‘Throw’ to stop the script running. The throw updates the last run message of the scheduled task, so it’s easy to see what happened on the last run just by looking at the scheduled task.

# Managed Domain objects live under the ARS configuration container; keep only the ones
# that use an override account (edsaUseOverrideAccount = $true).
$managedDomains = Get-QADObject -SearchRoot 'CN=Managed Domains,CN=Server Configuration,CN=Configuration' -Proxy -IncludedProperties edsaUseOverrideAccount,edsaAccountName | Where-Object { $_.edsaUseOverrideAccount }

ForEach ( $ManagedDomain in $managedDomains ) {
 # Password policy settings ($pwdMAXLength, $pwdUPPER, ...), $whatif, $operationReason and
 # $emailParameters are defined earlier in the script; Get-RandomPassword is from the previous post.
 # Note: $pwd shadows PowerShell's automatic $PWD variable within this scope (harmless here).
 $pwd = Get-RandomPassword -MaxLength $pwdMAXLength -MinLength $pwdMINLength -Upper $pwdUPPER -Lower $pwdLOWER -number $pwdNUMBER -Special $pwdSPECIAL -alphaFirst:$alphaFirst -numericFirst:$numFirst -showdebug:$debug
 # Step 1: reset the override account in the target domain (edsaAccountName holds its NTAccount name).
 try { Set-QADUser -Identity $ManagedDomain.edsaAccountName -UserPassword $pwd -Proxy -Control @{operationReason=$operationReason} -WhatIf:$whatif }
 catch {
  Stop-ScriptRun -emailParameters $emailParameters -throwMessage "Unable to set password on account $($ManagedDomain.edsaAccountName)" -stop -sendMail
 }
 # Step 2: store the same password on the Managed Domain object so ARS keeps access to that domain.
 try { Set-QADObject $ManagedDomain.DN -ObjectAttributes @{edsaAccountPassword=$pwd} -Control @{operationReason=$operationReason} -Proxy -WhatIf:$whatif }
 catch {
  Stop-ScriptRun -emailParameters $emailParameters -throwMessage "Unable to update $($ManagedDomain.name) password, $($ManagedDomain.edsaAccountName)" -stop -sendMail
 }
}
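One failure mode of the two-step reset above is worth guarding against: if the account password is changed but the Managed Domain object still holds the old value, ARS loses access to that domain. The following is an added example (not code from the original post) that validates the new credential against the target domain before writing it to ‘edsaAccountPassword’; it assumes the ARS cmdlets are loaded, that $operationReason and $whatif exist as in the post, and that the caller supplies the domain's DNS name (a constructed value such as 'child.example.com'), since the post does not show which attribute holds it.

```powershell
# Added example: verify the new override-account password works before storing it in ARS.
# Assumes Set-QADUser/Set-QADObject are loaded and $operationReason/$whatif are defined as in the post.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainCredential {
    param(
        [Parameter(Mandatory)][string]$DomainDnsName,   # e.g. 'child.example.com' (caller supplies)
        [Parameter(Mandatory)][string]$NTAccountName,   # DOMAIN\user, as held in edsaAccountName
        [Parameter(Mandatory)][string]$Password,
        [int]$Attempts = 3,
        [int]$DelaySeconds = 10
    )
    # ValidateCredentials binds to whichever DC answers. A password set moments ago may not
    # have replicated to that DC yet, so retry a few times before declaring the reset broken.
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctxType, $DomainDnsName
    try {
        for ($i = 1; $i -le $Attempts; $i++) {
            if ($ctx.ValidateCredentials($NTAccountName, $Password)) { return $true }
            Start-Sleep -Seconds $DelaySeconds
        }
        return $false
    }
    finally { $ctx.Dispose() }
}

function Update-OverrideAccountPassword {
    param(
        [Parameter(Mandatory)]$ManagedDomain,            # one object from the Get-QADObject query
        [Parameter(Mandatory)][string]$DomainDnsName,
        [Parameter(Mandatory)][string]$NewPassword
    )
    # Step 1: reset the override account in the target domain through ARS.
    Set-QADUser -Identity $ManagedDomain.edsaAccountName -UserPassword $NewPassword -Proxy `
        -Control @{operationReason=$operationReason} -WhatIf:$whatif
    if ($whatif) { return }   # nothing changed in WhatIf mode, so there is nothing to verify

    # Step 2: prove the new credential is accepted before touching the ARS configuration.
    $ok = Test-DomainCredential -DomainDnsName $DomainDnsName -NTAccountName $ManagedDomain.edsaAccountName -Password $NewPassword
    if (-not $ok) {
        throw "New password for $($ManagedDomain.edsaAccountName) was not accepted by $DomainDnsName; Managed Domain object NOT updated"
    }

    # Step 3: only now store it on the Managed Domain object.
    Set-QADObject $ManagedDomain.DN -ObjectAttributes @{edsaAccountPassword=$NewPassword} `
        -Control @{operationReason=$operationReason} -Proxy
}
```

If step 2 throws, the scheduled task's last run message records which domain was left with a mismatched credential, so the override account can be fixed by hand before ARS needs it.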