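function Set-WindowsServiceExecutionAccount {
    <#
    .SYNOPSIS
        Sets the Execution Account (log-on identity) for a Windows Service via sc.exe config.

    .DESCRIPTION
        Resolves the target service, user, password and gMSA flag from either parameter set,
        rejects placeholder ('REPLACEME') credentials, skips the update when the service
        already runs as the requested user, and otherwise calls Invoke-SCExe with
        "config <name> obj=<user> [password=<password>]". For gMSA accounts no password is
        passed and Set-ServiceAccountManagedState is invoked afterwards.

        Security notes for operators:
          * The password is passed to sc.exe as a command-line argument in plain text. Anything
            that captures process command lines (process-creation auditing, EDR telemetry,
            PowerShell transcription of child processes) may record it. The function itself
            deliberately does not log the parameter array when a password is present.
          * The "no update required" short-circuit compares only the account NAME. A rotated
            password for an account the service already runs as is therefore NOT pushed by this
            function; callers that rotate passwords need a different path.
          * The user name is embedded in a double-quoted sc.exe argument. Values containing
            double quotes are not escaped here; treat ServiceUser/ServiceDefinition.User as
            trusted configuration, not as arbitrary input.

    .PARAMETER ServiceDefinition
        A complex object with the following properties: Name, User, Password, IsGMSAAccount.
        Name is the name of the service.

    .PARAMETER ServiceName
        The name of the service. Used with Get-Service et al.

    .PARAMETER ServiceUser
        The user the service will run under.

    .PARAMETER ServicePassword
        The password for the service (if supplied).

    .PARAMETER IsGMSAAccount
        If this is a gMSA service account.

    .OUTPUTS
        None. Progress is written with Write-Host; invalid configuration with Write-Warning.
    #>
    [CmdletBinding(DefaultParameterSetName = 'ServiceDefinition')]
    Param(
        [Parameter(ParameterSetName = 'ServiceDefinition', Mandatory = $true)]
        [PSObject]$ServiceDefinition,

        [Parameter(ParameterSetName = 'FieldBasedDefinition', Mandatory = $true)]
        [string]$ServiceName,

        [Parameter(ParameterSetName = 'FieldBasedDefinition', Mandatory = $true)]
        [string]$ServiceUser,

        [Parameter(ParameterSetName = 'FieldBasedDefinition', Mandatory = $false)]
        [string]$ServicePassword,

        [Parameter(ParameterSetName = 'FieldBasedDefinition')]
        [switch]$IsGMSAAccount
    )

    $logLead = (Get-LogLeadName)

    # Unpack the object form FIRST. Previously the REPLACEME guard below ran before this
    # unpacking, so a ServiceDefinition carrying placeholder credentials was never caught
    # (the field variables were still empty at check time) and the placeholder was applied.
    if ($PSCmdlet.ParameterSetName -eq 'ServiceDefinition') {
        $ServiceName = $ServiceDefinition.Name
        $ServiceUser = $ServiceDefinition.User
        $ServicePassword = $ServiceDefinition.Password
        $IsGMSAAccount = $ServiceDefinition.IsGMSAAccount
    }

    # Refuse placeholder credentials. A placeholder password is only meaningful for
    # non-gMSA accounts, since gMSA accounts never carry a password here.
    if (($ServiceUser -eq 'REPLACEME') -or (($ServicePassword -eq 'REPLACEME') -and -not $IsGMSAAccount)) {
        Write-Warning "$logLead : Service username or service password provided was [REPLACEME]. This is an invalid configuration. Set-WindowsServiceExecutionAccount will not be processed."
        return
    }

    # A definition object without a Name would otherwise be handed to Get-WindowsServiceUser
    # and sc.exe as an empty argument; treat it as invalid configuration like REPLACEME.
    if ([string]::IsNullOrWhiteSpace($ServiceName)) {
        Write-Warning "$logLead : No service name was provided. This is an invalid configuration. Set-WindowsServiceExecutionAccount will not be processed."
        return
    }

    $emptyPassword = ([string]::IsNullOrWhiteSpace($ServicePassword))

    # Name-only comparison: a changed password for the same account is not detected here.
    # -eq on strings is case-insensitive in PowerShell; LocalSystem/SYSTEM are aliases.
    $currentProcessUser = Get-WindowsServiceUser $ServiceName
    if ($currentProcessUser -eq $ServiceUser -or ($currentProcessUser -eq "LocalSystem" -and $ServiceUser -eq "SYSTEM")) {
        Write-Host "$logLead : No Credential Update Required for Windows Service [$ServiceName]"
        return
    }

    # sc.exe requires the "key= value" form; the value is wrapped in quotes for names with spaces.
    $scParameters = @("config", $ServiceName, "obj=`"$ServiceUser`"")

    # gMSA accounts don't have passwords, so don't specify that flag.
    if ($IsGMSAAccount) {
        Write-Host "$logLead : Service [$ServiceName] will run as a GMSA account or Password-less Account for username [$ServiceUser]"
    }

    if (!$IsGMSAAccount -and !$emptyPassword) {
        Write-Host "$logLead : Service [$ServiceName] will run as a non-GMSA account"
        $scParameters += "password=`"$ServicePassword`""
    }

    # Never echo the parameter array once it may contain a password; it would end up in
    # console output, transcripts and CI logs.
    if ($emptyPassword) {
        Write-Host "$logLead : Updating Execution Account for Windows Service [$ServiceName] with params [$scParameters]"
    }
    else {
        Write-Host "$logLead : Updating Execution Account for Windows Service [$ServiceName] with obscured params due to inclusion of a password"
    }

    # NOTE: the password still travels on the sc.exe command line (see .DESCRIPTION).
    Invoke-SCExe $scParameters

    if ($IsGMSAAccount) {
        # Ensure value is always set to service account managed state.
        Set-ServiceAccountManagedState -ServiceName $ServiceName
    }
}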