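function Set-WindowsServiceExecutionAccount {
    <#
    .SYNOPSIS
    Sets the Execution Account for a Windows Service

    .DESCRIPTION
    Reconfigures the account a Windows service runs under by invoking sc.exe
    (via Invoke-SCExe) with "config <name> obj=<user> [password=<pw>]".

    The service can be described either by a single definition object
    (parameter set 'ServiceDefinition', the default) or by individual fields
    (parameter set 'FieldBasedDefinition'). Both paths are normalised into the
    same set of variables before any validation runs.

    A user of 'REPLACEME', or a password of 'REPLACEME' for a non-gMSA account,
    is treated as an unfilled configuration template: a warning is written and
    the service is left untouched. If the service already runs as the requested
    account (LocalSystem and SYSTEM are treated as equivalent) nothing is
    changed, even if a different password was supplied.

    .PARAMETER ServiceDefinition
    A complex object with the following properties: Name, User, Password, IsGMSAAccount
    Name is the name of the service

    .PARAMETER ServiceName
    The name of the service. Used with Get-Service et al

    .PARAMETER ServiceUser
    The user the service will run under

    .PARAMETER ServicePassword
    The password for the service (if supplied)

    .PARAMETER IsGMSAAccount
    If this is a gMSA service account

    .OUTPUTS
    None. Progress and diagnostics are written with Write-Host / Write-Warning.

    .NOTES
    When a password is supplied it is handed to sc.exe as a command-line
    argument. Command lines are readable by other local processes and may be
    captured by process-creation auditing, which is why this function never
    echoes the full parameter list in that case. Prefer gMSA accounts where
    possible so no password has to be handled at all.
    #>
    [CmdletBinding(DefaultParameterSetName = 'ServiceDefinition')]
    Param(
        [Parameter(ParameterSetName = 'ServiceDefinition', Mandatory = $true)]
        [PSObject]$ServiceDefinition,

        [Parameter(ParameterSetName = 'FieldBasedDefinition', Mandatory = $true)]
        [string]$ServiceName,

        [Parameter(ParameterSetName = 'FieldBasedDefinition', Mandatory = $true)]
        [string]$ServiceUser,

        [Parameter(ParameterSetName = 'FieldBasedDefinition', Mandatory = $false)]
        [string]$ServicePassword,

        [Parameter(ParameterSetName = 'FieldBasedDefinition')]
        [switch]$IsGMSAAccount
    )

    $logLead = (Get-LogLeadName)

    # Normalise the definition object into the field variables FIRST. The
    # placeholder check below previously ran before this unpack, so a
    # ServiceDefinition carrying 'REPLACEME' values was never rejected and
    # went straight through to sc.exe.
    if ($PSCmdlet.ParameterSetName -eq 'ServiceDefinition') {
        $ServiceName = $ServiceDefinition.Name
        $ServiceUser = $ServiceDefinition.User
        $ServicePassword = $ServiceDefinition.Password
        $IsGMSAAccount = $ServiceDefinition.IsGMSAAccount
    }

    # 'REPLACEME' is the unfilled-template marker; refuse to configure a
    # service with it. A placeholder password is only a problem for accounts
    # that actually use one (i.e. not gMSA).
    if (($ServiceUser -eq 'REPLACEME') -or (($ServicePassword -eq 'REPLACEME') -and -not $IsGMSAAccount)) {
        Write-Warning "$logLead : Service username or service password provided was [REPLACEME]. This is an invalid configuration. Set-WindowsServiceExecutionAccount will not be processed."
        return
    }

    $emptyPassword = ([string]::IsNullOrWhiteSpace($ServicePassword))

    # NOTE(review): what Get-WindowsServiceUser returns for an unknown service
    # is not visible here; a $null result simply falls through to sc.exe.
    $currentProcessUser = Get-WindowsServiceUser $ServiceName

    # Idempotency check. sc.exe reports the built-in system account as
    # "LocalSystem" while configuration typically says "SYSTEM"; treat them as
    # the same account. Note this early return also skips a password-only
    # change for an account that is already in place.
    if ($currentProcessUser -eq $ServiceUser -or ($currentProcessUser -eq "LocalSystem" -and $ServiceUser -eq "SYSTEM")) {
        Write-Host "$logLead : No Credential Update Required for Windows Service [$ServiceName]"
        return
    }

    # Argument list for "sc.exe config"; values are quoted for sc.exe's parser.
    $scParameters = @("config",$ServiceName,"obj=`"$ServiceUser`"")

    # GMSA don't have passwords, so don't specify that flag
    if ($IsGMSAAccount) {
        Write-Host "$logLead : Service [$ServiceName] will run as a GMSA account or Password-less Account for username [$ServiceUser]"
    }

    if (!$IsGMSAAccount -and !$emptyPassword){
        Write-Host "$logLead : Service [$ServiceName] will run as a non-GMSA account"
        $scParameters += "password=`"$ServicePassword`""
    }

    # The argument list contains the plaintext password when one was supplied;
    # only log it verbatim when it cannot contain a secret.
    if ($emptyPassword) {
        Write-Host "$logLead : Updating Execution Account for Windows Service [$ServiceName] with params [$scParameters]"
    } else {
        Write-Host "$logLead : Updating Execution Account for Windows Service [$ServiceName] with obscured params due to inclusion of a password"
    }

    Invoke-SCExe $scParameters

    if ($IsGMSAAccount) {
        # Ensure value is always set to service account managed state
        Set-ServiceAccountManagedState -ServiceName $ServiceName
    }
}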