
How to update passwords for Service Accounts in SCOM


If you use domain service accounts with passwords in SCOM, you will occasionally be required to change those passwords. This is a step by step guide to updating them.

 

High level overview:

  • Stop the SCOM services on all SCOM servers and delete the HealthService cache
  • (Optional) Stop any 3rd party services that connect to the SDK (connectors, integrations)
  • Stop the SQL Server Reporting Services service on the SCOM report server role.
  • Change the password for each service account in AD
  • Update the password for the SCOM windows services.
  • Start the DAS/SDK and Config services.
  • Update the password for the SCOM action and RunAs accounts in the SCOM console.
  • Update the password for the SCOM reporting account in SSRS
  • (Optional) Update the password for any connectors, 3rd party services, IIS app pools, or custom RunAs accounts.
  • Start the remaining SCOM Services on all SCOM servers

 

Step By Step:

Our guide will ASSUME you have 4 typical SCOM service accounts:

  • DOMAIN\scomaa – Management Server Action Account
  • DOMAIN\scomdas – System Center Data Access (SDK) account
  • DOMAIN\scomread – Data Warehouse Reporting Reader account
  • DOMAIN\scomwrite – Data Warehouse Reporting write account

If you only used one or two accounts for these roles – that’s fine. Your instructions will only vary slightly.

 

1.  Stop the SCOM services on all SCOM servers. 

This will reduce the chances of an account lockout depending on your account lockout policy.

On each SCOM Management server, stop the following services:

  • Microsoft Monitoring Agent
  • System Center Management Configuration
  • System Center Data Access Service


PowerShell:

Stop-Service HealthService   # Microsoft Monitoring Agent
Stop-Service cshost          # System Center Management Configuration
Stop-Service OMSDK           # System Center Data Access Service

At this point, we should flush the cache on each management server so the Healthservice will build a new cache when it starts back up.

Browse to the SCOM installation folder and delete or rename the “Health Service State” folder under \Program Files\Microsoft System Center\Operations Manager\Server\.


 

2.  (Optional) Stop any 3rd party services that connect to the SDK (connectors, integrations)

This could be an Alert Update connector, a product connector, custom 3rd party integrations to SCOM, or anything that connects to the SCOM SDK.

 

3.  Stop the SQL Server Reporting Services service on the SCOM report server role.


PowerShell:

Stop-Service SQLServerReportingServices
# OR, on SQL 2016 and earlier:
Stop-Service ReportServer

 

4.  Change the password for each service account in AD


PowerShell:

# Each account gets its own SecureString so different passwords can be used; the post uses one sample value throughout.
# -Reset sets the new password without requiring the old one.
$sstring = ConvertTo-SecureString -AsPlainText 'qwert@12*345' -Force
Set-ADAccountPassword -Identity scomaa -Reset -NewPassword $sstring

$sstring = ConvertTo-SecureString -AsPlainText 'qwert@12*345' -Force
Set-ADAccountPassword -Identity scomdas -Reset -NewPassword $sstring

$sstring = ConvertTo-SecureString -AsPlainText 'qwert@12*345' -Force
Set-ADAccountPassword -Identity scomread -Reset -NewPassword $sstring

$sstring = ConvertTo-SecureString -AsPlainText 'qwert@12*345' -Force
Set-ADAccountPassword -Identity scomwrite -Reset -NewPassword $sstring

 

5.  Update the password for the SCOM windows services.

On each SCOM management server, update the password for the following services:

  • System Center Management Configuration
  • System Center Data Access Service


PowerShell:

# Win32_Service.Change(): the eighth argument is StartPassword; $null leaves every other setting unchanged.
# A ReturnValue of 0 means the stored logon password was updated.
$service = gwmi win32_service -filter "name='cshost'"
$service.change($null,$null,$null,$null,$null,$null,$null,'qwert@12*345')

$service = gwmi win32_service -filter "name='OMSDK'"
$service.change($null,$null,$null,$null,$null,$null,$null,'qwert@12*345')

 

6.  Start the DAS/SDK and Config services.

On each SCOM management server, start the following services:

  • System Center Management Configuration
  • System Center Data Access Service


PowerShell:

Start-Service cshost   # System Center Management Configuration
Start-Service OMSDK    # System Center Data Access Service

 

7.  Update the password for the SCOM action and RunAs accounts in the SCOM console.

Open the SCOM console.

Administration > RunAs Configuration > Accounts

Under Type: Action Account, open the properties for the Management Server Action Account and update the password.


Under Type: Windows, open the properties for the Data Warehouse Action Account and update the password.


Under Type: Windows, open the properties for the Data Warehouse Report Deployment Account (if present) and update the password.


PowerShell:

# OPSMGR is the author's domain; substitute your own. The action account's Run As display name is its DOMAIN\user,
# while the two Data Warehouse accounts are found by their display names.

# Management Server Action Account (scomaa)
$UserName = "OPSMGR\scomaa"
$Password = ConvertTo-SecureString -AsPlainText 'qwert@12*345' -Force
$NewCred = New-Object System.Management.Automation.PSCredential $UserName,$Password
Get-SCOMRunAsAccount -Name "OPSMGR\scomaa" | Update-SCOMRunAsAccount -RunAsCredential $NewCred

# Data Warehouse Action Account (scomwrite)
$UserName = "OPSMGR\scomwrite"
$Password = ConvertTo-SecureString -AsPlainText 'qwert@12*345' -Force
$NewCred = New-Object System.Management.Automation.PSCredential $UserName,$Password
Get-SCOMRunAsAccount -Name "Data Warehouse Action Account" | Update-SCOMRunAsAccount -RunAsCredential $NewCred

# Data Warehouse Report Deployment Account (scomread)
$UserName = "OPSMGR\scomread"
$Password = ConvertTo-SecureString -AsPlainText 'qwert@12*345' -Force
$NewCred = New-Object System.Management.Automation.PSCredential $UserName,$Password
Get-SCOMRunAsAccount -Name "Data Warehouse Report Deployment Account" | Update-SCOMRunAsAccount -RunAsCredential $NewCred

 

8.  Update the password for the SCOM reporting account in SSRS

On the SCOM Reporting role server, open the Report Server Configuration Manager application.

Connect to the reporting instance.

Select the Service Account, and update the password, and click APPLY.


You should be prompted to start the service at this point.  This will reconfigure SSRS with the updated password and restart the services.

Next, select Database.  Choose “Change Credentials”.  On the Credentials screen, re-enter the Data Warehouse Report Reader account and input the updated password.


Next, select the Execution Account in Report Server Configuration Manager, and update the password:


You may close the SQL Report Server Configuration Manager now.

 

9.  (Optional) Update the password for any connectors, 3rd party services, IIS app pools, or custom RunAs accounts.

I have a Product Connector service that runs under the DAS/SDK account credential, so I will update this now.

You can likely start these services as well now, as the DAS/SDK service is already running.

 

10.  Start the SCOM Services on all SCOM servers

At this point, we can start the remaining service: Microsoft Monitoring Agent on all SCOM servers.


PowerShell:

Start-Service HealthService
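The ten steps above, combined into one script as an added example (this is not the post's own code). It assumes WinRM remoting to the management and report servers, the OperationsManager and ActiveDirectory modules on the workstation it runs from, and the account and Run As display names used in this guide; the hostnames are placeholders. Passwords are prompted for rather than written into the script, and the cache folder is derived from the registered HealthService binary instead of a hard-coded install path.

```powershell
#Requires -Modules OperationsManager, ActiveDirectory
# Added example, not the post's own code. Hostnames are placeholders; account names follow the post.
param(
    [string]$Domain          = 'DOMAIN',                     # NetBIOS domain of the service accounts
    [string]$SdkServer       = 'ms01.domain.local',          # any one management server, used to reach the SDK
    [string]$ReportServer    = 'scomrpt01.domain.local',     # server holding the SCOM Reporting role
    [string]$SsrsServiceName = 'SQLServerReportingServices'  # 'ReportServer' on SQL 2016 and earlier
)

# The four accounts the post assumes: sAMAccountName -> role.
$Accounts = [ordered]@{
    scomaa    = 'Management Server Action Account'
    scomdas   = 'System Center Data Access (SDK) account'
    scomread  = 'Data Warehouse Reporting Reader account'
    scomwrite = 'Data Warehouse Reporting write account'
}

# Prompt once per account and keep each new password as a SecureString.
$NewPw = @{}
foreach ($sam in $Accounts.Keys) {
    $NewPw[$sam] = Read-Host -AsSecureString "New password for $Domain\$sam ($($Accounts[$sam]))"
}

# Enumerate the management servers while the SDK is still reachable.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $SdkServer
$ManagementServers = (Get-SCOMManagementServer).DisplayName

# Step 1: stop HealthService, Config (cshost) and DAS (OMSDK) on every MS and flush the cache.
Invoke-Command -ComputerName $ManagementServers -ScriptBlock {
    Stop-Service -Name HealthService, cshost, OMSDK -Force
    # Assumption: "Health Service State" sits next to HealthService.exe, so derive the folder
    # from the service binary rather than hard-coding the install path.
    $exe   = (Get-CimInstance Win32_Service -Filter "Name='HealthService'").PathName.Trim('"')
    $cache = Join-Path (Split-Path -Parent $exe) 'Health Service State'
    if (Test-Path $cache) {
        Rename-Item -Path $cache -NewName "Health Service State.$(Get-Date -Format yyyyMMddHHmmss)"
    }
}
# Step 2 (optional): stop connectors and other SDK clients here, before the AD reset.

# Step 3: stop SSRS on the reporting server.
Invoke-Command -ComputerName $ReportServer -ScriptBlock { Stop-Service -Name $using:SsrsServiceName }

# Step 4: reset each account in AD (-Reset does not need the old password).
foreach ($sam in $Accounts.Keys) {
    Set-ADAccountPassword -Identity $sam -Reset -NewPassword $NewPw[$sam]
}

# Steps 5 and 6: store the DAS account's new password on the two Windows services, then start them.
# A PSCredential crosses the remoting session under WinRM's transport encryption.
$dasCred = [pscredential]::new("$Domain\scomdas", $NewPw['scomdas'])
Invoke-Command -ComputerName $ManagementServers -ArgumentList $dasCred -ScriptBlock {
    param([pscredential]$cred)
    foreach ($name in 'cshost', 'OMSDK') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        # Win32_Service.Change with only StartPassword supplied leaves every other setting untouched.
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
                -Arguments @{ StartPassword = $cred.GetNetworkCredential().Password }
        if ($r.ReturnValue -ne 0) { throw "$env:COMPUTERNAME: Change() on $name returned $($r.ReturnValue)" }
    }
    Start-Service -Name cshost, OMSDK
}

# Step 7: the SDK is back, so update the Run As accounts. The action account's display name
# is its DOMAIN\user; the two Data Warehouse accounts go by their display names.
New-SCOMManagementGroupConnection -ComputerName $SdkServer
$RunAs = @(
    @{ Name = "$Domain\scomaa";                           Sam = 'scomaa'    }
    @{ Name = 'Data Warehouse Action Account';            Sam = 'scomwrite' }
    @{ Name = 'Data Warehouse Report Deployment Account'; Sam = 'scomread'  }
)
foreach ($r in $RunAs) {
    $cred = [pscredential]::new("$Domain\$($r.Sam)", $NewPw[$r.Sam])
    Get-SCOMRunAsAccount -Name $r.Name | Update-SCOMRunAsAccount -RunAsCredential $cred
}

# Steps 8 and 9 stay manual: SSRS service account, database credentials and execution account in
# Report Server Configuration Manager, plus any connectors, app pools or custom Run As accounts.
Read-Host 'Finish steps 8 and 9, then press Enter to start the Health Service on all management servers'

# Step 10: start the remaining service everywhere.
Invoke-Command -ComputerName $ManagementServers -ScriptBlock { Start-Service -Name HealthService }
```

Run it once from an administrative workstation; it stops on the first management server where Win32_Service.Change reports a non-zero return value, so a failed credential update is not masked by a later successful service start.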

 

Health review

At this point we should check the OperationsManager event logs on all the Management servers for errors.

Also inspect the Monitoring > Operations Manager > Management Group Health dashboard.  Make sure SCOM is healthy.  Resolve any errors.


 

Troubleshooting

Sometimes, after the password for the Management Server Action Account is reset, you will see duplicate “Alternate” accounts get created.


If this happens, you need to go in the console to Administration > Run As Configuration > Profiles  and open the properties for the Default Action Account Profile.

Make sure none of the accounts are using the “Alternate Account”.  If they are, change them.

You can now delete any “Alternate Accounts” that exist.

Sometimes you will need to update the password again using the console for the Management Server Action Account if the management servers are still logging errors.  Wait for a config update (event 20125) and this should clear all the errors.
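The health review and the troubleshooting checks above, gathered into one verification pass as an added example (not the post's own code). It assumes the OperationsManager module and WinRM remoting to every management server; the hostname is a placeholder. For each server it reports which SCOM services are not running, the logon account each service is registered under (the Health Service must stay LocalSystem), the count and most frequent IDs of Error events in the Operations Manager log since the change, and whether the config update event 20125 has arrived; it then lists any “Alternate” Run As accounts so they can be checked against the Default Action Account profile before deletion.

```powershell
#Requires -Modules OperationsManager
# Added example, not the post's own code. The hostname is a placeholder.
param(
    [string]$SdkServer = 'ms01.domain.local',
    [datetime]$Since   = (Get-Date).AddHours(-2)   # window covering the password change
)

Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $SdkServer
$ManagementServers = (Get-SCOMManagementServer).DisplayName

$report = Invoke-Command -ComputerName $ManagementServers -ArgumentList $Since -ScriptBlock {
    param([datetime]$since)
    $svc = Get-CimInstance Win32_Service -Filter "Name='HealthService' OR Name='cshost' OR Name='OMSDK'"
    # Level 2 = Error. The log is named 'Operations Manager' on every SCOM role.
    $errors = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Operations Manager'; Level = 2; StartTime = $since })
    # Event 20125 is the config update the troubleshooting section waits for.
    $config = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Operations Manager'; Id = 20125; StartTime = $since })
    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        NotRunning         = (($svc | Where-Object State -ne 'Running').Name) -join ','
        DasLogon           = ($svc | Where-Object Name -eq 'OMSDK').StartName
        ConfigLogon        = ($svc | Where-Object Name -eq 'cshost').StartName
        HealthServiceLogon = ($svc | Where-Object Name -eq 'HealthService').StartName   # expect LocalSystem
        Errors             = $errors.Count
        TopErrorIds        = ($errors | Group-Object Id | Sort-Object Count -Descending |
                                Select-Object -First 5 | ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ' '
        ConfigUpdated      = $config.Count -gt 0
    }
}
$report | Sort-Object Server |
    Format-Table Server, NotRunning, DasLogon, ConfigLogon, HealthServiceLogon, Errors, ConfigUpdated, TopErrorIds -AutoSize

# Troubleshooting: duplicate "Alternate" Run As accounts left behind by the action account reset.
$alt = Get-SCOMRunAsAccount | Where-Object Name -like '*Alternate*'
if ($alt) {
    Write-Warning 'Alternate Run As accounts exist; confirm the Default Action Account profile does not use them before deleting:'
    $alt | Select-Object Name, Description | Format-Table -AutoSize
}
```

A non-empty NotRunning column, a DasLogon or ConfigLogon that is not the SDK account, or a rising Errors count with ConfigUpdated still False are the conditions the troubleshooting section describes; re-run the script after the next config update to confirm the errors have cleared.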

4 Comments

  1. Chris

    Something to suggest on the SSRS component of the password changes is to do it while the service is actively running under the old account.

    The reason is that if there is an encryption key in use, updating credentials while SSRS is stopped will cause it to lose access to the key. Changing the account information while running means that the key is unlocked in memory and SSRS can re-secure the key with the new credentials (and prompts for backup of the new key on apply). Without access to the configured key, SSRS won’t start and reporting from SCOM will be inoperable.

    Found this out myself just recently, fixed by swapping back to the old credentials, then retrying the update while running. Worked fine afterwards.

    If you are not using an encryption key, your documented process is no doubt correct.

  2. Nick

    I have inherited a SCOM deployment where all the management servers have Local System as the action account. If I try to reset with the above procedure the service fails and I receive “The Health Service only supports running as the local system user account. The service was configured to run under a different user account so it cannot start. Please reset the service configuration back to the default setting.” in the OM log. Any ideas on how to change the account?

  3. Christian Jacoby

    Thanks for this, helps a lot! It would be much easier though if there was a function inside SCOM to pick the account and change the password there, and that takes care of the rest then automatically.

    One small thing: in my SCOM 2022 installation, the cache of the Health Service is not in \Program Files\Microsoft System Center\Operations Manager\Server\, but in \Program Files\Microsoft System Center\Server\. I don’t think we changed any path during the installation.

  4. Chris Keown

    Hey Kevin, so when the service account passwords were changed, the default action account on the management servers was changed to System by mistake. No one picked up on it and they started having SQL errors where the computer accounts were trying to access SQL, so instead of fixing it they added the computer account to SQL and got things working again, but that is not a good idea. What are the ramifications of switching the action accounts on the management server back to the default action account like they should be? Is it going to blow up again?
