Reputation: 601
Using SC.exe to set service credentials password fails
I know this question has been asked in the past, but a satisfactory answer has not been provided.
I am using the SC command to config the credentials for a service.
SC.exe config "SERVICE NAME" obj= "domain\user" password= "password"
This completes successfully, but when I start the service, it fails
to perform the login.
[NET START "service name"]
If I manually update ONLY the password from the services.msc, then when I start the service it works fine.
I have hundreds of servers to update this change occurs in the middle of a deployment, so manual intervention is NOT an option.
I have tried using the config to update the login account and then another config command for the password.
From all accounts, the SC.exe does not work for passwords and Microsoft has NO help.
IDEAS?
Upvotes: 15
Views: 40417
Answers (10)
Reputation: 1461
Based on this simplified use case, there seems to be a core issue changing the password without using the GUI once. The same issue occurs when using Ansible win_service. I have tried rebooting before trying to reconfigure the logon user, but nothing works. After a service is created with default user...
Fails:
- sc.exe config "myService" obj= "MYDOMAIN\myuser" password= "BAD"
- sc.exe config "myService" obj= "MYDOMAIN\myuser" password= "redacted"
Succeeds:
- Set password to BAD via Windows service UI. (dark magic happening)
- sc.exe config "myService" obj= "MYDOMAIN\myuser" password= "redacted"
Upvotes: 0
Reputation: 54
When you configure a service to run under a specific virtual account ,
To configure a service to use a virtual account remember that the virtual service account's name should be same as the service name . Eg. **NT SERVICE**ServiceName.
Upvotes: 0
Reputation: 478
To enable log on as a service via script I've written this, you can use it as is or pull out what is useful to you
https://raw.githubusercontent.com/cdaf/windows/master/automation/provisioning/setServiceLogon.ps1
Upvotes: 1
Reputation: 10958
Besides stopping the service before making the changes, and granting the user permission to logon as a service, I also had to add the type= own parameter, otherwise it would fail with:
[SC] ChangeServiceConfig FAILED 87:
The parameter is incorrect
So this is the command that worked:
SC.EXE config "ServiceName" type= own obj= "domain\user" password= "password"
It even worked with special characters in the password, given I had the password between double brackets.
Upvotes: 9
Reputation: 71
When you configure a service to run under a specific account via the normal route from the service properties windows automatically grants the account the log in as service right. When you use sc.exe you also have to grant the user the log on as service right.
Upvotes: 7
Reputation: 497
Before restarting services, you should grant your user permission to logon as a service. Unfortunately, no way to do it from command line with default windows tools, but you can use small additional util ntright.exe from Windows Server 2003 Resource Kit Tools.
Download it from https://www.microsoft.com/en-us/download/details.aspx?id=17657
After installation you'll get a lot of tools in C:\Program Files (x86)\Windows Resource Kits\Tools (or in Program Files on 32bit machine).
You need ntrights.exe. You can copy it and run from any place on another host.
To grant your user required permission, you should add to your script:
ntrights.exe +r SeServiceLogonRight -u "%DOMAIN%\%USER%"
After that you can successfully restart services with a new user. Also there is an option to run ntrights.exe on remote host:
ntrights.exe +r SeServiceLogonRight -u "%DOMAIN%\%USER%" -m %HOSTNAME%
This tool helps me very much when I need reconfigure a lot of hosts remotely.
Upvotes: 2
Reputation: 13
Try This. Start menu - type "local security policy" without the quotes. Open the "Local Policies", then left-click on "User Rights Assignment". On the right panel, right-click on "Log on as a service", and select "Properties". Click on "Add User or Group" and add your user. Click OK. You might have to reboot your machine.
After adding you can set the user name and password for the service in cmd.
Upvotes: 0
Reputation: 1437
Run against this problem while doing some Powershell scripting and the issue in my case was the special characters in the password.
Got it working by storing the password in a variable with double quotes around it:
$servicePassword = "`"passwordWithSpecialCharacters`""
cmd /c sc config myService obj= mydomain\myuser password= $servicePassword
Special characters are:
()'"$><^?
Upvotes: 0
Reputation: 19032
I had this issue. Thanks to ST's comment on the original post, I realized I needed to research how to type the password. In my case, I needed to double up the percent sign (%%) in the password.
The link ST provided is helpful: Escaping special characters in cmd.
Upvotes: 0
Reputation: 1
Try to stop the service before setting up the password:
sc.exe stop "<my_service>" 4:4:3
sc.exe config "<my_service>" obj= "\.<local_acc_name>" password= "<local_acc_pass>"
sc.exe start "<my_service>"
Upvotes: 0
Related Questions
- How do I set the credentials of a a windows service log on?
- Starting a process with credentials from a Windows Service
- How to change user credentials of windows service from command line?
- sc.exe config "Service Name" obj= "DOMAIN\User" password= "password" not working
- Adding Credentials to Service with PowerShell
- SC CreateService FAILED 1057 The account name is invalid or does not exist, or the password is invalid for the account name specified
- how to set windows service username and password through commandline
- Create service with arguments using SC.exe
- Bypassing Windows Credentials using Windows Service
- sc.exe fails with a 1639