View Complete Thread
  • Re: RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Sep 04, 2019 10:22 AM|tmsatgmail|LINK


    Thanks. I've used the StackOverflow code block for some testing. The issue I'm having is NOT with the credential write actions, as those work fine - it's with a preceding validation step.

    We have IIS containing different sites and viritual directories owned by different teams who use different credentials for the objects they manage. So I cannot use a function that will blind overwrite every stored instance of a ServiceAccount2 username and password with the ServiceAccount1 username and password unless we've told it to.

    Rough example: - if you take that code from StackOverflow and extend all three ForEach loops with a sanity check to READ the current username and check it matches a search argument. (obviously you need different commands to get the current username, inside each loop).

        If(($username -ieq $currentuserName) -or ($flagReplaceAnyway -eq $true))
            Set-WebConfigurationProperty $fullPath -Name "username" -Value $username
            Set-WebConfigurationProperty $fullPath -Name "password" -Value $newpassword

    If I set the flag, the function can overwrite EVERY username and password on EVERY object it finds, bypassing the username match check. I can see all the usernames inside the IIS management interface (when running the admin console under the same credentials we're using for the PowerShell script). So there should be no problem reading those usernames as well as overwriting them.

    But, when running the PowerShell script, sometimes I get the username, sometimes I don't - and when I don't get it, there is no error. So the IF condition fails, if the flag is not set - ( $currentuserName = "" ) or ( $currentuserName = $null ) do not match $currentuserName.

    That is the issue. I am using standard logic to read the username, and the standard logic only works some of the time. Perversely, I do not have this problem when using the same principle in IIS:\AppPools where this IF condition works EVERY TIME.

    If(($username -ieq $webapp.processModel.userName) -or ($flagReplaceAnyway -eq $true))