To update the 'Log On As' property on a Windows Service, you will need a credential with the appropriate permissions, such as an Administrator account.
When attaching a PAM script to a record, you have the option to add a Resource Credential that is passed to the Gateway as part of the BASE64-encoded JSON data. The above credential will need to be attached as a Resource Credential.
As many Resource Credentials can be attached to a PAM script, knowing the UID of the Resource Credential you have attached helps ensure your script uses the correct one to update the Service's 'Log On As' property.
Updating the Service
PowerShell 7 makes it easy to update service credentials. By default, even in PowerShell 7, when remoting, the default PSSession will be Windows Powershell (v5). To remote using PowerShell 7, you can specify the built-in PowerShell 7 configuration: PowerShell.7. Once the rotation is complete, we will log the service status to DEBUG.
[CmdletBinding()]param ( [Parameter(ValueFromPipeline=$true)] [string] $B64Input)$ErrorActionPreference ="Stop"$DebugPreference ='Continue'functionConvertFrom-B64 {param ( [string] $B64String )try { $Json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64String)) $Output = $Json |ConvertFrom-Json }catch {Write-Error"Failed to convert Base64 string: $B64String" }return $Output}functionNew-PSCredential {param ( [string] $Username, [string] $Password )try { $SecurePassword =ConvertTo-SecureString $Password -AsPlainText -Force $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword
Write-Debug"New PSCredential created for: $Username" }catch {Write-Error"Failed to create PSCredential for: $Username" }return $Credential}# The JSON data is passed to the Gateway as a Base64 encoded string.$Params =ConvertFrom-B64-B64String $B64InputWrite-Debug"Running Post-Rotation Script on: $($Params.userRecordUid)"# Create a PSCredential to be used to update the Service's `Log On As` property.$ServiceAccountCredential =New-PSCredential-Username $Params.user -Password $Params.newpassword# Convert the attached Resource Records from Base64 encoded JSON string and find the # Admin Record we need to update the Service's `Log On As` property by filtering by the # Admin Record's UID.$ResourceCredentials =ConvertFrom-B64-B64 $Params.records$AdminRecord = $ResourceCredentials |Where-Object { $_.uid-eq'<Admin Record UID>' }# Each record type will have a different JSON structure. In this instance, we are using # a PAM Directory record type, so we need to build the username from the `login` and # `domainName` properties.$AdminCredential = New-PSCredential -Username "$($AdminRecord.login)@$($AdminRecord.domainName)" -Password $($AdminRecord.password)
# Rotate the Service's `Log On As` property$ServiceName ='<Target Service>'$ServiceStatus =Invoke-Command`-ComputerName '<Target Machine>'`-Credential $AdminCredential `-ConfigurationName 'PowerShell.7'`-ScriptBlock { `Stop-Service $Using:ServiceName; `Set-Service-Name $Using:ServiceName -Credential $Using:ServiceAccountCredential; `Start-Service $Using:ServiceName; `returnGet-Service $Using:ServiceName; }Write-Debug"$ServiceName is: $($ServiceStatus.Status)"
