How to use a script to change the ASA (Kerberos) password using Exchange Server 2010

Hi folks,

If you are using a load balancer and your design decision was to use Kerberos instead of NTLM for the CAS Array (and there are a couple of good reasons for that), you may also want to create a procedure to change the password for the computer account and then update the Client Access Servers that use that account.

During the deployment you probably used a script like this one to set the password, right?

RollAlternateServiceAccountPassword.ps1 -ToArrayMembers ArrayName.domain.local -GenerateNewPasswordFor domain.fqdn\ASAAccount$

If you want to change that password on a schedule, every month for example, you can run the following command:

RollAlternateServiceAccountPassword.ps1 -CreateScheduledTask "Exchange-ASA" -ToArrayMembers ArrayName.domain.local -GenerateNewPasswordFor domain.fqdn\ASAAccount$

The command above creates a new .cmd script file in the Scripts folder, and its name is based on the value passed to the -CreateScheduledTask parameter.


Another change introduced by the previous command is a new task entry on the server. For the sake of simplicity and security, I would recommend a couple of changes:

  • First, change the schedule to run on a monthly basis; we can select every first Sunday of the month and schedule the time for something like 1AM.
  • Second, change the security options and use a specific account just for that task. This account must be a member of the Exchange Organization group.


Now we can run the task to make sure that everything works properly. To help with troubleshooting, we can always check the results of the operation in the folder RollAlternateServiceAccountPassword, which can be found under X:\Exchange-Installation-Folder\V14\Logging


For each run of the script, a couple of log files are generated, and they will help you identify what is going on in the process.
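
One way to confirm that a scheduled rotation actually ran and applied, as an added example (not part of the original post or of the RollAlternateServiceAccountPassword.ps1 script). It assumes it is run from the Exchange Management Shell on a CAS array member, that the monthly schedule described above is in place, and that failures show up in the log as lines containing "error", "fail" or "exception" (the log format is an assumption):

```powershell
# Added example: post-rotation check for the ASA credential.
# $exinstall is defined by the Exchange Management Shell and points at the V14 folder.
$logDir     = Join-Path $exinstall 'Logging\RollAlternateServiceAccountPassword'
$maxAgeDays = 36   # assumption: "first Sunday of the month" runs are at most 35 days apart

# 1. Show which ASA credential each Client Access Server currently holds.
#    Every array member should report the same account with a recent timestamp.
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Format-List Name, AlternateServiceAccountConfiguration

# 2. Find the newest log file written by the script (PowerShell 2.0 compatible).
$latest = Get-ChildItem -Path $logDir |
    Where-Object { -not $_.PSIsContainer } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $latest) {
    Write-Warning "No log files found in $logDir; the task has not run on this server."
}
else {
    # 3. A stale log means the scheduled task stopped running (disabled task,
    #    expired or locked-out task account, and so on).
    $ageDays = ((Get-Date) - $latest.LastWriteTime).TotalDays
    if ($ageDays -gt $maxAgeDays) {
        Write-Warning ("Newest log {0} is {1:N0} days old; check the scheduled task." -f $latest.Name, $ageDays)
    }

    # 4. Scan the newest log for failure keywords (assumed wording, case-insensitive).
    $hits = Select-String -Path $latest.FullName -Pattern 'error|fail|exception'
    if ($hits) {
        Write-Warning "Possible failures in $($latest.Name):"
        $hits | ForEach-Object { "  line {0}: {1}" -f $_.LineNumber, $_.Line.Trim() }
    }
    else {
        "No failure keywords found in $($latest.Name)."
    }
}
```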


Anderson Patricio (Portuguese)
Twitter: @apatricio
