If you're managing Windows servers or workstations with scheduled tasks running under service accounts, you've probably faced the tedious process of updating passwords when they expire or need to be rotated for security compliance. Manually going through each scheduled task to update the stored credentials is time-consuming and error-prone, especially when you have dozens of tasks across multiple systems.
I've created a PowerShell script that automates this entire process, making password rotation for scheduled tasks a breeze.
Considered gMSA?
if you indeed are using service accounts, you may wish to consider gMSA - this is a service account where you do not have to deal with passwords as Active Directory takes care of that for you - it will also generate the 240 character random password that will automatically be recycled every 30 days……This is usually quite A handy but under utilize feature with Active Directory - if you’re interested in in exploring gMSA try the article here
Important Note: Using Personal Accounts vs Service Accounts
While this script is designed primarily for service accounts, I know that sometimes people use their own personal accounts to run scheduled tasks. This is not recommended - tasks should always run with least privileged service accounts for security best practices.
However, if you find yourself in this situation where your scheduled tasks are running under your personal account, be very careful about timing when you update your password. Here's why:
The Account Lockout Risk
When you change your personal account password, any scheduled tasks using the old password will immediately start failing authentication. Depending on your organization's account lockout policy and the frequency of your scheduled tasks, you could face a serious problem:
- High-frequency tasks (running every few minutes) will quickly consume your allowed failed login attempts
- Your account could get locked out before you have a chance to run the password update script
- You'll be locked out of your workstation and unable to fix the problem
Critical Step: Stop Running Tasks First
If you're using your personal account for scheduled tasks and need to update your password:
- Identify all frequently-running tasks (those that run every few minutes or hours)
- Temporarily disable or stop these tasks before changing your password
- Change your password
- Run the script immediately to update all task credentials
- Re-enable the tasks once the script completes successfully
This prevents the authentication failures that could lock you out. You can identify high-frequency tasks by looking at their trigger schedules in Task Scheduler or by noting which ones appear in the script's task list with short intervals.
Better Long-Term Solution
If you're currently using personal accounts for scheduled tasks, consider this password rotation as an opportunity to migrate to dedicated service accounts. Service accounts:
- Don't have interactive login rights (more secure)
- Have passwords that don't expire or change frequently
- Follow the principle of least privilege
- Won't lock you out of your workstation when they fail
The Problem : Password Rotation and Scheduled Tasks
When service account passwords need to be updated, every scheduled task using that account must have its stored credentials updated. The traditional approach involves:
- Opening Task Scheduler
- Finding each task that uses the service account
- Editing the task properties
- Navigating to the "General" tab
- Clicking "Change User or Group"
- Re-entering the password
- Saving the task
- Repeating for every single task
This manual process becomes a nightmare when you have multiple service accounts and numerous scheduled tasks.
The Solution : Scripted Update
My PowerShell script automatically discovers all scheduled tasks running under a specified service account and updates their passwords in bulk. The script provides several key features:
How It Works
The script follows this workflow:
- Account Selection: Specify the service account either via command line parameter or interactive menu
- Task Discovery: Scans all scheduled tasks to find matches for the specified account
- Filtering: Optionally filters to show only user-created tasks (excluding Microsoft/system tasks)
- Preview: Displays all tasks that will be updated
- Confirmation: Asks for user confirmation before proceeding
- Credential Input: Prompts for the new password using a secure credential dialog
- Bulk Update: Updates all matching tasks with the new credentials
- Summary Report: Shows success/failure count and details
Usage Examples
Interactive Mode
.\UpdateTaskPasswords.ps1
This launches an interactive menu where you can choose how to specify the service account and filtering options.
Command Line with Specific Account
# Update all tasks for a specific service account
.\UpdateTaskPasswords.ps1 -TargetUser "domain\serviceaccount"
# Update only user-created tasks for the account
.\UpdateTaskPasswords.ps1 -TargetUser "domain\serviceaccount" -OnlyUserCreated
Using Current User Account
# Update tasks for your own account
.\UpdateTaskPasswords.ps1 -TargetUser "$env:USERDOMAIN\$env:USERNAME"
Sample Output
When you run the script, you'll see output like this:
=== Scheduled Task Password Update Script ===
Target User Account: domain\serviceaccount
Filter: User-created tasks only
Searching for scheduled tasks running under account: domain\serviceaccount...
Filtering for user-created tasks only...
Found 5 user-created scheduled task(s) running under account: domain\serviceaccount
Tasks to be updated:
• \DataBackup\NightlyBackup (State: Ready)
• \Maintenance\LogCleanup (State: Ready)
• \Reports\WeeklyReport (State: Disabled)
• \UserScripts\DatabaseSync (State: Ready)
• \CustomTasks\FileTransfer (State: Running)
Do you want to proceed with updating passwords for these tasks? (Y/N): y
Updating scheduled task passwords...
Updating task: \DataBackup\NightlyBackup
✓ Successfully updated: \DataBackup\NightlyBackup
Updating task: \Maintenance\LogCleanup
✓ Successfully updated: \Maintenance\LogCleanup
...
=== Update Summary ===
Successfully updated: 5 tasks
Failed to update: 0 tasks
Total tasks processed: 5
Password update completed! The scheduled tasks should now run with the new credentials.This script has saved me countless hours when managing service account password rotations. Instead of manually updating dozens of scheduled tasks across multiple servers, I can now:
- Update all tasks for a service account in under a minute
- Reduce human error from manual password entry
- Ensure consistent password updates across all tasks
- Generate reports showing which tasks were successfully updated
The script is particularly valuable in enterprise environments where service account password rotation is a regular security requirement. It transforms a tedious, error-prone manual process into a quick, reliable automated operation.
Conclusion
Managing scheduled task credentials doesn't have to be a painful manual process. This PowerShell script automates the entire workflow, making service account password rotation efficient and reliable. Whether you're managing a handful of tasks or hundreds across multiple systems, this tool will save you significant time and reduce the risk of missed updates.
Save the script, run it whenever you need to rotate service account passwords, and never manually update scheduled task credentials again!