4

I am creating an automated deployment script (as a bat file). Our applications are mostly Windows services. I plan to use SC CREATE to create the service. The problem is with storing the password as clear text in the script file. Is there any way that I can encrypt the password and pass it to sc create?

Also, is there a way I can skip the username and password and start the service?

MKM

1 Answer

3

I'm assuming this is an internal application, since you know you want to embed credentials rather than let a customer choose them when installing.

In Windows 7/Windows Server 2008 R2 or higher, you can use Managed Service Accounts. These are accounts that, by design, do not have a password that you know. (They act like computer accounts and automatically change their own password periodically.)

You do have to create the accounts, associate them with a computer, and install them onto the computer (three PowerShell commands). The accounts are also not allowed to span multiple computers (until 2012 and gMSAs).

I don't know what you're using for workstation management beyond that batch script, or how many workstations you have, but you might be able to use some kind of environment variable as part of the MSA name for scriptability. In the case of a workstation named SOME-PC with an MSA called SOME-PC-YOURSERVICE, installing the account would be running the PowerShell command Install-ADServiceAccount -Identity SOME-PC-YOURSERVICE on the SOME-PC workstation.

Once the MSA is created and installed on the workstation you won't need to supply a password when you specify the account to run the service.

Katherine Villyard
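The three commands the answer refers to, followed by a password-free `sc.exe create`, as an added example that is not part of the original answer. It assumes the ActiveDirectory PowerShell module from Windows Server 2012 or later (for `-RestrictToSingleComputer` and `Test-ADServiceAccount`); the computer, domain, service and path names are placeholders.

```powershell
# Added example; every name below is a placeholder, not a value from the answer.
$Computer = 'PC01'                               # hypothetical workstation name
$Msa      = "${Computer}-MYSVC"                  # <computer>-<service> pattern; keep it to 15 characters or fewer
$Domain   = 'CONTOSO'                            # placeholder NetBIOS domain name
$Service  = 'MyService'                          # hypothetical service name
$BinPath  = 'C:\Services\MyService\MyService.exe' # hypothetical path (no spaces, to keep sc.exe quoting simple)

# --- Steps 1 and 2: run once by an administrator with rights in Active Directory ---
Import-Module ActiveDirectory

# Create a standalone MSA (bound to one computer, password managed by AD).
New-ADServiceAccount -Name $Msa -RestrictToSingleComputer -Enabled $true

# Associate the MSA with the computer that is allowed to use it.
Add-ADComputerServiceAccount -Identity $Computer -ServiceAccount $Msa

# --- Step 3: run elevated on the workstation itself (needs the AD module there too) ---
Install-ADServiceAccount -Identity $Msa

# Fail the deployment early if the account cannot be used on this host.
if (-not (Test-ADServiceAccount -Identity $Msa)) {
    throw "MSA $Msa is not usable on $env:COMPUTERNAME"
}

# --- Create the service under the MSA ---
# The account name ends in '$' like a computer account. No password= argument
# is passed, so nothing secret is stored in the deployment script.
sc.exe create $Service binPath= $BinPath obj= "$Domain\$Msa`$" start= auto
if ($LASTEXITCODE -ne 0) {
    throw "sc.exe create failed with exit code $LASTEXITCODE"
}

sc.exe start $Service
```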