I'm currently reviewing automation opportunities within the day to day administration of a Clustered ONTAP CIFS server.
One of the processes I'm looking to automate is the vserver cifs password-reset operation which updates the password of the vservers computer account in the Active Directory domain.
Any domain admin worht their salt will tell you they perform house keeping on the domain by looking for machine account passwords that have not be changed in X days and deleting those accounts older than X.
The value of X will vary depending on your organizations security and risk profile.
To achieve this account password update in clustered ONTAP you use the vserver cifs password-reset command.
This would appear to map to the new-nccifspassword cmdlet.
However, unlike the CLI which asks you for credentials of a domain user with permissions to reset password on the OU where the computer account resides, the new-nccifspassword cmdlet does not accept such parameters.
On the controller in the log file /mroot/etc/log/mlog/mgwd.log you can see both the ontapi operation and the CLI operation but the ontapi stays at pending and never changes to a success state.
Certain information in the log extracts is masked for obvious reasons.
Actually, the New-NcCifsPassword cmdlet maps to the cifs-password-change API. Which is slightly different. It takes no input parameters and I believe just instructs the machine to generate a new password and update AD.
My CLI example was wrong (note to self: don't try throwing something together at the end of a 14 hour day).
New-NcCifsPassword was the cmdlet I was after as I want the equivalent of 'vserver cifs password change'. In my mind this is the equivalent of the 'cifs changefilerpswd' command in 7-mode.
The Reset-NcCifsPassword cmdlet would come in useful to sync the local machine acocunt password and the domain machine account password, and is a much more elegant solution than having to re-run 'cifs setup' in 7-mode.
The notable behavior in the /mroot/etc/log/mlog/mgwd.log was interesting because it reported pending and never success.
As in most cases there is more than one way to get confirmation that the operation was a sucess so I wrote a short AD query to determine the age of the password on the machine account in the domain.