Reset Expired Domain Admin Password in Azure VM
If you only have one domain admin account set up in a Windows Server domain running in an Azure VM, you might be left struggling to enter a new password when the current one expires. In this Ask the Admin, I’ll show you how to reset a domain account password using an Azure VM extension.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
If like me, you use Azure for testing, you may have come across an issue where a Windows Server domain admin password expires. There’s no way to reset it when it expires. You get the option to log in as another user but the ability to reset the password is not displayed when connecting to the virtual machine using Remote Desktop (RDP). This wouldn’t be a problem provided you have more than one domain administrator account. But in testing scenarios, it’s easy to forget that having only one domain admin account might cause you a problem in the future.
Azure includes a feature for resetting VM administrator passwords in cases where you get accidentally locked out. But it doesn’t support Windows domain controllers because Azure can only reset passwords of the local administrator account that is created when the VM is provisioned. Domain controllers don’t have a local administrator account, so there’s nothing for Azure to reset.
Create a Script to Reset the Domain Admin Account Password
The first step is to create a script to reset the domain administrator password. Open Notepad and save a file with the following command:
net user adadmin NewPassW0rd!
The above net user command will set the password for the account called adadmin. Replace adadmin with the name of your domain administrator account, followed by the desired password. Save the file as passwordreset.ps1 and close Notepad.
Add the Custom Script Extension to a VM
Now that the script is prepared, we can run it on a domain controller using the Azure Custom Script Extension.
- Log in to the Azure management portal here.
- In the panel of services on the left of the portal, click Virtual machines.
- In the list of virtual machines, click the VM that hosts the domain controller.
- Click Start if the VM is not already running. Wait for the VM to start.
- In the VM’s panel, click Extensions under SETTINGS.
- Click + Add to add a new extension to the VM.
- In the New resource panel, click Custom Script Extension.
- In the Custom Script Extension panel, click Create.
- In the Install extension panel, click the Browse icon to the right of the Script file field.
- Select the passwordreset.ps1 file created in the previous steps and click Open.
- Leave the Arguments field blank and click OK.
You will see a notification in the top right of the management portal to indicate that the extension has been created and successfully run. Once you receive the notification, try logging in to the domain controller using the account and password specified in the script file.
Once you’ve successfully logged in, you can remove the extension from the VM. To avoid having to repeat these steps in the future, either create a second domain admin account or set the ‘Password never expires’ flag on the domain administrator account in Active Directory Users and Computers (ADUC).
In this article, I showed you how to reset the password of a domain administrator account in an Azure VM using the Custom Script Extension.
Follow Russell on Twitter @smithrussell.