Last Update: Sep 04, 2024 | Published: Jun 06, 2018
If you only have one domain admin account set up in a Windows Server domain running in an Azure VM, you might be left struggling to enter a new password when the current one expires. In this Ask the Admin, I’ll show you how to reset a domain account password using an Azure VM extension.
If, like me, you use Azure for testing, you may have come across an issue where a Windows Server domain admin password expires. There’s no way to reset it once it has expired: you get the option to log in as another user, but the option to reset the password is not displayed when connecting to the virtual machine using Remote Desktop (RDP). This wouldn’t be a problem provided you have more than one domain administrator account. But in testing scenarios, it’s easy to forget that having only one domain admin account might cause you a problem in the future.
Azure includes a feature for resetting VM administrator passwords in cases where you get accidentally locked out. But it doesn’t support Windows domain controllers because Azure can only reset passwords of the local administrator account that is created when the VM is provisioned. Domain controllers don’t have a local administrator account, so there’s nothing for Azure to reset.
The first step is to create a script to reset the domain administrator password. Open Notepad and save a file with the following command:
net user adadmin NewPassW0rd!
The above net user command will set the password for the account called adadmin. Replace adadmin with the name of your domain administrator account, followed by the desired password. Save the file as passwordreset.ps1 and close Notepad.
Now that the script is prepared, we can run it on a domain controller using the Azure Custom Script Extension.
You will see a notification in the top right of the management portal to indicate that the extension has been created and successfully run. Once you receive the notification, try logging in to the domain controller using the account and password specified in the script file.
Once you’ve successfully logged in, you can remove the extension from the VM. To avoid having to repeat these steps in the future, either create a second domain admin account or set the ‘Password never expires’ flag on the domain administrator account in Active Directory Users and Computers (ADUC).
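The same reset can be driven from an administrator workstation with Az PowerShell instead of the portal. The following is an added example, not code from the original article; it assumes a resource group named rg-lab, a domain controller VM named dc01 in westeurope and the account name adadmin. It passes the command through the extension’s protectedSettings rather than a script file, so the password is neither stored in a blob nor shown in the VM’s extension properties, and it removes the extension afterwards as the article recommends.

```powershell
# Added example (not the article's own code). Assumed names: rg-lab, dc01,
# westeurope, adadmin. Requires the Az module and an existing Connect-AzAccount session.
$rg       = 'rg-lab'        # assumption
$vmName   = 'dc01'          # assumption: the domain controller VM
$location = 'westeurope'    # assumption: must match the VM's region
$account  = 'adadmin'       # domain admin account to reset, as in the article
$extName  = 'ResetAdminPassword'

# Prompt for the password so it is never saved in a .ps1 file or in shell history.
# Avoid single quotes in this temporary password; it is quoted with them below.
$secure = Read-Host -Prompt "Temporary password for $account" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Same 'net user' reset as the article. 'y' on stdin answers the confirmation
# net.exe asks for when a password is longer than 14 characters, which would
# otherwise hang a non-interactive run. Single quotes keep it as one argument.
$script  = "'y' | net user $account '$plain'"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
$plain   = $null

# protectedSettings are encrypted for the VM and are not returned when the
# extension is read back, unlike Settings/fileUris. -EncodedCommand sidesteps
# cmd.exe quoting problems; expect your EDR to flag the encoded command on the DC.
$protected = @{
    commandToExecute = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand $encoded"
}

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name $extName -Publisher 'Microsoft.Compute' -ExtensionType 'CustomScriptExtension' `
    -TypeHandlerVersion '1.10' -ProtectedSettings $protected

# Check the handler's result before trying RDP with the new password.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name $extName -Status
$ext.ProvisioningState
$ext.Statuses | Select-Object Code, DisplayStatus, Message

# Once you are logged in: remove the extension so the reset cannot be re-run on a
# redeploy, change the password again, and create a second domain admin account.
Remove-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name $extName -Force
```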
In this article, I showed you how to reset the password of a domain administrator account in an Azure VM using the Custom Script Extension.
Follow Russell on Twitter @smithrussell.