
Reset Expired Domain Admin Password in Azure VM

If you only have one domain admin account set up in a Windows Server domain running in an Azure VM, you might be left struggling to enter a new password when the current one expires. In this Ask the Admin, I’ll show you how to reset a domain account password using an Azure VM extension.




If, like me, you use Azure for testing, you may have come across an issue where a Windows Server domain admin password expires. There’s no way to reset it once it has expired: when connecting to the virtual machine using Remote Desktop (RDP), you get the option to log in as another user, but the option to reset the password is not displayed. This wouldn’t be a problem provided you have more than one domain administrator account. But in testing scenarios, it’s easy to forget that having only one domain admin account might cause you a problem in the future.

Azure includes a feature for resetting VM administrator passwords in cases where you get accidentally locked out. But it doesn’t support Windows domain controllers because Azure can only reset passwords of the local administrator account that is created when the VM is provisioned. Domain controllers don’t have a local administrator account, so there’s nothing for Azure to reset.

Create a Script to Reset the Domain Admin Account Password

The first step is to create a script to reset the domain administrator password. Open Notepad and save a file with the following command:

net user adadmin NewPassW0rd!

The above net user command will set the password for the account called adadmin. Replace adadmin with the name of your domain administrator account, followed by the desired password. Save the file as passwordreset.ps1 and close Notepad.

Add the Custom Script Extension to a VM

Now that the script is prepared, we can run it on a domain controller using the Azure Custom Script Extension.

  • Log in to the Azure management portal.
  • In the panel of services on the left of the portal, click Virtual machines.
  • In the list of virtual machines, click the VM that hosts the domain controller.
  • Click Start if the VM is not already running. Wait for the VM to start.
  • In the VM’s panel, click Extensions under SETTINGS.
Add an extension to an Azure VM (Image Credit: Russell Smith)
  • Click + Add to add a new extension to the VM.
  • In the New resource panel, click Custom Script Extension.
  • In the Custom Script Extension panel, click Create.
  • In the Install extension panel, click the Browse icon to the right of the Script file field.
  • Select the passwordreset.ps1 file created in the previous steps and click Open.
  • Leave the Arguments field blank and click OK.
Add a custom script extension to an Azure VM (Image Credit: Russell Smith)

You will see a notification in the top right of the management portal to indicate that the extension has been created and successfully run. Once you receive the notification, try logging in to the domain controller using the account and password specified in the script file.

Add a custom script extension to an Azure VM (Image Credit: Russell Smith)

Once you’ve successfully logged in, you can remove the extension from the VM. To avoid having to repeat these steps in the future, either create a second domain admin account or set the ‘Password never expires’ flag on the domain administrator account in Active Directory Users and Computers (ADUC).
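The same procedure driven from the Az PowerShell module instead of the portal, with a check that the extension actually succeeded and the cleanup step. This is an added example, not code from the original article; it assumes Connect-AzAccount has been run and that passwordreset.ps1 is uploaded to a private blob container, and every resource name, account name and password below is a placeholder.

```powershell
# Added example (not from the original article). Assumes Connect-AzAccount has been run;
# all names below are placeholders.
$rg        = 'rg-lab'            # resource group containing the domain controller VM
$vmName    = 'dc01'              # the domain controller VM
$extName   = 'passwordreset'     # extension name; reused when removing it again
$scriptUri = 'https://<storageacct>.blob.core.windows.net/scripts/passwordreset.ps1?<short-lived SAS>'

# 1. Content of passwordreset.ps1. Unlike the bare "net user" one-liner it checks that
#    the account exists first and exits non-zero on failure, so the extension reports an
#    error rather than a false "success". The extension runs as SYSTEM on the DC, which
#    is why no credentials are needed. Treat the password as a one-time value.
$resetScript = @'
$account  = 'adadmin'        # placeholder: your domain admin account
$password = 'NewPassW0rd!'   # placeholder: one-time password, change it after first logon
Import-Module ActiveDirectory -ErrorAction Stop
$null = Get-ADUser -Identity $account -ErrorAction Stop   # throws if the account is missing
net user $account $password
if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
'@
Set-Content -Path .\passwordreset.ps1 -Value $resetScript   # upload this file to $scriptUri

# 2. Make sure the VM is running ("Click Start if the VM is not already running").
$state = (Get-AzVM -ResourceGroupName $rg -Name $vmName -Status).Statuses.Code
if ($state -notcontains 'PowerState/running') {
    Start-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null
}

# 3. Attach the Custom Script Extension (the "+ Add" > Custom Script Extension steps).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Set-AzVMCustomScriptExtension -ResourceGroupName $rg -VMName $vmName -Name $extName `
    -Location $vm.Location -FileUri $scriptUri -Run 'passwordreset.ps1' | Out-Null

# 4. Verify the run (the portal shows this as a notification); a failed script shows
#    up here as a non-succeeded provisioning state or an error status message.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name $extName -Status
"ProvisioningState: $($ext.ProvisioningState)"
$ext.Statuses | ForEach-Object { "$($_.Code): $($_.Message)" }

# 5. Once you have logged in with the new password, remove everything that still holds
#    it in clear text: the extension, the local script copy and the blob behind $scriptUri.
Remove-AzVMCustomScriptExtension -ResourceGroupName $rg -VMName $vmName -Name $extName -Force
Remove-Item .\passwordreset.ps1
# Delete the blob with Remove-AzStorageBlob as well, or at least let its SAS expire.
```

The Custom Script Extension keeps a downloaded copy of the script under C:\Packages\Plugins on the VM, so change the password interactively after the first logon rather than relying on the value in the file.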

In this article, I showed you how to reset the password of a domain administrator account in an Azure VM using the Custom Script Extension.

Follow Russell on Twitter @smithrussell.


Comments (1)

One response to “Reset Expired Domain Admin Password in Azure VM”

  1. ashishc

    Hi Russell,

    looks like azure doesn't support this method anymore for security reasons. I faced a similar issue and tried resetting it with the customscriptextension as mentioned but that failed. What did work for me is adding a local admin remotely via powershell.

    Create a PowerShell script to create a local user and add the user to the local admin group:

    net user userName Password /add

    net localgroup Administrators userName /add


    Set-AzContext -SubscriptionId 'your subscription id'

    Invoke-AzVMRunCommand -ResourceGroupName 'yourResourceGroupName' -Name 'vmName' -CommandId 'RunPowerShellScript' -ScriptPath 'C:\temp\resetPassword.ps1'


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
