Came across an interesting situation this morning and thought I would drop the solution I found here in case anyone else needs to figure this out.
Situation:
- Active Directory Domain Controller in an Azure VM
- Your admin account has an expired password
- RDP’ing to the machine says your password is expired and you need to set a new one, but it keeps sending you around in a circle: you must update the password, yet it never lets you.
The first thing you will likely try is the Reset Password option in the Azure portal. It doesn't work for Domain Controllers (this changed recently). That is consistent with how the portal reset works: it is done by the VMAccess extension, which edits the machine's local accounts, and after promotion a DC no longer has a local account database for ordinary users (the only local account left is the DSRM administrator). You get an error message that says:
VMAccess Extension does not support Domain Controller
At this point you start trying to figure out if there is another admin account you can log in with. In my case this was a dev/test AD box and it only had the one admin account on it.
Solution:
Before you delete the VM and build a new one, here is a way to fix this.
Updated 5/20/2021: The Run Command blade in the Azure portal makes this really simple.
- Go to the VM in the Azure portal
- Click Run Command in the left-hand navigation
- Choose “RunPowerShellScript” from the options
- Paste in the following PowerShell (replace the username and the password you want to set)
net user <YourAdminUserName> <YourNewPassword>
Then click Run. The script takes a little while; once it reports that it completed, the password has been reset.
Two things worth knowing before you do this. First, the script runs as SYSTEM on the DC, and because a DC keeps no local SAM for ordinary users, net user here changes the domain account (no /DOMAIN switch is needed). Second, anyone who can run commands on the VM through Azure (Virtual Machine Contributor or any role with Microsoft.Compute/virtualMachines/runCommand/action) can do exactly the same thing, so on a DC that Azure role is effectively Domain Admin. The new password also passes through the portal and the extension in plain text, so change it again interactively once you are back in.
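The one-liner above does the job, but it tells you nothing when it fails. The script below is an added example (it is not the post's own code) that does the same reset with the checks a practitioner wants: it confirms the machine really is a DC, confirms the account exists, answers the net.exe prompt for long passwords, re-enables and unlocks the account, and prints the fields that prove the change took. The two parameter defaults are placeholders; the ActiveDirectory module is assumed to be present on a DC (it ships with the AD DS role) and is skipped elsewhere.

```powershell
<#
  Added example, not the one-liner from the post. Paste it into
  Run Command > RunPowerShellScript (fill in the two defaults) or push it
  with Invoke-AzVMRunCommand and
  -Parameter @{ UserName = '...'; NewPassword = '...' }.
  It executes as SYSTEM on the VM. Both defaults are placeholders.
#>
param(
    [string]$UserName    = 'YourAdminUserName',
    [string]$NewPassword = 'YourNewPassword'
)

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
# After promotion a DC has no local SAM for ordinary users (only the DSRM
# administrator), so "net user" on a DC already acts on the domain account.
# /DOMAIN is added on a DC to make the target explicit; on a member server
# or standalone VM the script falls back to the local account instead.
$role  = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$scope = @()
if ($role -ge 4) { $scope = @('/DOMAIN') }
Write-Output "DomainRole=$role, target scope: $(if ($scope) { 'domain' } else { 'local' })"

# Refuse to continue if the account does not exist, so a typo in the name
# shows up here instead of as yet another failed RDP logon.
net user $UserName @scope > $null
if ($LASTEXITCODE -ne 0) {
    Write-Output "Account '$UserName' was not found (net user exit code $LASTEXITCODE)."
    exit 1
}

# Reset the password. Piping "Y" answers the confirmation net.exe asks for
# when the password is longer than 14 characters, a prompt that cannot be
# answered interactively under Run Command.
'Y' | net user $UserName $NewPassword @scope > $null
if ($LASTEXITCODE -ne 0) {
    Write-Output "Password reset failed (exit code $LASTEXITCODE). On a DC the value must satisfy the domain password policy."
    exit 1
}

# An expired password often travels with a disabled or locked-out account,
# and either one keeps RDP failing even after a successful reset.
net user $UserName /active:yes @scope > $null
if ($role -ge 4 -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Import-Module ActiveDirectory
    Unlock-ADAccount -Identity $UserName
}

# Prove the change took: the account is active and the password timestamps
# moved to now. These are the lines to read in the Run Command output pane.
net user $UserName @scope | Select-String -Pattern 'Account active|Password last set|Password expires'
```

In the output pane, "Account active Yes" together with a "Password last set" of a moment ago means the reset went through; a non-zero exit code with the policy message means the new value was rejected by the domain's password policy, not by Azure.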
Old way to do it:
You can use the Azure portal and a VM extension to upload and run a script on the machine that resets the password for you. Here is how you do it.
- Create a script called “ResetPassword.ps1”
- Add one line to that script
net user <YourAdminUserName> <YourNewPassword>
- Go to the VM in the azure portal
- Go into the extensions menu for that VM
- In the top menu pick “Add”
- Choose the Custom Script extension
- Click Create
- Pick your ResetPassword.ps1 script file
- Click OK
Wait for the extension to be deployed and run. After a while the extension's status in the portal will show that provisioning succeeded.
You should now be able to RDP into your machine with the new password you set in the script file. Keep in mind that the script, plain-text password included, is downloaded onto the VM under C:\Packages\Plugins and the extension stays attached to the VM afterwards, so remove the extension and change the password again once you are back in.
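Both routes above are portal click-throughs. The following is an added example, not code from the post, that drives the Run Command route from an administrator's workstation with the Az PowerShell module (Az.Accounts and Az.Compute), pushing a ResetPassword.ps1 like the one-line script in the steps above and reading back what it printed on the VM. It also checks that the VM is running first, because Run Command is delivered by the guest agent. The subscription ID, resource group, VM name and script path are placeholders.

```powershell
<#
  Added example, not from the original post. Runs on an administrator's
  workstation with the Az module installed and pushes ResetPassword.ps1
  (the "net user <user> <password>" one-liner) through Run Command, then
  reads the script's stdout/stderr back from the result object.
  All four values below are placeholders.
#>
$SubscriptionId = '00000000-0000-0000-0000-000000000000'
$ResourceGroup  = 'rg-lab-ad'
$VMName         = 'dc01'
$ScriptPath     = 'C:\temp\ResetPassword.ps1'

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Run Command is executed by the guest agent inside the VM, so the VM has
# to be running; a deallocated VM just makes the call fail later.
$view  = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName -Status
$power = ($view.Statuses | Where-Object { $_.Code -like 'PowerState/*' }).DisplayStatus
if ($power -ne 'VM running') {
    throw "VM '$VMName' is '$power'; start it before running a command in it."
}

# This call needs Microsoft.Compute/virtualMachines/runCommand/action, which
# Virtual Machine Contributor holds. On a domain controller that permission
# is therefore as powerful as Domain Admin: treat the role accordingly.
$result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VMName `
    -CommandId 'RunPowerShellScript' -ScriptPath $ScriptPath

# Value[0] carries the script's stdout, Value[1] its stderr, as run on the VM.
$stdout = $result.Value[0].Message
$stderr = $result.Value[1].Message
Write-Output $stdout
if ($stderr) { Write-Warning $stderr }

# net.exe reports success on stdout; anything else means the password was
# not changed (wrong account name, policy violation, ...) and RDP will keep failing.
if ($stdout -notmatch 'The command completed successfully') {
    throw 'The script ran but net user did not report success; see the output above.'
}
```

The script file on the workstation holds the new password in plain text, so delete it after the run and, as with the portal route, change the password again once you are logged in.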
Whatever the reason the portal's reset password feature excludes AD DCs, if you get stuck I hope this helps.
-CJ
Pingback: Resetting a password when "reset password" doesn't work in the portal. - How to Code .NET
You saved my day.
Thanks a lot Chris. This article solved my problem. Although I had to reactivate an account and not reset the password, the process with the extension and the PowerShell script was exactly the same. Cheers, Kevin
Pingback: MS Cloud Show – Episode 240 | New Microsoft Support for Startups along with Azure and SharePoint News - Collab365 Community
Hello Chris,
Thanks, it’s the right solution and it saves time.
Amazing! Worked like a charm, thank you! <3
Dude, you are awesome! I had this exact issue and I’m now back in 🙂
Thanks Chris! This worked perfect for me in a desperate situation!
Don’t forget to ask for your beer when you are in Germany (Frankfurt area)
Regards, Jörg
Just wanted to thank you. Saved me from wiping out my whole lab. Not to mention the countless hours before getting to that point not giving up on finding a solution.
You’re the man!
OMG you saved me, you really really saved me.
This works! Perfect! Thanks a lot
This doesn’t work for me. My script is good but it doesn’t run with admin rights on the VM and fails?
You my friend, are a LEGEND. I can’t tell you how grateful I am. Cheers.
I tried doing it via the Custom Script extension in the Azure portal, but was unable to reset the password.
net user powershell script
Could you please confirm if there’s something missing.
net user
Thank you.
I had similar situation – Dev/Test setup + DC + Single User (Domain Admin) + Expired Password.
Saved quite a hassle.
After promoting a machine to DC can we still use local admins? In my case I cannot even find the local admin in the users list. Neither can I use the local admin userid/pwd to login. Then I found quite a few articles that says after DCPromo the machine doesn’t use local user db. Hence I am getting confused how you were able to login using local account on a DC machine. Could you please clarify?
You Sir have saved me an awful amount of time. I was ready to rebuild my ad.
Thank you so much.
Wow, thanks a million. That was quick and straight.
Ty Ty Ty!
Kudos to you!
Great idea! I was locked out of my domain controller, and it saved a lot of time recreating the VM and its configuration.
Thank you so much for this solution! Really saved me a significant amount of work.
This did the trick- thank you so much. Microsoft’s support couldn’t help on this one.
You sir, are a genius!
Thank you!
Solved a months old problem in 5 minutes 🙂
You sir, are a genius. Saved my day.
This is exactly what I needed! Thank you! Your post was the first one that came up in my search.
Simple solution to one hell of a problem. Thank you very much.
But how did I even get there and how do I prevent this in the future? What causes the password reset to fail on my VM?
Hi Chris,
Looks like Azure doesn’t support this method anymore. I faced a similar issue and tried resetting it with the CustomScriptExtension as mentioned but that failed. What did work for me is adding a local admin remotely via PowerShell.
Create a PowerShell script to create a local user and add the user to the local Administrators group:
net user userName Password /add
net localgroup Administrators userName /add
# Then, from your workstation with the Az module installed, run the script on the VM:
Connect-AzAccount
Set-AzContext -SubscriptionId 'your subscription id'
Invoke-AzVMRunCommand -ResourceGroupName 'yourResourceGroupName' -VMName 'vmName' -CommandId 'RunPowerShellScript' -ScriptPath 'C:\temp\resetPassword.ps1'
Great one… thanks for the solution, Chris!!
Thanks a lot, saved the day in my test lab!
Hi,
Thanks, saved my day.
Only one addition to what is written above: currently Azure does not allow using a script from your own machine; the script needs to be placed in Azure, meaning uploading the script file you created to blob storage or a similar location in order to reference it as a valid script.
Cheers
Mark
Thanks Mark and Chris.
This worked for me by using the Blob storage and adding the custom script
Same problem in 2020. The above solution no longer works. Azure is a Beta experience. Bring back traditional infrastructure (and our jobs!!!)
THANK-YOU SO MUCH!!! Just saved me a massive headache! I also had to add the script to the blob storage first but it ran really quickly and I was able to get back into the server via Bastion
Life saver. Saved me hours.
Life Saving !!!!! Thank you so much
I executed the command as mentioned above:
net user
The output:
The command completed successfully.
But when I try to connect via RDP with the new password, the following message appears:
“Logon attempt failed”
What is missing? It looked like it had worked.
this saved me today, thank you!
Hello,
if you have a DC and a member server joined to your own ADDS (not Azure AD), and you only have access through Bastion (RDP), then you need to run the command on a DC VM and use the syntax:
NET USER /DOMAIN “username” “newpassword”
It takes almost 40 sec to run and it works fine.
Red.
Thank a lot, this article save my day !!!
I certainly owe you a few drinks my friend!!
This post is still helping lives in 2022.
Thank you Chris
15/05/2023
Worked on a Server 2019 DC, like a charm.
On VM left hand side select Run Command Blade under Operations. Select Run PowerShell Script!
Thank you!