Domain Controller in Azure VM with expired password

Came across an interesting situation this morning and thought I would drop the solution I found here in case anyone else needs to figure this out.

Situation:

  • Active Directory Domain Controller in an Azure VM
  • Your admin account has an expired password
  • RDP’ing to the machine tells you the password has expired and must be changed, but the change-password prompt just loops back to the same message, so you never actually get to set a new one.

The first thing you will likely try is the Reset Password option in the Azure portal. It doesn’t work for Domain Controllers (this changed recently … no idea why). You get an error message that says:

VMAccess Extension does not support Domain Controller

At this point you start trying to figure out if there is another admin account you can use to log in with. In my case this was a dev/test AD box and it only had the one admin account on it.

Solution:

Before you go and delete the VM and build a new one, here is a way I found to fix this.

Updated 5/20/2021:  The new way to run PowerShell via the Azure portal (Run Command) makes this really simple.

  • Go to the VM in the Azure portal
  • Click Run Command in the left hand navigation
  • Choose “RunPowerShellScript” from the options
  • Paste in the following command (replace the placeholders with the admin account name and the new password you want to set)

net user <YourAdminUserName> <YourNewPassword>

Then click Run and give the script a little while to finish; when it completes, the password has been reset.
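As an added example (this is the editor's script, not the post's original one-liner and not anything Microsoft ships), here is a fuller version of what to paste into Run Command. It swaps net user for the ActiveDirectory module's Set-ADAccountPassword, which is always present on a DC and does not stop at net user's interactive "password is longer than 14 characters, continue?" prompt, and it prints the account state before and after so the Run Command output tells you whether the reset actually took. The account name azadmin and the temporary password are placeholders; the parameters can also be supplied from the Run Command parameter fields instead of editing the defaults. The same file works unchanged as ResetPassword.ps1 for the extension route described below.

```powershell
# Added example, not the post's original command: reset an expired AD admin
# password from Azure Run Command, which runs this script as LocalSystem on the
# DC. Placeholders: account 'azadmin' and the temporary password below.
param(
    [string]$User        = 'azadmin',
    [string]$NewPassword = 'Tmp-Reset-2021!x9'
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$props = 'Enabled', 'LockedOut', 'PasswordExpired', 'PasswordLastSet'

# Fail loudly if the account does not exist, rather than reporting success.
$before = Get-ADUser -Identity $User -Properties $props
"Before: Enabled=$($before.Enabled) LockedOut=$($before.LockedOut) " +
"PasswordExpired=$($before.PasswordExpired) PasswordLastSet=$($before.PasswordLastSet)"

# -Reset performs an administrative reset: the old (expired) password is not
# needed, which is the whole point here. Unlike 'net user', this never waits on
# the interactive "longer than 14 characters, continue?" prompt, which would
# stall or fail a non-interactive Run Command run.
$secure = ConvertTo-SecureString -String $NewPassword -AsPlainText -Force
Set-ADAccountPassword -Identity $User -Reset -NewPassword $secure

# Clear everything else that produces the RDP "you must change your password"
# loop: a lockout, a disabled account, or a pending must-change flag.
Unlock-ADAccount -Identity $User
Enable-ADAccount -Identity $User
Set-ADUser -Identity $User -ChangePasswordAtLogon $false

$after = Get-ADUser -Identity $User -Properties $props
"After:  Enabled=$($after.Enabled) LockedOut=$($after.LockedOut) " +
"PasswordExpired=$($after.PasswordExpired) PasswordLastSet=$($after.PasswordLastSet)"
```

Two things worth keeping in mind. Run Command executes as LocalSystem on the VM, and on a DC that is effectively full control of the directory: anyone who holds Microsoft.Compute/virtualMachines/runCommand/action on this VM (it is part of the built-in Virtual Machine Contributor role) can reset any domain account's password. That is exactly the power this fix relies on, and it belongs in the threat model of every DC hosted in Azure. Also, the script text is saved on the VM's disk by the Run Command extension (under its folder in C:\Packages\Plugins) and kept in the portal's execution history, so treat the value you set here as a temporary password and change it interactively once you are logged back in.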

Old way to do it: 

You can use the Azure portal and a VM extension to upload and run a script on the machine that resets the password for you. Here is how you do it.

  • Create a script called “ResetPassword.ps1”
  • Add one line to that script

net user <YourAdminUserName> <YourNewPassword>

  • Go to the VM in the Azure portal
  • Go into the Extensions menu for that VM
  • In the top menu pick “Add”
  • Choose the Custom Script extension
  • Click Create
  • Pick your ResetPassword.ps1 script file
  • Click OK

Wait for the extension to be deployed and run. After a while the extension status in the portal will show that provisioning succeeded.

You should be set to RDP into your machine again with the new password you set in the script file.
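Several commenters below report that the portal now wants the script staged in blob storage for the Custom Script extension. As an added example (the editor's code, not the post's or Microsoft's), here is the same push-from-outside approach over Run Command from Az PowerShell, which reads a local file and needs no storage account. It also checks the VM's power state first and inspects stderr, because Run Command reports Succeeded whenever the script ran at all, regardless of what the script did. The subscription ID, resource group rg-lab-ad, VM dc01, local path C:\temp\ResetPassword.ps1, account azadmin and temporary password are all placeholders, and the script is assumed to declare param([string]$User, [string]$NewPassword).

```powershell
# Added example (not from the original post or its comments): push a password
# reset script to the DC with Az PowerShell's Run Command instead of staging
# it in blob storage for the Custom Script extension.
# Placeholders: the subscription ID, resource group, VM name, account name,
# local script path and the temporary password below. The script is assumed
# to declare param([string]$User, [string]$NewPassword).

Connect-AzAccount
Set-AzContext -SubscriptionId '00000000-0000-0000-0000-000000000000'

$rg     = 'rg-lab-ad'
$vm     = 'dc01'
$script = 'C:\temp\ResetPassword.ps1'

# Run Command needs a running VM with a working guest agent; check before pushing.
$power = (Get-AzVM -ResourceGroupName $rg -Name $vm -Status).Statuses |
    Where-Object Code -like 'PowerState/*'
if ($power.Code -ne 'PowerState/running') {
    throw "VM $vm is not running (state: $($power.Code))"
}

# Parameters reach the script as -User/-NewPassword, so the password does not
# have to be edited into the .ps1 file. It still travels in the request and may
# be logged by the Run Command handler on the VM, so use a temporary value and
# change it interactively once you are back in.
$result = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vm `
    -CommandId 'RunPowerShellScript' -ScriptPath $script `
    -Parameter @{ User = 'azadmin'; NewPassword = 'Tmp-Reset-2021!x9' }

# Value[0] is the script's stdout, Value[1] its stderr. The operation status is
# 'Succeeded' whenever the script was executed at all, so the only way to know
# the reset worked is to confirm stderr is empty and read the script's report.
$stdout = $result.Value[0].Message
$stderr = $result.Value[1].Message
if ($result.Status -ne 'Succeeded' -or -not [string]::IsNullOrWhiteSpace($stderr)) {
    throw "Run Command did not complete cleanly (Status=$($result.Status)):`n$stderr"
}
$stdout
```

The account you run this from needs the runCommand action on the VM (Virtual Machine Contributor or higher), which is also the reason to audit who holds that role on any VM that is a domain controller.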

I have no idea why the reset password functionality in Azure decided to exclude AD DCs … but if you get stuck I hope this helps.

-CJ

44 thoughts on “Domain Controller in Azure VM with expired password”

  1. Pingback: Resetting a password when "reset password" doesn't work in the portal. - How to Code .NET

  2. Kevin Suter

    Thanks a lot Chris. This article solved my problem. Although I had to reactivate an account and not reset the password, the process with the extension and the PowerShell script was exactly the same. Cheers, Kevin

  3. Pingback: MS Cloud Show – Episode 240 | New Microsoft Support for Startups along with Azure and SharePoint News - Collab365 Community

  4. Jörg Wilke

    Thanks Chris! This worked perfect for me in a desperate situation!

    Don’t forget to ask for your beer when you are in Germany (Frankfurt area)

    Regards, Jörg

  5. RD

    Just wanted to thank you. Saved me from wiping out my whole lab. Not to mention the countless hours before getting to that point not giving up on finding a solution.

    You’re the man!

  6. eric

    This doesn’t work for me. my script is good but it doesn’t run with admin rights on the VM and fails?

  7. Maneesh

    I tried doing via Custom script extensions of Azure portal, but unable to reset the password.
    net user powershell script

    Could you please confirm if there’s something missing.

  8. Madars Šmits

    Thank you.
    I had similar situation – Dev/Test setup + DC + Single User (Domain Admin) + Expired Password.
    Saved quite a hassle.

  9. Shas

    After promoting a machine to DC can we still use local admins? In my case I cannot even find the local admin in the users list. Neither can I use the local admin userid/pwd to login. Then I found quite a few articles that says after DCPromo the machine doesn’t use local user db. Hence I am getting confused how you were able to login using local account on a DC machine. Could you please clarify?

  10. Mark Diodati

    Great idea! I was locked out of my domain controller, and it saved a lot of time recreating the VM and its configuration.

  11. Mike Boggs

    This did the trick- thank you so much. Microsoft’s support couldn’t help on this one.

  12. Roy

    Simple solution to one hell of a problem. Thank you very much.
    But how did I even get there and how do I prevent this in the future? What causes the password reset to fail on my VM?

  13. Ashish Chettri

    Hi Chris,

    Looks like Azure doesn’t support this method anymore. I faced a similar issue and tried resetting it with the CustomScriptExtension as mentioned, but that failed. What did work for me is adding a local admin remotely via PowerShell.

    Create a PowerShell script to create a local user and add the user to the local admin group:

    # resetPassword.ps1 (runs on the VM via Run Command)
    net user userName Password /add
    net localgroup Administrators userName /add

    # Run from your own machine with the Az module installed
    Connect-AzAccount
    Set-AzContext -SubscriptionId 'your subscription id'
    Invoke-AzVMRunCommand -ResourceGroupName 'yourResourceGroupName' -Name 'vmName' -CommandId 'RunPowerShellScript' -ScriptPath 'C:\temp\resetPassword.ps1'

  14. Mark

    HI ,

    Thanks, saved my day,

    only one addition to what is written above,

    currently azure does not allow using a script from your own machine,

    the script needs to be placed in azure, meaning uploading the file script created to blob storage or similar location in order to reference it as a valid script.

    cheers
    Mark

  15. Nathan A

    Same problem in 2020. The above solution no longer works. Azure is a Beta experience. Bring back traditional infrastructure (and our jobs!!!)

  16. Archie Darcy

    THANK-YOU SO MUCH!!! Just saved me a massive headache! I also had to add the script to the blob storage first but it ran really quickly and I was able to get back into the server via Bastion

  17. Raul

    I executed the command as mentioned above:
    net user
    The output:
    The command completed successfully.

    But when I try to connect via RDP with the new password, the following message appears:
    “Logon attempt failed”
    What is missing? It looked like it had worked.

  18. Red

    Hello,
    If you have a DC and member server joined to your own ADDS (not Azure AD), and you only have access through Bastion (RDP), then you need to run the command on a DC VM and use the syntax:
    NET USER /DOMAIN "username" "newpassword"
    It takes almost 40 sec to run and it works fine.

    Red.

  19. Deeptha Madhuranga

    15/05/2023
    Worked on a Server 2019 DC, like a charm.

    On VM left hand side select Run Command Blade under Operations. Select Run PowerShell Script!

    Thank you!

