Windows Server passwords expire. After some time, your password will be invalid and you will have to “contact your IT administrator” to reset it manually. But what happens when you are the IT administrator?
By default, Windows enforces password expiration. The idea is that you should change your password every now and then (the default maximum password age is only 42 days) to limit the damage a stolen credential can do. That makes sense for a large organization, but if you are just running a single Windows Server machine, it is mostly a nuisance.
Worse yet, if you are new to Windows hosting, you may have missed the expiry warning entirely if you haven’t signed in recently. By default, nothing is configured to notify you when a password is about to expire if you do not log in regularly. This can lock you out of your account completely, leaving a reboot of the server into rescue mode as the only way back in.
Fortunately, it’s easy enough to turn off the feature before it becomes a problem, and if you have already been locked out by password expiration, booting into rescue mode will fix the problem by letting you reset the password, since the reset happens from outside the operating system.
The way to prevent a password from expiring is to disable expiration for that account in the Local Users and Groups console. Open it by searching for lusrmgr.msc in the Start or Run menus.
Click on “Users” and search for your user account. Right click and view the properties, then check “Password never expires” in the settings.
Alternatively, you can do the same from the command line:
wmic UserAccount where Name="username" set PasswordExpires=False
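As an added example (not the article’s own code), the following PowerShell script audits every enabled local account for expiring or already-expired passwords and exempts a named account from expiration with Set-LocalUser, the supported successor to the wmic command above. The function names are my own, and it assumes an elevated session on a system that has the LocalAccounts cmdlets (Windows Server 2016 and later).

```powershell
# Added example (not part of the original article): report which local accounts
# have an expiring or already-expired password, and exempt one account from
# expiration using the LocalAccounts cmdlets instead of the deprecated wmic tool.
# Assumes an elevated PowerShell 5.1+ session on Windows Server 2016 or later.

function Get-LocalPasswordExpiryReport {
    param(
        # Flag accounts whose password expires within this many days.
        [int]$WarnWithinDays = 14
    )
    $now = Get-Date
    foreach ($user in (Get-LocalUser | Where-Object { $_.Enabled })) {
        $expires = $user.PasswordExpires   # $null when "Password never expires" is set
        if (-not $expires) {
            $status = 'never-expires'; $daysLeft = $null
        } else {
            $daysLeft = [math]::Floor(($expires - $now).TotalDays)
            if ($expires -lt $now)                  { $status = 'EXPIRED' }
            elseif ($daysLeft -le $WarnWithinDays)  { $status = 'expiring-soon' }
            else                                    { $status = 'ok' }
        }
        [pscustomobject]@{
            Name      = $user.Name
            LastLogon = $user.LastLogon   # $null if the account has never signed in
            Expires   = $expires
            DaysLeft  = $daysLeft
            Status    = $status
        }
    }
}

function Disable-LocalPasswordExpiry {
    param([Parameter(Mandatory)][string]$Name)
    # Same effect as ticking "Password never expires" in lusrmgr.msc or running
    # the wmic command above, but through the supported cmdlet.
    Set-LocalUser -Name $Name -PasswordNeverExpires $true
    Get-LocalUser -Name $Name | Select-Object Name, PasswordExpires
}

# Usage: review every enabled account first, then exempt only the account you
# rely on for remote access to an unattended server.
Get-LocalPasswordExpiryReport | Sort-Object Expires | Format-Table -AutoSize
# Disable-LocalPasswordExpiry -Name 'Administrator'
```

Running the report on a schedule (or before closing a remote session) is the cheapest way to avoid the silent lockout described above without exempting every account from expiration.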
What to do if you’ve been locked out
If you have been locked out, you will see an error stating “You must change your password before logging in for the first time. Please update your password or contact your system administrator.”
Unfortunately, that means you are locked out unless you can reset the password from somewhere else in your organization. If you have no other way in, those were probably your only credentials for the server.
However, you might not need working RDP credentials. Some server vendors offer direct KVM access, which lets you bypass your remote connection and change the password from the console instead: at an interactive console sign-in Windows allows you to change an expired password, which RDP with Network Level Authentication does not. You should try this first, as it won’t cause any downtime.
Reset with WinPE
You will need to boot the server into a rescue operating system. Many hosting providers offer this; for example, OVH allows you to change the network boot mode to a Windows Preinstallation Environment (WinPE). This lets you use tools like NTPWEdit to edit the SAM hive directly.
To use it, open the SAM file (found under \Windows\System32\config on the system drive), unlock the user you want to change and click “Change Password”. Enter the new password twice and click “Save changes”.
Reset with Linux and chntpw
Alternatively, you may be given a Linux-based rescue system such as rescue64-pro. In this case, you will have to mount the Windows drive and modify the SAM hive manually with chntpw.
List the disks, then mount the Windows partition (sda4 in this example; pick the NTFS partition that actually holds \Windows from the fdisk output):
fdisk -l
mount /dev/sda4 /mnt
Navigate to the location of the SAM file, list the accounts it contains, then open the one you want to edit (chntpw -l only lists users, so the second command does the actual editing):
cd /mnt/Windows/System32/config
chntpw -l SAM
chntpw -u username SAM
Then follow the prompts to clear your account password (option 1, “Clear (blank) user password”) and answer yes when chntpw asks whether to write the hive files back to disk.
Reboot into Windows, log back in with the now-blank password and immediately replace it with a secure one. Note that by default Windows only permits local accounts with a blank password to sign in at the console, not over the network, so do this first sign-in through the KVM or console session rather than RDP.