Windows Server passwords expire. After a while, your password will be invalid and you will need to “contact your IT administrator” to reset it manually. But what happens when you are the IT administrator?
By default, Windows installations have password expiration enabled. The idea is that you should change your password every so often (the default is only 42 days) to minimize the impact of a security breach. This is a good idea for large organizations, but if you’
Worse, if you’re new to Windows hosting, you may have missed the expiration prompt if you haven’t logged in recently. Nothing is set by default to warn you if you do not log in regularly. This can even lock you out of your account completely, forcing you to reboot the server into rescue mode.
Fortunately, it’s fairly easy to disable the feature before it becomes a problem, and if you were locked out by password expiration, booting into rescue mode will solve the problem by allowing you to reset the password from outside the operating system.
The way to prevent passwords from expiring is simply to disable expiration from the Local Users and Groups console. Open it by searching for lusrmgr.msc in the Start menu or the Run dialog.
Click on “Users” and find your user account. Right-click it, open Properties, and check “Password never expires” in the account settings.
You can also do this manually from the command line:
wmic UserAccount where Name="username" set PasswordExpires=False
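The wmic one-liner above flips the flag for one account but gives you no view of which accounts are about to expire, which is exactly the warning the article says Windows never sends. The following PowerShell script is an added example, not code from the original article: it audits every enabled local account (using the built-in Microsoft.PowerShell.LocalAccounts module shipped with Windows 10 / Server 2016 and later), flags passwords that are expired or expiring within a chosen number of days, and optionally exempts one account from expiration with Set-LocalUser, the supported equivalent of the wmic command. The account name 'username' and the 7-day threshold are placeholders; Set-LocalUser needs an elevated prompt.

```powershell
# Added example (not from the original article): audit local accounts for
# password expiry and, optionally, exempt one account from expiration.
# Assumes the built-in Microsoft.PowerShell.LocalAccounts module and an
# elevated prompt. 'username' below is a placeholder account name.
param(
    [string]$ExemptAccount = '',   # e.g. 'username'; leave empty to audit only
    [int]$WarnDays = 7             # placeholder warning threshold in days
)

$now = Get-Date

# Build one row per enabled local account. PasswordExpires is $null when
# "Password never expires" is set, so a $null here means the account is safe.
$report = Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    $expires = $_.PasswordExpires
    $daysLeft = if ($null -eq $expires) { $null } else { [math]::Round(($expires - $now).TotalDays, 1) }
    $status = if ($null -eq $expires)        { 'never expires' }
              elseif ($daysLeft -lt 0)       { 'EXPIRED' }
              elseif ($daysLeft -le $WarnDays) { 'expiring soon' }
              else                           { 'ok' }
    [pscustomobject]@{
        Name            = $_.Name
        PasswordLastSet = $_.PasswordLastSet
        PasswordExpires = $expires
        DaysLeft        = $daysLeft
        Status          = $status
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Exempt a single account from expiration. This has the same effect as the
# lusrmgr.msc checkbox and the wmic command in the article.
if ($ExemptAccount) {
    Set-LocalUser -Name $ExemptAccount -PasswordNeverExpires $true
    # Confirm: PasswordExpires should now be empty for that account
    Get-LocalUser -Name $ExemptAccount | Select-Object Name, PasswordExpires
}
```

Run it with no arguments first to see the current state; `net accounts` will separately show the machine's “Maximum password age” that produced the expiry dates. If you would rather keep expiration enabled, scheduling the audit part of this script to run weekly and mail or log the “expiring soon” rows gives you the warning Windows does not provide, and it costs nothing in security compared with turning expiration off.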
What to do if you are already locked out?
If you’ve already been locked out, you may get an error message that reads “You must change your password before logging in for the first time. Please update your password or contact your system administrator.”
Unfortunately, that means you’re probably locked out unless you can reset the password elsewhere in your organization. If you don’t have access from outside, it may have invalidated your only login credentials for the server.
However, you may not need RDP credentials. Some server providers offer direct KVM access, allowing you to bypass the remote login and change the password from the console. Try this first, as it will not cause any downtime.
Reset with Win PE
You must boot the server into a rescue operating system. Many providers offer this option. For example, OVH lets you change the netboot mode to a Windows Preinstallation Environment (Win PE), which allows you to use tools like NTPWEdit to modify the SAM file directly.
To use it, open the SAM file, unlock the user you want to change, and click ‘Change password’. Enter the new password twice and click ‘Save changes’.
Resetting with Linux and chntpw
Alternatively, you could use a Linux-based rescue system such as rescue64-pro. In this case, you need to mount the Windows drive and change the password manually with chntpw.
List the drives and mount the main Windows partition (here /dev/sda4; check the fdisk output for yours):
fdisk -l
mount /dev/sda4 /mnt
Navigate to the location of the SAM file and run chntpw on it. The -l option lists the accounts in the SAM file; -i opens the interactive menu:
cd /mnt/Windows/System32/config
chntpw -l SAM
chntpw -i SAM
Then follow the prompts to clear the password for your account.
You then need to log in with the empty password and change it to something more secure.