title | description | services | documentationcenter | author | manager | ms.service | ms.collection | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author | ms.custom |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reset a local Windows password without Azure agent |
How to reset the password of a local Windows user account when the Azure guest agent is not installed or functioning on a VM |
virtual-machines |
genlin |
dcscontentpm |
virtual-machines |
windows |
troubleshooting |
vm-windows |
infrastructure-services |
04/25/2019 |
genli |
sap:Cannot connect to my VM |
You can reset the local Windows password of a VM in Azure using the Azure portal or Azure PowerShell provided the Azure guest agent is installed. This method is the primary way to reset a password for an Azure VM. If you encounter issues with the Azure guest agent not responding, or failing to install after uploading a custom image, you can manually reset a Windows password. This article details how to reset a local account password by attaching the source OS virtual disk to another VM. The steps described in this article do not apply to Windows domain controllers.
Warning
Only use this process as a last resort. Always try to reset a password using the Azure portal or Azure PowerShell first.
The core steps for performing a local password reset for a Windows VM in Azure when there is no access to the Azure guest agent is as follows:
- Stop the affected VM.
- Create a snapshot for the OS disk of the VM.
- Create a copy of the OS disk from the snapshot.
- Attach and mount the copied OS disk to another Windows VM, then create some config files on the disk. The files will help you to reset the password.
- Unmount and detach the copied OS disk from the troubleshooting VM.
- Swap the OS disk for the affected VM.
Note
The steps do not apply to Windows domain controllers. It only works on standalone server or a server that is a member of a domain.
Always try to reset a password using the Azure portal or Azure PowerShell before trying the following steps. Make sure you have a backup of your VM before you start.
-
Take a snapshot for the OS disk of the affected VM, create a disk from the snapshot, and then attach the disk to a troubleshoot VM. For more information, see Troubleshoot a Windows VM by attaching the OS disk to a recovery VM using the Azure portal.
-
Connect to the troubleshooting VM using Remote Desktop.
-
Create
gpt.ini
in\Windows\System32\GroupPolicy
on the source VM's drive (if gpt.ini exists, rename to gpt.ini.bak):[!WARNING] Make sure that you do not accidentally create the following files in C:\Windows, the OS drive for the troubleshooting VM. Create the following files in the OS drive for your source VM that is attached as a data disk.
Add the following lines into the
gpt.ini
file you created:[General] gPCFunctionalityVersion=2 gPCMachineExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}] Version=1
:::image type="content" source="media/reset-local-password-without-agent/create-gpt-ini.png" alt-text="Screenshot shows the updates made to the gpt.ini file.":::
-
Create
scripts.ini
in\Windows\System32\GroupPolicy\Machine\Scripts\
. Make sure hidden folders and file name extensions are shown. If needed, create theMachine
orScripts
folders.Add the following lines the
scripts.ini
file you created:[Startup] 0CmdLine=FixAzureVM.cmd 0Parameters=
:::image type="content" source="media/reset-local-password-without-agent/create-scripts-ini.png" alt-text="Screenshot shows the updates made to the script.ini file.":::
-
Create
FixAzureVM.cmd
in\Windows\System32\GroupPolicy\Machine\Scripts\Startup\
with the following contents, replacing<username>
and<newpassword>
with your own values:net user <username> <newpassword> /add /Y net localgroup administrators <username> /add net localgroup "remote desktop users" <username> /add
:::image type="content" source="media/reset-local-password-without-agent/create-fixazure-cmd.png" alt-text="Screenshot shows the newly created FixAzureVM.cmd file where you update the username and password.":::
You must meet the configured password complexity requirements for your VM when defining the new password.
-
In Azure portal, detach the disk from the troubleshooting VM.
-
After the new VM is running, connect to the VM using Remote Desktop with the new password you specified in the
FixAzureVM.cmd
script. -
From your remote session to the new VM, remove the following files to clean up the environment:
- From %windir%\System32\GroupPolicy\Machine\Scripts\Startup
- remove FixAzureVM.cmd
- From %windir%\System32\GroupPolicy\Machine\Scripts
- remove scripts.ini
- From %windir%\System32\GroupPolicy
- remove gpt.ini (if gpt.ini existed before, and you renamed it to gpt.ini.bak, rename the .bak file back to gpt.ini)
- From %windir%\System32\GroupPolicy\Machine\Scripts\Startup
[!INCLUDE classic-vm-deprecation]
Note
The steps do not apply to Windows domain controllers. It only works on standalone server or a server that is a member of a domain.
Always try to reset a password using the Azure portal or Azure PowerShell before trying the following steps. Make sure you have a backup of your VM before you start.
-
Delete the affected VM in Azure portal. Deleting the VM only deletes the metadata, the reference of the VM within Azure. The virtual disks are retained when the VM is deleted:
-
Select the VM in the Azure portal, then click Delete:
:::image type="content" source="media/reset-local-password-without-agent/delete-vm.png" alt-text="Screenshot shows the Delete button in an existing Classic VM page.":::
-
-
Attach the source VM's OS disk to the troubleshooting VM. The troubleshooting VM must be in the same region as the source VM's OS disk (such as
West US
):-
Select the troubleshooting VM in the Azure portal. Click Disks | Attach existing:
:::image type="content" source="media/reset-local-password-without-agent/attach-existing.png" alt-text="Screenshot shows the Attach existing button of the troubleshooting VM.":::
-
Select VHD File and then select the storage account that contains your source VM:
:::image type="content" source="media/reset-local-password-without-agent/select-storage-account.png" alt-text="Screenshot shows the location to select storage account.":::
-
Check the box marked Show classic storage accounts, then select the source container. The source container is typically vhds:
:::image type="content" source="media/reset-local-password-without-agent/show-classic-storage-accounts.png" alt-text="Screenshot shows the Show classic storage accounts option is cleared.":::
:::image type="content" source="media/reset-local-password-without-agent/select-container-vhds.png" alt-text="Screenshot shows the vhds is selected as storage container.":::
-
Select the OS vhd to attach. Click Select to complete the process:
:::image type="content" source="media/reset-local-password-without-agent/select-source-vhd.png" alt-text="Screenshot shows the selected source virtual disk.":::
-
Click Ok to attach the disk
:::image type="content" source="./media/reset-local-password-without-agent/attach-okay.png" alt-text="Screenshot shows the Attach existing disk page, at the bottom of which, there's an OK button.":::
-
-
Connect to the troubleshooting VM using Remote Desktop and ensure the source VM's OS disk is visible:
-
Select the troubleshooting VM in the Azure portal and click Connect.
-
Open the RDP file that downloads. Enter the username and password of the troubleshooting VM.
-
In File Explorer, look for the data disk you attached. If the source VM's VHD is the only data disk attached to the troubleshooting VM, it should be the F: drive:
:::image type="content" source="media/reset-local-password-without-agent/file-explorer-data-disk.png" alt-text="Screenshot shows the F local disk in File Explorer." border="false":::
-
-
Create
gpt.ini
in\Windows\System32\GroupPolicy
on the source VM's drive (ifgpt.ini
exists, rename togpt.ini.bak
):[!WARNING] Make sure that you do not accidentally create the following files in
C:\Windows
, the OS drive for the troubleshooting VM. Create the following files in the OS drive for your source VM that is attached as a data disk.Add the following lines into the
gpt.ini
file you created:[General] gPCFunctionalityVersion=2 gPCMachineExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}] Version=1
:::image type="content" source="media/reset-local-password-without-agent/create-gpt-ini-classic.png" alt-text="Screenshot shows the updates made to the gpt.ini file for Classic VM.":::
-
Create
scripts.ini
in\Windows\System32\GroupPolicy\Machine\Scripts\
. Make sure hidden folders and file name extensions are shown. If needed, create theMachine
orScripts
folders.Add the following lines the
scripts.ini
file you created:[Startup] 0CmdLine=FixAzureVM.cmd 0Parameters=
:::image type="content" source="media/reset-local-password-without-agent/create-scripts-ini.png" alt-text="Screenshot shows the updates made to the scripts.ini file for Classic VM.":::
-
Create
FixAzureVM.cmd
in\Windows\System32\GroupPolicy\Machine\Scripts\Startup\
with the following contents, replacing<username>
and<newpassword>
with your own values:net user <username> <newpassword> /add /Y net localgroup administrators <username> /add net localgroup "remote desktop users" <username> /add
:::image type="content" source="media/reset-local-password-without-agent/create-fixazure-cmd.png" alt-text="Screenshot shows the newly created FixAzureVM.cmd file where you update the username and password for Classic VM.":::
You must meet the configured password complexity requirements for your VM when defining the new password.
-
In Azure portal, detach the disk from the troubleshooting VM:
-
Select the troubleshooting VM in the Azure portal, click Disks.
-
Select the data disk attached in step 2, click Detach, then click OK.
:::image type="content" source="media/reset-local-password-without-agent/data-disks.png" alt-text="Screenshot shows the detached disk in step 2.":::
:::image type="content" source="media/reset-local-password-without-agent/detach-disk.png" alt-text="Screenshot shows the Detach button.":::
-
-
Create a VM from the source VM's OS disk:
:::image type="content" source="media/reset-local-password-without-agent/create-new-vm-from-template.png" alt-text="Screenshot shows the Disk (classic) item.":::
:::image type="content" source="media/reset-local-password-without-agent/choose-subscription.png" alt-text="Screenshot shows the subscriptions.":::
:::image type="content" source="media/reset-local-password-without-agent/create-vm.png" alt-text="Screenshot highlights the Create VM button.":::
-
After the new VM is running, connect to the VM using Remote Desktop with the new password you specified in the
FixAzureVM.cmd
script. -
From your remote session to the new VM, remove the following files to clean up the environment:
- From
%windir%\System32\GroupPolicy\Machine\Scripts\Startup\
- remove
FixAzureVM.cmd
- remove
- From
%windir%\System32\GroupPolicy\Machine\Scripts
- remove
scripts.ini
- remove
- From
%windir%\System32\GroupPolicy
- remove
gpt.ini
(ifgpt.ini
existed before, and you renamed it togpt.ini.bak
, rename the.bak
file back togpt.ini
)
- remove
- From
If you still cannot connect using Remote Desktop, see the RDP troubleshooting guide. The detailed RDP troubleshooting guide looks at troubleshooting methods rather than specific steps. You can also open an Azure support request for hands-on assistance.
[!INCLUDE Azure Help Support]