Windows Server passwords expire. After a while, your password will no longer be valid and you must “contact your IT administrator” to reset it manually. But what happens when you are the IT administrator?
The problem
By default, Windows installations have password expiration enabled. The idea is that you should change your password from time to time (the default maximum age is only 42 days) to limit the window in which a stolen password stays useful. This is a good idea for large organizations, but if you are just trying to run a single Windows Server machine, it can be quite annoying.
Even worse, if you are new to Windows hosting, you may miss the expiration warning entirely if you haven't logged in recently. By default, nothing warns you about an approaching expiry if you don't log in regularly. The result can be a complete lockout from your account, requiring a reboot of the server into rescue mode.
Fortunately, it's pretty easy to disable the feature before it becomes a hindrance, and if you are already locked out by an expired password, booting into rescue mode will fix the problem by letting you reset the password from outside the operating system.
Fix it early
The way to prevent a password from expiring is to disable expiration for that account in the Local Users and Groups console. Open it by searching for lusrmgr.msc in the Start or Run menu.
Click on “Users” and find your user account. Right-click it, choose Properties, and then tick “Password never expires”.
Alternatively, you can do this manually from the command line:
wmic UserAccount where Name="username" set PasswordExpires=False
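The same check and fix in PowerShell, as an added example that is not part of the original post: it reports which enabled local accounts have passwords that are expired or about to expire (the warning the page says Windows never gives you) and then exempts only one named account. It assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later), an elevated session, and a placeholder account name `svc-admin`.

```powershell
# Added example: report local accounts whose passwords expire, then exempt one
# named break-glass admin account from expiration. Requires the built-in
# Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later)
# and an elevated PowerShell session. The account name "svc-admin" is a placeholder.

function Get-LocalPasswordExpiryReport {
    param([int]$WarnDays = 14)

    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        $expires = $_.PasswordExpires   # $null when "Password never expires" is set
        $daysLeft = if ($expires) { [math]::Floor(($expires - (Get-Date)).TotalDays) } else { $null }
        [pscustomobject]@{
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $expires
            DaysLeft        = $daysLeft
            # Flag accounts that are already expired or will expire within $WarnDays
            NeedsAttention  = ($null -ne $daysLeft) -and ($daysLeft -le $WarnDays)
        }
    }
}

function Set-LocalPasswordNeverExpires {
    param([Parameter(Mandatory)][string]$Name)

    $user = Get-LocalUser -Name $Name -ErrorAction Stop
    if ($null -eq $user.PasswordExpires) {
        Write-Host "$Name already has a non-expiring password"
        return
    }
    # Equivalent of the wmic command above, via the LocalAccounts module
    Set-LocalUser -Name $Name -PasswordNeverExpires $true
    Write-Host "Password expiration disabled for $Name"
}

# Show the current state of every enabled local account
Get-LocalPasswordExpiryReport | Format-Table -AutoSize

# Exempt only the break-glass admin account; leave expiration on for the rest
Set-LocalPasswordNeverExpires -Name 'svc-admin'
```

Run the report on a schedule (or at each login) to get the advance warning the default configuration lacks, and exempt only the account you need to keep as a fallback.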
What to do if you have already been locked out
If your password has already expired, you may get an error that says “You must change your password before logging in for the first time. Update your password or contact your system administrator”.
Unfortunately, this means you are probably locked out unless you can reset the password from elsewhere in your organization. If you have no such external access, the expiry may have cut off your only credentials for reaching the server.
Even so, you may not need working RDP credentials. Some server providers offer direct KVM console access, which lets you sign in at the console instead of over RDP and change the password from there. Try this first, since it involves no downtime.
Reboot with Win PE
You will need to boot the server into a rescue operating system. Many providers offer this option; as an example, OVH lets you change the netboot mode to a Windows or Win PE pre-installation environment. From there you can use a tool like NTPWEdit to edit the SAM database directly.
In NTPWEdit, open the SAM file, unlock the user you want to modify and click “Change Password”. Enter the new password twice and click “Save Changes”.
Reset with Linux and chntpw
Alternatively, you may be given a Linux-based rescue system such as rescue64-pro. In that case, you will need to mount the Windows drive and change the password manually with chntpw.
List the disks and mount the Windows system partition (shown here as /dev/sda4; check the fdisk output for the right one):
fdisk -l
mount /dev/sda4 /mnt
Browse to the location of the SAM file and run chntpw. The -l option only lists the accounts in the SAM; to edit one, run chntpw again with -u and the account name:
cd /mnt/Windows/System32/config
chntpw -l SAM
chntpw -u username SAM
Then follow the interactive menu to clear (blank) the password for your account.
You will need to log back in with the blank password and change it to something secure.