Regaining Access to Azure VM with Expired Password

Recently I have been doing some experiments with Active Directory, and of course I'm running my lab environment in Azure. It works great, until after 42 days the password of the one and only user account (mine) in the domain expires. Azure only provides remote desktop access to virtual machines, and in a default setup it's impossible to change the password over RDP once the password has expired.

In all modern versions of remote desktop, user authentication is done during the connection stage. This is called NLA: Network Level Authentication. It means the user name and password are entered in the RDP client, as part of the connection setup. Not like in the old days, when the remote desktop would appear and present the same user name and password prompt as if one were actually sitting at the physical console. In the old days, the remote server could show a "password expired" message and require a password reset before the logon was accepted. With NLA, that simply doesn't work. So what we need to do is disable NLA, without logging in to the remote machine.

To disable NLA, we need to do that on both the client and the server. On the client it's fairly easy, although it can't be done in the UI.

  1. Open the remote desktop client, fill in the host name and save the connection settings.
  2. Open the .rdp file in a text editor and add the line enablecredsspsupport:i:0 at the top.
  3. Save the file and double-click it to open the remote desktop client.

If you try to connect now, you'll get an error message that the server requires NLA. So to continue, we need to disable that on the server.

Thanks to Russel Smith for the details on how to use WMI to do this.

Disabling the NLA requirement on the server is normally just an unticked checkbox in the system properties. But that won't work when we're already locked out of the machine. So we need to reach the machine and change the setting some other way. It turns out that can be done with WMI. When I did this, I used another VM on the same virtual network. But I assume it would work directly from the Internet if the required ports are opened in the Network Security Group associated with the VM.

From the other VM, run the following commands in a PowerShell window, with the IP address being the internal IP of the server you're locked out of and DOMAIN\USERNAME being the domain/user details (use the computer name as the domain if it is not a domain-joined computer).

$wmi = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName 10.0.1.5 -Filter "TerminalName='RDP-tcp'" -Credential DOMAIN\USERNAME
$wmi
$wmi.SetUserAuthenticationRequired(0)

The second line, $wmi, simply prints out the current settings before changing them. Now you can use the prepared .rdp file and log in to the server. Note how there is no password prompt before the RDP session is launched; instead, the login prompt is shown inside the RDP session. From there, the password reset prompt works.

Finally it's time to re-enable security. On the client, simply delete the .rdp file you created. On the server, you can do that by going back to the PowerShell window on the other VM:

$wmi.SetUserAuthenticationRequired(1)
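As an added example (not code from the original post), here is a PowerShell script that uses the same WMI class to audit which hosts currently have the NLA requirement switched off and, with -Restore, puts it back and verifies the change. The host list, the credential prompt and the -Authentication PacketPrivacy argument are assumptions for this example; the class, namespace, filter and method are the ones used above.

```powershell
# Added example: audit (and optionally restore) the NLA requirement on
# Terminal Services hosts via Win32_TSGeneralSetting.
param(
    [string[]]$ComputerName = @('10.0.1.5'),   # constructed sample address
    [switch]$Restore                            # re-enable NLA where it is off
)

# Assumption: prompt for an account with admin rights on the target VM(s)
$cred = Get-Credential -Message 'Account with admin rights on the target VM(s)'

foreach ($computer in $ComputerName) {
    $params = @{
        Class          = 'Win32_TSGeneralSetting'
        Namespace      = 'root\cimv2\terminalservices'
        ComputerName   = $computer
        Filter         = "TerminalName='RDP-Tcp'"
        Credential     = $cred
        Authentication = 'PacketPrivacy'   # assumed: encrypted DCOM call for this namespace
        ErrorAction    = 'Stop'
    }
    try {
        $ts = Get-WmiObject @params
    } catch {
        Write-Warning "$computer : WMI query failed ($($_.Exception.Message))"
        continue
    }

    # UserAuthenticationRequired = 1 means NLA is enforced; 0 means the server
    # accepts the RDP connection before the user has authenticated.
    $status = if ($ts.UserAuthenticationRequired -eq 1) { 'NLA enforced' } else { 'NLA DISABLED' }
    Write-Output ("{0,-16} {1}" -f $computer, $status)

    if ($Restore -and $ts.UserAuthenticationRequired -ne 1) {
        $result = $ts.SetUserAuthenticationRequired(1)
        if ($result.ReturnValue -eq 0) {
            # Re-read the setting so we verify the change, not just the return code
            $ts = Get-WmiObject @params
            Write-Output ("{0,-16} restored: UserAuthenticationRequired={1}" -f $computer, $ts.UserAuthenticationRequired)
        } else {
            Write-Warning "$computer : SetUserAuthenticationRequired returned $($result.ReturnValue)"
        }
    }
}
```

Run it without -Restore first to see which hosts were left in the unlocked state, then with -Restore once the password reset is done.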