Recently discovered the hard way / another “learn from my mistakes” moment:
You have an Azure virtual machine, and you somehow manage to lose the password for the local machine’s administrator account.
The good news: Azure provides a few different ways to create a new administrator account, using Windows PowerShell and the new portal.
The bad news: You have to create a new administrator account. And the old admin account will be deleted.
This was the missing link in the multiple examples I found, via Google, for recovering Remote Desktop Connection access to an Azure VM.
So, if you need to reset the administrator account when you lose your Azure IaaS VM password, the key thing to remember is: The old admin account will be deleted. Lost, forever. You must create a brand-new account.
And that means that, after the new account is created, you will need to go through your virtual machine and update anything that relied on your old admin account: scheduled tasks, file, folder or network share permissions, and the like.
Replacement, Not Repair
In my case, I tried repeatedly to have the new portal reset the password for my existing account, only to have it report failure repeatedly. Then, I noticed the Password reset blade specifically said I needed to create a new username and password.
As in, password resets are not allowed. Only removing the old local machine admin account, created when I first provisioned the machine, and replacing it with a completely new account, would work.
Fortunately, this is only true of the account you used when spinning up the machine. So, if you have several local admin accounts on your Azure VM, the others will remain intact; only the local admin account used to provision the machine will be deleted.
Of course, if you have several local admin accounts on the box, one would assume you remembered the password to at least one of those accounts, so this would be a moot point; just RDC in under one of the other admin accounts and reset the provisioned local admin account’s password.
Assuming you have just the provisioning local admin account, once you lose its password, you are effectively saying goodbye forever to that account, and replacing it with an entirely new one.
New Portal Password Resets: Stand By To Wait
In my case, I successfully replaced my admin user via the new Azure Portal, following Microsoft’s specific guidance:
- Log in to the new portal and click Browse All.
- Click Virtual Machines (classic) and then select the VM to which you lost access.
- In that VM’s blade, click the “Reset remote access” button.
- Pick up “War and Peace” and start reading. This is going to take a while.
- Once the portal indicates the reset is complete, click the Settings icon in the VM’s blade.
- In the Settings blade, click Password reset.
- Provide a new admin account username and password for that new user.
- Click Password reset.
- Pick up where you left off in “War and Peace.” (If you lost your place, you were probably around the point where the Battle of Borodino was winding up.)
- When the portal reports success, click the Connect button in the VM’s blade and you should be able to RDC into your VM.
Again, this is replacing the old local administrator account with a brand-new account. The admin user account you used to provision the machine will be deleted. A new local admin will be created with the username and password you provided.
You cannot recycle the current local admin account username. You must create a brand-new username.
It will take quite some time for the portal to reset your password; it took upward of 15 minutes when I did it.
However, once you are done, you will be able to RDC into your VM again, which you will almost certainly want to do, since you will likely need to find every place where the old admin account’s permissions were in use and switch them over to the new admin account.
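Finding those leftover dependencies by hand is tedious, so here is an added example (not from the original post) that you can run inside the VM, in an elevated session, once you are back in: it lists scheduled tasks, services and NTFS permission entries that still point at the deleted account. Because the old account no longer exists, its permission entries can no longer be resolved to a name and show up as orphaned SIDs, so the script matches on both the old username (a placeholder here) and unresolved local/domain SIDs; the paths to scan are also placeholders.

```powershell
# Added example, not the author's code. Run on the VM after the new admin account exists.
# $OldAdmin and $Paths are placeholders; adjust to the deleted username and the folders you care about.
function Find-OldAdminReferences {
    param(
        [string]$OldAdmin = 'oldadmin',
        [string[]]$Paths  = @('C:\inetpub', 'D:\Data')
    )
    $pattern = [regex]::Escape($OldAdmin)

    # 1. Scheduled tasks whose run-as principal is the old account
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $pattern } | ForEach-Object {
        [pscustomobject]@{ Kind = 'ScheduledTask'; Item = "$($_.TaskPath)$($_.TaskName)"; Identity = $_.Principal.UserId }
    }

    # 2. Windows services whose logon account is the old account
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartName -match $pattern } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Item = $_.Name; Identity = $_.StartName }
    }

    # 3. NTFS ACEs that name the old account. After deletion the account cannot be resolved,
    #    so Get-Acl reports the raw SID (S-1-5-21-...) instead of MACHINE\username.
    foreach ($root in $Paths) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                if ($id -match $pattern -or $id -match '^S-1-5-21-') {
                    [pscustomobject]@{ Kind = 'NtfsAce'; Item = $_.FullName; Identity = "$id ($($ace.FileSystemRights))" }
                }
            }
        }
    }
}

# Usage: review the list, then re-point each item at the new admin account.
Find-OldAdminReferences -OldAdmin 'oldadmin' -Paths 'C:\inetpub' | Format-Table -AutoSize
```

An orphaned SID can also belong to some other deleted account, so check each hit before removing or replacing the entry.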
PowerShell Didn’t Work Well For Me
Microsoft’s instructions include two versions for accomplishing this same task via PowerShell. Neither worked for me.
I tried the older set of PowerShell instructions, and ran into all sorts of problems, not the least of which was that I did a terrible job of typing what was there, and my cutting and pasting from the web browser to the PowerShell terminal wasn’t much better.
And as I noted before, initially I wasn’t creating a new account, I was trying to overwrite the old account’s password, which is not possible.
Even so, I could not get the long block of PowerShell code to work; it brought up the selector window that let me pick my machine, but every time I selected it, I got an error message saying the PowerShell code was somehow malformed.
So I switched over to the new PowerShell instructions, which actually use the Windows PowerShell ISE in administrator mode.
At first, I was warned that the command was attempting to downgrade the VMAgent on my virtual machine:
Update-AzureVM : BadRequest: Cannot downgrade resource extension reference VMAccessAgent, from version 2.0, to version 1.0.3 ,for Role: xxxxxxx
I noted, in the documentation for Set-AzureVMAccessExtension, that I could specify a version, and tried that. However, that created a brand-new error message:
Update-AzureVM : BadRequest: Invalid update to extension reference for role: xxxxxxx and reference: VMAccessAgent
So I flirted with the idea of uninstalling the agent altogether, but that seemed like the thermonuclear option; instead, I went back to the preview portal, fiddled around some, finally read the instructions on the password reset blade, and was back into the VM within 20 minutes.
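For reference, this is the shape of the classic (Service Management) PowerShell route that Microsoft’s guidance describes, written here as an added example rather than the author’s own commands; the author reports it failing for them, and the version pinning is an assumption aimed at the “Cannot downgrade” error quoted above. The cloud service, VM and subscription names are placeholders, and the new username must not already exist on the VM, since VMAccessAgent creates a new local administrator rather than restoring the old one.

```powershell
# Added example, not the author's code. Classic ASM cmdlets from the "Azure" module.
Import-Module Azure                                            # run Add-AzureAccount first
Select-AzureSubscription -SubscriptionName 'My Subscription'   # placeholder

$serviceName = 'my-cloud-service'   # placeholder: the VM's cloud service
$vmName      = 'my-vm'              # placeholder: the VM (role) name
$newAdmin    = 'recoveryadmin'      # a brand-new username; the old one cannot be reused

# -Password is a plain string, so read it interactively rather than typing it on the command line
$secure = Read-Host -Prompt "Password for $newAdmin" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName

# Assumption: the "Cannot downgrade resource extension reference VMAccessAgent" error comes from the
# cmdlet defaulting to an older extension version than the one already on the VM, so reuse the
# version that is currently referenced instead of letting the cmdlet pick one.
$existing = $vm | Get-AzureVMAccessExtension
$params = @{ UserName = $newAdmin; Password = $plain }
if ($existing -and $existing.Version) { $params['Version'] = $existing.Version }

# Applies the extension change; the new local admin is created when the update completes.
$vm | Set-AzureVMAccessExtension @params | Update-AzureVM
$plain = $null
```

Expect the same long wait as with the portal, and the same cleanup of everything that referenced the deleted account afterwards.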
All links in this post on delicious: https://delicious.com/dougvdotcom/lost-azure-vm-passwords-youll-need-a-new-account