If you administer Windows Server, you probably know that passwords can expire. Passwords control access to the systems on your network, and once they expire, users may be unable to log in. There are a few ways to disable password expiration in Windows Server:

  1. Use the netsh command to disable password expiration for all users on your server. This will prevent any user from having their passwords expire.
  2. Use the gpedit tool to manage password expiration for specific users on your server. This will allow you to set a specific time period for when their passwords will expire and require them to re-enter their password if they forget it.
  3. Use the wmic command to list all active Password Expiration Policies on your server. You can see which policies have been set for which users, and you can change or add new policies as needed.

Windows Server passwords expire. After a while, your password will be invalid, and you will need to “contact your IT administrator” to reset it manually. But what happens when you are the IT administrator?

The Problem

By default, Windows organizations have password expiration turned on. The idea is that you must change your password every so often (the default is only 42 days) to minimize the impact of security breaches. This is a good idea for large organizations, but if you’re just trying to run a machine with Windows Server, it can be quite annoying.

Even worse, if you’re new to Windows hosting and haven’t logged in recently, you might have missed the prompt warning that your password is about to expire. By default, nothing is set up to warn you if you don’t sign in regularly. This can completely lock you out of your account, requiring a server restart into rescue mode.

Luckily, it’s pretty easy to turn off the feature before it’s a problem, and if you did get locked out by password expiration, booting into rescue mode will fix the issue by allowing you to reset the password from outside of the operating system.

Fixing It Early

The way to prevent passwords from expiring is to disable expiration using the Local Users and Groups control panel. Open it by searching for lusrmgr.msc in the Start or Run menus.

Click on “Users” and find your user account. Right-click and view properties, and then check “Password Never Expires” under the settings.

Alternatively, you can do this manually from the command line:
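
One way to do this from PowerShell, as an added example that is not from the original article: it exempts a single local account from expiration and then reports when each enabled local account's password expires, since nothing warns you by default. The account name, the function name `Get-LocalPasswordExpiry` and the 14-day threshold are assumptions.

```powershell
# Added example: covers local accounts only. Run from an elevated PowerShell session.
# 'Administrator' is a placeholder account name (assumption); substitute your own.
$AccountName = 'Administrator'

function Get-LocalPasswordExpiry {
    param([int]$WarnDays = 14)   # hypothetical warning threshold, in days
    $now = Get-Date
    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        # PasswordExpires is $null when the password is not subject to expiration.
        $daysLeft = $null
        if ($_.PasswordExpires) {
            $daysLeft = [int][math]::Floor(($_.PasswordExpires - $now).TotalDays)
        }
        if ($null -eq $daysLeft)         { $status = 'NeverExpires' }
        elseif ($daysLeft -lt 0)         { $status = 'Expired' }
        elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
        else                             { $status = 'OK' }

        [pscustomobject]@{
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $_.PasswordExpires
            DaysLeft        = $daysLeft
            Status          = $status
        }
    }
}

# Machine-wide policy: see "Maximum password age (days)" in the output.
net accounts

# Equivalent of ticking "Password Never Expires" for one account.
Set-LocalUser -Name $AccountName -PasswordNeverExpires $true

# Confirm the change and spot any other account that is close to expiring.
Get-LocalPasswordExpiry | Sort-Object DaysLeft | Format-Table -AutoSize
```

Running `Get-LocalPasswordExpiry` from a scheduled task gives you the warning that the default configuration lacks. Accounts listed as `NeverExpires` depend entirely on the strength of their password, so keep that list short.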

What to Do If You’ve Already Been Locked Out

If you’ve already been locked out, you might be getting an error that says “You must change your password before logging on for the first time. Please update your password or contact your system administrator.”

Unfortunately, this means that you’ve probably been locked out unless you’re able to reset the password from elsewhere in your organization. If you don’t have outside access, this might have just cut off your only credentials for access to the server.

You might not need RDP credentials, though. Some server providers offer direct KVM access, which could allow you to bypass your remote login and change the password from there. You should try this first, as it will result in no downtime.

Resetting with Win PE

You will need to boot the server into a rescue operating system. Many providers should have this option—for example, OVH allows you to change the netboot mode to a Windows Preinstallation Environment, or Win PE. This allows you to use tools like NTPWEdit to modify SAM files directly.

To use it, you’ll need to open the SAM file, unlock the user that you want to modify, and click “Change Password.” Enter it twice and click “Save Changes.”

Resetting with Linux and chntpw

Alternatively, you could be given a Linux-based rescue system like rescue64-pro. In this case, you’ll need to mount the Windows drive and change the password manually with chntpw.

List the disks and mount the main partition:

Navigate to the location of the SAM file and run chntpw

Then, follow the prompts to clear the password for your account.

You’ll need to log back in with the blank password and change it to something secure.