One DBA's Ongoing Search for Clarity in the Middle of Nowhere


*or*

Yet Another Andy Writing About SQL Server

Monday, May 23, 2016

How Do I Change My Domain Password on Windows Server 2012?

As a DBA I spend a lot of time in RDP sessions, both to SQL Servers and to "jump"/pass-through servers on client domains.  Most clients (unfortunately not all of them - security is important, people!) have some variant of password expiration in their domains requiring regular password changes every 30/90/180 days.

Prior to Windows Server 2012, this was relatively straightforward - in the Start Menu select "Windows Security" (sometime hidden under Administrative Tools>>Windows Security):


...which then gives you a friendly menu where you can choose to "Change A Password":



Easy right?

** Often unknown tip - from the Change Password Prompt:



You can edit the top line to any account to which you have access - your accounts in other domains (assuming there is access to domain controllers in the other domain) or even other accounts altogether!  Even though I am logged into the above server as DOMAIN\agalbraith, I could modify the line to change the password for SOMEOTHERDOMAIN\agalbraith or DOMAIN\SQLServiceAccount,

--

The catch to all of this is that in Windows Server 2012, the easy method...went away.  How could they do that???

https://themuseletter.files.wordpress.com/2014/11/61225_bill-gates-shrug.jpg

The Windows Security box is Dead....Long Live the Windows Security box!

--

Here are three different ways to get to the same screen in Windows Server 2012.  These three methods work in Windows Server 2008 and 2008 R2 as well, so once you get used to one of them you can use it on your old servers as well.

http://cache.gawker.com/assets/images/gizmodo/2009/08/old_pc.jpg
Maybe not *that* old....

--

The first method is the one I have known for a long time, and is very simple.  Instead of CTRL-ALT-DEL, use CTRL-ALT-END.  Most of the time, this takes you to the same prompt screen as we saw above:


--

The second method is a little more involved, but useful - and I have been in at least three situations where I *had* to use it - once when there was a keyboard mapping error in the RDP session (something I have only ever experienced once) and twice where I was several layers deep in RDP (RDP to RDP to RDP).  I found this method at http://www.tomshardware.com/answers/id-1629393/change-password-ctrl-alt-del-rdp-rdp.html.

From a command prompt, type osk to bring up the On-Screen Keyboard (something I didn't know even existed at the time):


With the OSK up, press CTRL and ALT on your actual physical keyboard, and then click DEL on the OSK (CTRL-ALT-DEL all on the OSK just functions like a regular CTRL-ALT-DEL):



BOOYAH!

--

The third method was recently offered up by a member of the team here at Ntirety, Mike Skaff.  It is one more example of #YouCanDoAnythingWithPowerShell.

I don't know where Mike found it, but I was able to find references in a couple of places, including http://wiki.mundy.co/Change_password_on_Remote_Desktop_Server_2012

From a PowerShell prompt, enter the following:
(New-Object -COM Shell.Application).WindowsSecurity()

Sure enough:


Like the OSK method above, this PowerShell method works from RDP in RDP in RDP as well - and it's PowerShell!

--

Hope this helps!


2 comments: