0

I am creating a VM on the fly with PowerShell (on ESX with Windows Server 2012 R2). I have most of the automation pieces in place, but when it comes to resetting the Administrator password the first time we log in to the VM after provisioning (as a part of Windows security policy), I am having a hard time.

I have tried stuff like the following (which didn't work):

```powershell
[ADSI]$vmAccount="WinNT://$vmName/$vmUserName"
$vmAccount.ChangePassword($current, $new)
```

It fails by saying:

```
Exception calling "ChangePassword" with "2" argument(s): 
"The specified network password is not correct.
```

Any help in pointing me in the right direction is much appreciated.

Mahesh Velaga

2 Answers

1

This has worked for me remotely which is something that you can try:

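```powershell
# Replace the placeholders; single quotes keep characters such as $ literal
$comp = '<computer>'
$user = '<Username here>'
$pass = '<New password here>'
# The [ADSI] cast turns the WinNT path into a directory entry that exposes SetPassword
([ADSI]"WinNT://$comp/$user,user").SetPassword($pass)
```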

If that doesn't work, you may want to check on the security policy and see if the password matches the security policy; PowerShell errors can sometimes be incredibly bland.

Bluecakes
0

The error Exception calling "ChangePassword" with "2" argument(s): "The specified network password is not correct. is due to the symbols in your password. For example, if you have "$" in your password, PowerShell takes it as a variable.

In PowerShell, the dollar sign $ is used to reference variables. When you have a password with a dollar sign, PowerShell might interpret it as a variable and try to replace it with the value of the variable, leading to unexpected behavior.

To prevent PowerShell from interpreting the dollar sign as a variable, you can use single quotes (') instead of double quotes (") when defining the password in the script. Single quotes prevent variable expansion, and the dollar sign will be treated as a literal character.

In your case you need to read the password in a secure string and then convert it to plaintext to set the password like below:

```powershell
$username = Read-Host -Prompt "Enter the AD user's username"
$domainController = "foo.example.local" # You can also provide the IP of the DC

$currentPassword = Read-Host -Prompt "Enter the current password" -AsSecureString
$newPassword = Read-Host -Prompt "Enter the new password" -AsSecureString

# Convert the secure strings to plain text
$currentBstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($currentPassword)
$newBstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($newPassword)
try {
    $plainCurrentPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($currentBstr)
    $plainNewPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($newBstr)

    [ADSI]$useraccount = "WinNT://$domainController/$username"
    $useraccount.ChangePassword($plainCurrentPassword, $plainNewPassword)
}
finally {
    # Zero and free the unmanaged plain-text copies of both passwords
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($currentBstr)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($newBstr)
}
```

Or in a simple way to understand how it works with plain text see below (not recommended as it stores your password as text):

```powershell
$user.ChangePassword('$abcd1234', '$qwerty1234')
```

Ssri
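The quoting behaviour described in the answer above can be checked statically before a provisioning script runs. This is an added example, not code from any of the posts: the function name `Find-ExpandedPasswordArgument` is hypothetical, and the sample script text is constructed from the placeholder passwords in the answer. It parses the script without executing it and reports every `ChangePassword`/`SetPassword` argument that PowerShell would expand, including intentional uses such as `"$pass"`.

```powershell
function Find-ExpandedPasswordArgument {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Parse only; nothing in $ScriptText is executed.
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Method calls such as $account.ChangePassword(...) or $account.SetPassword(...)
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.InvokeMemberExpressionAst] -and
        $node.Member.Extent.Text -in 'ChangePassword', 'SetPassword'
    }, $true)

    foreach ($call in $calls) {
        foreach ($arg in $call.Arguments) {
            # A double-quoted string containing $name or $(...) parses as an
            # expandable string; single-quoted or backtick-escaped text does not.
            if ($arg -is [System.Management.Automation.Language.ExpandableStringExpressionAst]) {
                [pscustomobject]@{
                    Line     = $arg.Extent.StartLineNumber
                    Method   = $call.Member.Extent.Text
                    Argument = $arg.Extent.Text
                    Expanded = ($arg.NestedExpressions |
                        ForEach-Object { $_.Extent.Text }) -join ', '
                }
            }
        }
    }
}

# Constructed sample script text; the single-quoted here-string keeps it literal.
$sample = @'
$user.ChangePassword("$abcd1234", "$qwerty1234")
$user.ChangePassword('$abcd1234', '$qwerty1234')
$user.SetPassword("`$qwerty1234")
'@

Find-ExpandedPasswordArgument -ScriptText $sample | Format-Table -AutoSize
```

Only the two arguments on line 1 of the sample are reported; the single-quoted and backtick-escaped forms pass the literal `$` through unchanged.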