I have a modified version of this PowerShell script: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/355d9293-e324-4f60-8eed-18bcc6d67fc0/adsiwinntcomputeradministratoruser-with-alternate-credentials?forum=ITCG

It fails when trying to change the password for an account with a first-logon password-change requirement (for which I can change the password manually using the Ctrl+Alt+Del prompt, but I will be running this often for VM testing on an image). The part that matters is:

Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorVariable e -ArgumentList $ComputerName,$NewPassword,$User -ScriptBlock {
    Param($ComputerName,$NewPassword,$User)
    # Bind to the local account through the WinNT ADSI provider
    $Account = [ADSI]"WinNT://$ComputerName/$User,user"
    $Account.PwdLastSet = 0
    $Account.SetInfo()
    # Set the new password and commit the change
    $Account.SetPassword($NewPassword)
    $Account.SetInfo()
    # Return any errors captured by -ErrorVariable
    $e
}

When I run this for an account that does not require change at first logon it completes successfully:

> Change-LocalPassword -User 'TestAccount' -Credential $wincred -OldPassword $OP -NewPassword $NP -ComputerName $computerName
Info::Change-LocalPassword::Changing password from <old> to <new>
Info::Change-LocalPassword::Service WinRM is already running on Localhost
Info::Change-LocalPassword::Trusted Hosts Value is: <computer>
Info::Change-LocalPassword Invoking Command: [adsi]WinNT://<computer>/TestAccount,user
True

When running for the account requiring first logon:

Change-LocalPassword -User $Config.win_user -Credential $wincred -OldPassword $Config.winog_passwd -NewPassword $Config.win_passwd -ComputerName $computerName
Info::Change-LocalPassword::Changing password from <old> to <new>
Info::Change-LocalPassword::Service WinRM is already running on Localhost
Info::Change-LocalPassword::Trusted Hosts Value is: <computer>
Info::Change-LocalPassword Invoking Command: [adsi]WinNT://<computer>/<user>,user
[computer] Connecting to remote server <computer> failed with the following error message : Access is denied. For more information, see
the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (<computer>:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
-Message Error::Change-LocalPassword::Could not set password for <user> on <computer> [computer] Connecting to remote server <computer> failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
False

The local admin account is the only account on the machine, and it is not domain joined. Has anyone else encountered this and identified a resolution?

user5505180

1 Answer

Add a password-never-expires user flag:

$Account = [ADSI]"WinNT://$ComputerName/$User,user"
# 65536 = ADS_UF_DONT_EXPIRE_PASSWD
$Account.UserFlags = 65536
$Account.PwdLastSet = 0
$Account.SetInfo()
$Account.SetPassword($NewPassword)
$Account.SetInfo()

If you want to add "user can't change password" as well, replace the UserFlags line above with this one:

# 64 = ADS_UF_PASSWD_CANT_CHANGE, 65536 = ADS_UF_DONT_EXPIRE_PASSWD
$Account.UserFlags = 64 + 65536

Avshalom
  • It seems that I am in somewhat of a circular dependency. The only account on the machine is the account whose password I am attempting to change. Doing a simple invoke command fails with access denied using the credentials (assuming because the password must first be changed): – user5505180 Oct 30 '15 at 18:01
  • `PS D:\projects\windows-cloudify> Invoke-Command -ComputerName $computerName -Credential $wincred -ScriptBlock { ls c:\TEMP } [computer] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. + CategoryInfo : OpenError: (computer:String) [], PSRemotingTransportException + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken` – user5505180 Oct 30 '15 at 18:05
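As an added example (not code from the question or the answer above), a PowerShell helper that sets a UserFlags bit with a bitwise OR so the account's existing flags, such as NORMAL_ACCOUNT (512), are preserved rather than overwritten by assigning a bare 65536, and that reports the decoded flags and whether the password must still be changed at next logon. The ADS_UF values are the standard ADS_USER_FLAG_ENUM constants; the computer and user names at the bottom are placeholders.

```powershell
# Added example; assumes the same WinNT ADSI binding used above, run either
# locally or inside the same Invoke-Command script block.
$ADS_UF = @{
    ACCOUNTDISABLE     = 0x0002
    LOCKOUT            = 0x0010
    PASSWD_NOTREQD     = 0x0020
    PASSWD_CANT_CHANGE = 0x0040
    NORMAL_ACCOUNT     = 0x0200
    DONT_EXPIRE_PASSWD = 0x10000
}

# Translate a raw UserFlags integer into the names of the bits that are set
function Get-LocalUserFlagNames {
    param([int]$Flags)
    $ADS_UF.GetEnumerator() |
        Where-Object { ($Flags -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } | Sort-Object
}

# OR a flag into UserFlags, keeping whatever bits the account already has
function Set-LocalUserFlag {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][int]$Flag
    )
    $Account = [ADSI]"WinNT://$ComputerName/$User,user"
    $before = [int]$Account.UserFlags.Value
    $after  = $before -bor $Flag
    if ($after -ne $before) {
        $Account.UserFlags = $after
        $Account.SetInfo()
    }
    [pscustomobject]@{
        User              = $User
        Before            = Get-LocalUserFlagNames $before
        After             = Get-LocalUserFlagNames ([int]$Account.UserFlags.Value)
        # WinNT reports "must change password at next logon" as PasswordExpired = 1
        MustChangeAtLogon = ([int]$Account.PasswordExpired.Value -eq 1)
    }
}

# Placeholder target: mark the account's password as never expiring and review the result
Set-LocalUserFlag -ComputerName 'localhost' -User 'TestAccount' -Flag $ADS_UF.DONT_EXPIRE_PASSWD
```

Comparing the Before and After lists shows whether an earlier run already replaced the flags wholesale, which is the case to check when a plain assignment like the one in the answer has been used.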