I wish to be able to automate some PCs I manage. Currently, I use Ansible, but I am not opposed to any other tool.

The goal is to be able to remotely change the password of an individual user account on a Windows 10 machine without the user losing access to their saved credentials in the Credential Manager.

I know that on Windows 10, by design, it seems that unless a user themselves triggers a command via the CTRL+ALT+DEL Password Change screen, then when the password is changed, the saved credentials and associated secrets are wiped from existence.

However, I am certain I am not the first user to ever want to change a user's password remotely without wanting to scorched earth their Credential Manager and Secrets.

I have been Googling for a few days every combination of the problem I can think of, but I can't seem to find a reasonable solution.

  1. Would a solution using the "RunAs" command work in an automated way on a headless machine?

  2. If not, is there any way to strip the credential wiping functionality from a user account on password change?

Jibril
  • Looks more like a SuperUser question to me, but AFAIK the credential manager uses the current password to encrypt passwords (DPAPI). So when the user changes their password, the credentials are requested using the old password, then re-encrypted using the new password. If you don't know the old password, you can't request them, so they're lost when you forcibly change the password. – CodeCaster Aug 16 '22 at 13:39
  • Thanks @CodeCaster. What about the case where I do know the user's password? Can this be done remotely then? As far as I can tell, things like net user and whatnot do not request the old user's password, which is why I was hoping maybe a "RunAs" solution which requests the user's credentials may work. – Jibril Aug 16 '22 at 13:58

0 Answers