Windows Server 2012 and Windows 8.1 include a feature that allows passwords to expire after a set period of time. This can be helpful in preventing users from using the same password across multiple accounts, but it can also be problematic if passwords are not changed regularly. To disable password expiration, open the Server Manager console and click “Password Settings.” In the “Password Settings” dialog box, select “Accounts with Password Expiration” and then click the “Edit…” button. In the “Edit Account Settings” dialog box, under “Password Policy,” select “Never expire passwords.” Click OK to save your changes. If you need to reset a user’s password, you can do so by clicking the user’s name in Active Directory Users and Computers and then clicking Properties. Under the User Profile tab, click Change Password. Enter the new password in the New Password field and then click OK to save your changes.
Windows Server passwords expire. After a while, your password will be invalid, and you will need to “contact your IT administrator” to reset it manually. But what happens when you are the IT administrator?
The Problem
By default, Windows organizations have password expiration turned on. The idea is that you must change your password every so often (the default is only 42 days) to minimize the impact of security breaches. This is a good idea for large organizations, but if you’re just trying to run a machine with Windows Server, it can be quite annoying.
Even worse, if you’re new to Windows hosting, you might have missed the prompt about it expiring if you didn’t log in recently. By default, nothing is set up to warn you if you don’t sign in regularly. This can actually completely lock you out of your account, requiring a server restart into rescue mode.
Luckily, it’s pretty easy to turn off the feature before it’s a problem, and if you did get locked out by password expiration, booting into rescue mode will fix the issue by allowing you to reset the password from outside of the operating system.
Fixing It Early
The way to prevent passwords from expiring is to disable expiration for your account using the Local Users and Groups control panel. Open it by searching for lusrmgr.msc in the Start or Run menus.
Click on “Users” and find your user account. Right-click and view properties, and then check “Password Never Expires” under the settings.
Alternatively, you can do this manually from the command line:
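One way to do this from PowerShell, as an added example rather than the article's own command: the script reports when each enabled local account's password expires (the article notes that nothing warns you by default) and, if asked, sets "Password never expires" on a single account. The `-Exempt` and `-WarnDays` parameters are assumptions of this example.

```powershell
# Added example, not the article's command. Run elevated; needs Windows
# PowerShell 5.1+ for the Microsoft.PowerShell.LocalAccounts cmdlets.
param(
    [string]$Exempt,      # assumed parameter: account to mark "Password never expires"
    [int]$WarnDays = 14   # assumed threshold for the "expiring soon" status
)

# Show the machine-wide maximum password age (output text is localized).
net accounts | Select-String -Pattern 'password age'

# Exempt only the named account; every other account keeps the policy.
if ($Exempt) {
    Set-LocalUser -Name $Exempt -PasswordNeverExpires $true
}

$now = Get-Date

# One row per enabled local account. PasswordExpires is $null when no
# expiry date applies to the account.
$report = Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    $daysLeft = $null
    if ($null -ne $_.PasswordExpires) {
        $daysLeft = [math]::Floor(($_.PasswordExpires - $now).TotalDays)
    }

    if ($null -eq $daysLeft)         { $status = 'never expires' }
    elseif ($daysLeft -lt 0)         { $status = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { $status = 'expiring soon' }
    else                             { $status = 'ok' }

    [pscustomobject]@{
        Name            = $_.Name
        PasswordLastSet = $_.PasswordLastSet
        PasswordExpires = $_.PasswordExpires
        DaysLeft        = $daysLeft
        Status          = $status
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitor alert before lockout.
if ($report | Where-Object { $_.Status -in 'EXPIRED', 'expiring soon' }) {
    exit 1
}
```

Run without `-Exempt`, the script only reports, so it can be scheduled as an early warning while the expiration policy stays in place for every account.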
What to Do If You’ve Already Been Locked Out
If you’ve already been locked out, you might be getting an error that says “You must change your password before logging on for the first time. Please update your password or contact your system administrator.”
Unfortunately, this means that you’ve probably been locked out unless you’re able to reset the password from elsewhere in your organization. If you don’t have outside access, this might have just cut off your only credentials for access to the server.
You might not need RDP credentials, though. Some server providers offer direct KVM access, which could allow you to bypass your remote login and change the password from there. You should try this first, as it will result in no downtime.
Resetting with Win PE
You will need to boot the server into a rescue operating system. Many providers should have this option—for example, OVH allows you to change the netboot mode to a Windows Preinstallation Environment, or Win PE. This allows you to use tools like NTPWEdit to modify SAM files directly.
To use it, you’ll need to open the SAM file, unlock the user that you want to modify, and click “Change Password.” Enter the new password twice and click “Save Changes.”
Resetting with Linux and chntpw
Alternatively, you could be given a Linux-based rescue system like rescue64-pro. In this case, you’ll need to mount the Windows drive and change the password manually with chntpw.
List the disks and mount the main partition:
Navigate to the location of the SAM file and run chntpw
Then, follow the prompts to clear the password for your account.
You’ll need to log back in with the blank password and change it to something secure.