Imagine the scenario: you have a virtual machine running in Azure but something’s gone wrong and you don’t have Administrative credentials to log in to Windows. That’s a more common occurrence than you might expect but there is a workaround: in Azure there is an option to reset the local administrator password.
Unfortunately, that capability hasn’t been implemented yet in the management portal for Azure Resource Manager but it is available in Microsoft Azure PowerShell.
I found the following commands worked for me (based on a blog post by Dan Patrick), resetting the built-in administrator account for the defined server in the defined Resource Group to be called DisabledAdmin (after which it won’t be disabled any more but, after unlocking the server and creating an alternative administrator, the built-in account can be disabled again) with a GUID for the password:
$rgName = "Example-Resource-Group"
$vmName = "SERVERxxx"
$extName = "VMAccessAgent"
$userName = "DisabledAdmin"
$password = [guid]::newguid()
$location = "westeurope"
Set-AzureRmVMAccessExtension -ResourceGroupName $rgName -VMName $vmName -Name $extName -UserName $userName -Password $password -Location $location
(of course, you’ll need to take a note of that GUID if you want to log in to the account!).
The VM Access Extension can be called anything you like (the MSDN reference for Set-AzureRmVMAccessExtension gives more information); however, as noted in the Microsoft Azure documentation (How to reset the Remote Desktop service or its login password in a Windows VM):
“You can reset remote access to your VM by using either Set-AzureRmVMExtension or Set-AzureRmVMAccessExtension
“Both commands add a new named VM access agent to the virtual machine. At any point, a VM can have only a single VM access agent. To set the VM access agent properties successfully, remove the access agent set previously by using either Remove-AzureRmVMAccessExtension or Remove-AzureRmVMExtension. Starting from Azure PowerShell version 1.2.2, you can avoid this step when using Set-AzureRmVMExtension with a -ForceRerun option. When using -ForceRerun, make sure to use the same name for the VM access agent as set by the previous command.”
So, by using a known name for the VM Access Extension (VMAccessAgent), I can avoid potential issues later.
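The quoted requirement (only one VM access agent per VM, and any previous one removed before a new one is set) can be folded into the reset itself. The script below is an added example, not code from the original post or from Microsoft's documentation. It assumes an authenticated AzureRM session, the same placeholder names as above, and that the extension objects returned by Get-AzureRmVM expose `Publisher` and `VirtualMachineExtensionType` properties (property names vary between module versions).

```powershell
# Added example. Assumes Login-AzureRmAccount has already been run and that
# Set-AzureRmVMAccessExtension accepts -UserName/-Password as in the post.
$rgName   = "Example-Resource-Group"
$vmName   = "SERVERxxx"
$extName  = "VMAccessAgent"     # keep this name fixed for every reset
$userName = "DisabledAdmin"

# Fetch the VM so we can inspect its extensions and reuse its region.
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName

# Find any VM access agent that is already installed, whatever it was named.
# Assumption: the agent reports publisher Microsoft.Compute and type
# VMAccessAgent; adjust the property names if your module version differs.
$existing = @($vm.Extensions | Where-Object {
    $_.Publisher -eq "Microsoft.Compute" -and
    $_.VirtualMachineExtensionType -eq "VMAccessAgent"
})

# Remove the previous agent(s) first, as the quoted documentation requires.
foreach ($ext in $existing) {
    Remove-AzureRmVMAccessExtension -ResourceGroupName $rgName `
        -VMName $vmName -Name $ext.Name -Force
}

# Generate a one-off password and keep it as a string for later use.
$password = [guid]::NewGuid().ToString()

Set-AzureRmVMAccessExtension -ResourceGroupName $rgName -VMName $vmName `
    -Name $extName -UserName $userName -Password $password `
    -Location $vm.Location

# $password still holds the new value in this session. Use it to log in,
# create the alternative administrator, disable the built-in account again,
# then clear the variable so the secret does not linger in the session.
# Remove-Variable password
```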