If you have forgotten the admin account password of an Azure VM, you can use the Set-AzureRmVMCustomScriptExtension cmdlet to add a new administrator account. In this post I will discuss a PowerShell script that adds a new user to your Azure VM and puts it in the local Administrators group without needing an existing admin account.

First off, you need to save the following script in a file named Script.ps1.

net user UserName Password /add
net localgroup Administrators UserName /add
net localgroup "Remote Desktop Users" UserName /add

This script creates a new local user on the VM you want to access, gives the account administrative privileges, and finally allows the account to log on via Remote Desktop. You have to replace "UserName" with the account name you want and "Password" with the password you want to set (it must meet the VM's local password complexity policy).

The PowerShell script below will then execute the above script on the VM.

Login-AzureRmAccount
$Path = Read-Host "Please Enter the path of Script.ps1 extracted from the compressed file"
$VMName = Read-Host "Please Enter the VM Name"
$RG = Read-Host "Please Enter the Resource Group Name"
$Loc = (Get-AzureRmVM -ResourceGroupName $RG -Name $VMName).Location

# Yes/No popup (button set 4); the Popup method returns 6 for Yes and 7 for No
$a = New-Object -ComObject WScript.Shell
$SAAnswer = $a.Popup("Do you already have a storage account to upload the script to?", 0, "Storage Account Existence", 4)
If ($SAAnswer -ne 6) {
    # No storage account yet: keep asking until Azure reports the name as available
    Do {
        $SAName = Read-Host "Please enter a name that fulfills the following conditions:`n1- The name must be unique across all storage account names in Azure`n2- It must be 3 to 24 characters long`n3- It can only contain lowercase characters and numbers`n"
        $SAAvail = (Get-AzureRmStorageAccountNameAvailability -Name $SAName).NameAvailable
    } Until ($SAAvail)
    $SA = New-AzureRmStorageAccount -ResourceGroupName $RG -Name $SAName -SkuName Standard_LRS -Location $Loc
}
Else {
    $SAName = Read-Host "Please enter the storage account name"
}

# Retrieve key1 of the storage account, build a storage context, create a container and upload the script
$SAKey = Get-AzureRmStorageAccountKey -ResourceGroupName $RG -Name $SAName | Where-Object { $_.KeyName -eq "key1" }
$StorageContext = New-AzureStorageContext -StorageAccountName $SAName -StorageAccountKey $SAKey.Value
$Container = New-AzureStorageContainer -Name scriptcontainer -Permission Container -Context $StorageContext
Set-AzureStorageBlobContent -Container $Container.Name -File $Path -Context $StorageContext

# Run Script.ps1 on the VM through the Custom Script extension
Set-AzureRmVMCustomScriptExtension -ResourceGroupName $RG -ContainerName $Container.Name -FileName "Script.ps1" -StorageAccountName $SAName -StorageAccountKey $SAKey.Value -VMName $VMName -Location $Loc -Run "Script.ps1" -Name "ResetDomainAdminPassword"

I will now explain the script in detail.

Log in to your Azure subscription

We use the Login-AzureRmAccount cmdlet to log in to your Azure subscription. To select a particular subscription directly, run the following command:

Login-AzureRmAccount -subscription <subscription id>

Defining the variables

To upload the script and trigger it against the VM, the script asks for the following values when you run it:

  • The path of the script created earlier (Script.ps1)
  • The name of the VM you want to trigger the script against
  • The resource group in which the VM exists
  • The location of the VM (read from the VM object, not typed in)

$Path = Read-Host "Please Enter the path of Script.ps1 extracted from the compressed file"
$VMName = Read-Host "Please Enter the VM Name"
$RG = Read-Host "Please Enter the Resource Group Name"
$Loc = (Get-AzureRmVM -ResourceGroupName $RG -Name $VMName).Location

Specifying the storage account

To store the script in Azure, you need a storage account. When you run the following code snippet, a message box asks whether you already have a storage account, as shown in the following figure.

Asking the user whether a storage account is available

If you select No, the script asks you to enter a name for the storage account according to the displayed conditions and then checks whether that name is still available. If it is not, it prompts you again for another storage account name that meets the conditions. Once an available name is entered, it creates the account.

Specify a name for the storage account that meets the conditions

If you select Yes, it simply prompts you for the name of the existing storage account.

# Yes/No popup (button set 4); the Popup method returns 6 for Yes and 7 for No
$a = New-Object -ComObject WScript.Shell
$SAAnswer = $a.Popup("Do you already have a storage account to upload the script to?", 0, "Storage Account Existence", 4)
If ($SAAnswer -ne 6) {
    # No storage account yet: keep asking until Azure reports the name as available
    Do {
        $SAName = Read-Host "Please enter a name that fulfills the following conditions:`n1- The name must be unique across all storage account names in Azure`n2- It must be 3 to 24 characters long`n3- It can only contain lowercase characters and numbers`n"
        $SAAvail = (Get-AzureRmStorageAccountNameAvailability -Name $SAName).NameAvailable
    } Until ($SAAvail)
    $SA = New-AzureRmStorageAccount -ResourceGroupName $RG -Name $SAName -SkuName Standard_LRS -Location $Loc
}
Else {
    $SAName = Read-Host "Please enter the storage account name"
}

After that, you are ready to upload the script to Azure Storage. First retrieve the storage account key and build a storage context from it. Then create a container in the storage account and upload the script into it by running the following commands. Keep in mind that -Permission Container makes every blob in the container anonymously readable, and Script.ps1 contains the new password in clear text; the extension downloads the file with the storage account key anyway, so a private container (-Permission Off) works just as well, and you should delete the blob once the extension has run.

# key1 of the storage account; the Value property holds the actual key
$SAKey = Get-AzureRmStorageAccountKey -ResourceGroupName $RG -Name $SAName | Where-Object { $_.KeyName -eq "key1" }
$StorageContext = New-AzureStorageContext -StorageAccountName $SAName -StorageAccountKey $SAKey.Value
$Container = New-AzureStorageContainer -Name scriptcontainer -Permission Container -Context $StorageContext
Set-AzureStorageBlobContent -Container $Container.Name -File $Path -Context $StorageContext

Run the script

To run the script on the VM, you use the Set-AzureRmVMCustomScriptExtension cmdlet, which requires no local or domain credentials for the VM. It downloads the script from the Azure Storage account to the VM and executes it with local SYSTEM privileges, so all you need is permission to manage the VM in Azure (for example, the Virtual Machine Contributor role).

Set-AzureRmVMCustomScriptExtension -ResourceGroupName $RG -ContainerName $Container.Name -FileName "Script.ps1" -StorageAccountName $SAName -StorageAccountKey $SAKey.Value -VMName $VMName -Location $Loc -Run "Script.ps1" -Name "Add another admin"
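As an added example (my code, not the post's download), here is the same procedure with the password passed as a script argument instead of being written into the uploaded file, a private container, and cleanup of the blob and the extension afterwards. It assumes the AzureRm modules are loaded and you are logged in, that $SAName is an existing storage account in $RG, and that your AzureRm.Compute version supports the -SecureExecution switch of Set-AzureRmVMCustomScriptExtension; the file name AddAdmin.ps1, the extension name and the parameter names are my own choices.

```powershell
# Assumes: AzureRm loaded and logged in, $SAName exists in $RG, -SecureExecution supported.
param(
    [Parameter(Mandatory)] [string]$RG,
    [Parameter(Mandatory)] [string]$VMName,
    [Parameter(Mandatory)] [string]$SAName,
    [Parameter(Mandatory)] [string]$NewAdmin
)

# Read the password without echoing it. It travels on a command line inside the VM,
# so avoid spaces and cmd metacharacters (& | < > ^ % ") when choosing it.
$Secure = Read-Host -AsSecureString "Password for local admin $NewAdmin"
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# The script takes user and password as parameters, so the uploaded blob holds no secret.
$ScriptBody = @'
param([string]$User, [string]$Pass)
net user $User $Pass /add
net localgroup Administrators $User /add
net localgroup "Remote Desktop Users" $User /add
'@
$Local = Join-Path $env:TEMP 'AddAdmin.ps1'
Set-Content -Path $Local -Value $ScriptBody -Encoding ASCII

$Loc   = (Get-AzureRmVM -ResourceGroupName $RG -Name $VMName).Location
$SAKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $RG -Name $SAName |
          Where-Object { $_.KeyName -eq 'key1' }).Value
$Ctx   = New-AzureStorageContext -StorageAccountName $SAName -StorageAccountKey $SAKey

# Private container (-Permission Off): the extension downloads with the account key,
# so the blob never needs to be anonymously readable.
$Container = 'scriptcontainer'
if (-not (Get-AzureStorageContainer -Name $Container -Context $Ctx -ErrorAction SilentlyContinue)) {
    New-AzureStorageContainer -Name $Container -Permission Off -Context $Ctx | Out-Null
}
Set-AzureStorageBlobContent -Container $Container -File $Local -Blob 'AddAdmin.ps1' -Context $Ctx -Force | Out-Null

# -SecureExecution stores -Run and -Argument in the extension's protected settings,
# so the password is not readable from the VM's extension properties afterwards.
Set-AzureRmVMCustomScriptExtension -ResourceGroupName $RG -VMName $VMName -Location $Loc `
    -Name 'AddAdmin' -ContainerName $Container -FileName 'AddAdmin.ps1' `
    -StorageAccountName $SAName -StorageAccountKey $SAKey `
    -Run 'AddAdmin.ps1' -Argument "-User $NewAdmin -Pass $Password" -SecureExecution | Out-Null

# Clean up: the script blob, the local copy and the extension are no longer needed.
Remove-AzureStorageBlob -Container $Container -Blob 'AddAdmin.ps1' -Context $Ctx -Force
Remove-Item $Local
Remove-AzureRmVMCustomScriptExtension -ResourceGroupName $RG -VMName $VMName -Name 'AddAdmin' -Force
Write-Host "Local administrator $NewAdmin created on $VMName."
```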

You can download the script from one of the following links: GitHub or TechNet Gallery.

Conclusion

It is definitely no fun when you forget your admin account password and can no longer access your Azure VMs. The scripts discussed in this article should solve that problem. If you have forgotten your on-premises domain admin account password instead, you might want to read this article.

© 4sysops 2006 - 2021