The PowerShell script discussed in this post allows you to reset an expired domain admin password on a domain controller running in Azure. You'll need this script when a password reset attempt fails with the following error message: Failed to reset password: VM reported a failure when processing extension 'enablevmaccess'. Error message: "VMAccess Extension does not support Domain Controller."

Mohamed A. Waly

In July 2014 Mohamed was recognized as the youngest MVP in the world. He authored two books about Microsoft Azure: Learning Microsoft Azure Storage and Hands-On Networking with Azure. Mohamed is currently working for BlueCloud Technologies as an infrastructure consultant.

When you have Active Directory domain controllers in Azure, you'll face an awkward scenario when the domain admin password expires. When you try to RDP to the domain controller VM, it'll display a message telling you the password is expired and you need to specify a new one.

Unfortunately, you'll end up in an endless loop that tells you to change the password before signing in. You can't do so because the screen where you would set a new password never appears; the message that you need to change the password simply repeats, as the following figure shows:

The user's password must be changed before signing in

You might think of using the "Reset Password" extension, but it won't work with domain controllers. You'll get the following error message:

Failed to reset password: VM reported a failure when processing extension 'enablevmaccess'. Error message: "VMAccess Extension does not support Domain Controller."

Failed to reset password

I've created a PowerShell script that will solve this issue. First, you need to save the following script in a file named Script.ps1.

We'll use this script to change the password of the domain admin account. Therefore, you need to replace "username" with the domain admin account and "password" with the new password you need to set.

After saving this, you can run the following script:

The following steps describe the script:

  1. At the beginning, it will prompt you to enter the user name and password of the tenant admin.
  2. You then need to specify the path of the Script.ps1 file created earlier, the name of the domain controller VM, and the name of the resource group in which it exists.
  3. After that, the $Loc variable will retrieve the location of the VM.
  4. A message box will pop up, asking you to specify whether or not you have a storage account to upload the script created earlier to it.
  5. If not, it will ask you to enter a name for a new storage account, and the script will check its availability. If the name is not available, the script will prompt you to enter a new storage account name.
  6. If yes, you need to specify the name of an existing storage account.
  7. Using the storage account name variable and the resource group variable, it will retrieve the key of the storage account.
  8. It will then use that key to create a storage context.
  9. Using that context, it will create a new container to store the uploaded script in.
  10. After creating the container, the script will upload Script.ps1 to the container.
  11. Finally, it will install a custom script extension with the script created earlier on the Azure VM, changing the domain admin account password to the password you specified in the script.
  12. When you try to RDP to the VM with the new password, you'll note that everything is working fine.

You can download the script from GitHub or TechNet Gallery.
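As an added example (not the author's script), here is a sketch of steps 7 through 11 for the case where a storage account already exists, with cleanup added because Script.ps1 holds the new password in plain text. It assumes the Az PowerShell module; every name and path in the variables is a placeholder, not a value from this article.

```powershell
# Added example, not the article's script. Assumes the Az module is installed.
# All values below are placeholders (assumptions); replace them with your own.
$ResourceGroup  = 'rg-example'
$VMName         = 'dc01-example'
$StorageAccount = 'stexample001'          # existing storage account
$ScriptPath     = 'C:\Temp\Script.ps1'    # the file saved earlier
$Container      = 'dc-recovery'
$ExtensionName  = 'ResetAdminPassword'

# Step 1: sign in interactively instead of storing tenant admin credentials.
Connect-AzAccount | Out-Null

# Step 3: the extension must be deployed to the VM's own location.
$Loc = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName).Location

# Steps 7-8: fetch the account key and build a storage context from it.
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$Ctx = New-AzStorageContext -StorageAccountName $StorageAccount -StorageAccountKey $Key

# Step 9: create the container with no anonymous access (-Permission Off),
# because the blob will contain a domain admin password.
if (-not (Get-AzStorageContainer -Name $Container -Context $Ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $Container -Context $Ctx -Permission Off | Out-Null
}

# Step 10: upload Script.ps1.
Set-AzStorageBlobContent -File $ScriptPath -Container $Container -Blob 'Script.ps1' `
    -Context $Ctx -Force | Out-Null

try {
    # Step 11: the custom script extension downloads and runs Script.ps1 on the VM.
    Set-AzVMCustomScriptExtension -ResourceGroupName $ResourceGroup -VMName $VMName `
        -Location $Loc -Name $ExtensionName -StorageAccountName $StorageAccount `
        -StorageAccountKey $Key -ContainerName $Container `
        -FileName 'Script.ps1' -Run 'Script.ps1' | Out-Null
}
finally {
    # Cleanup: remove every copy of the plain-text password this script controls.
    Remove-AzStorageBlob -Blob 'Script.ps1' -Container $Container -Context $Ctx -Force
    Remove-AzVMCustomScriptExtension -ResourceGroupName $ResourceGroup -VMName $VMName `
        -Name $ExtensionName -Force | Out-Null
    Remove-Item -Path $ScriptPath
}
```

The extension also leaves a downloaded copy of Script.ps1 on the VM's disk, so once you can sign in again, delete that copy and change the password to one that was never written to a file.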

Conclusion

It's definitely no fun when your domain admin account password expires and you can no longer access your domain controller. Using the scripts mentioned in this article should solve your issue.


  1. Dan 8 months ago

    Thank you!!!!



© 4sysops 2006 - 2019

