Local Administrator Password Change

Hi Team,

I am facing an issue while changing the local Administrator password on 150 VMs.
When I try to change the password the first time, I am able to do that.
But when I try to change the password the second time, that is, running the same script, I get the error Access Denied.
This means that after the password is changed by PowerShell it shows success, but after that I am unable to connect to any server. To resolve that issue I have to reset the Administrator password manually.

I am not able to find what exactly the issue is. Please look into this.

@Rohit Welcome to PowerShell.org forums.

How did you change the password remotely? Can you share the code with sensitive data removed? It will help folks understand the problem better.

If you are using credentials to connect to the VM and the password for that same credential is modified, then you will have to use the new, changed password to connect again.

@kvprasoon

I tried 4 methods. The first time I am able to change the password, but after that I am not able to connect to any server;
to resolve that issue I have to reset the password manually.

All methods behave the same.
###########################################################################

Method 1:-


$computers = Get-Content -path "C:\Users\Administrator\Documents\ip.txt"

$password = Read-Host -prompt "Enter new password for user" -assecurestring
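# Decode the SecureString for the ADSI call, then zero and free the unmanaged copy.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$decodedpassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)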
foreach ($Computer in $Computers) {
    $Computer = $Computer.toupper()
    $Isonline = "OFFLINE"
    $Status = "SUCCESS"
    $StatsError ="Failed"
    if((Test-Connection -ComputerName $Computer -count 1 -ErrorAction 0)) {
    $Isonline = "ONLINE"
    } 
    else 
    { 
    $StatsError= "`t$Computer is OFFLINE" 
    }
    try {
        $account = [ADSI]("WinNT://$Computer/Administrator")
        $account.psbase.invoke("setpassword",$decodedpassword)
        $StatsError="Administrator Password changed successfully"
    }
    catch {
        $status = "FAILED"
        $StatsError="$_"
}

$obj = New-Object -TypeName PSObject -Property @{
    ComputerName = $Computer
    IsOnline = $Isonline
    PasswordChangeStatus = $Status
    Status=$StatsError
}

$obj | Select ComputerName, IsOnline, PasswordChangeStatus,Status
}

#################################################################################

Method 2:-


$computer = Get-Content -path "C:\Users\Administrator\Documents\ip.txt"
$Command = {
    $Password = (Read-Host -Prompt "New Password" -AsSecureString)
    $UserAccount = Get-LocalUser -Name Administrator
    $UserAccount | Set-LocalUser -Password $Password
}
foreach($computerName in $computer)  
{  
    $session = New-PSSession -computername $computerName
    Invoke-Command -session $session -scriptblock $command
    Remove-PSSession $session
}

#################################################################################
Method 3:-


$computer = Get-Content -path "C:\Users\Administrator\Documents\ip.txt"
foreach($computerName in $computer)  
{  
Invoke-Command -ComputerName $computerName -ScriptBlock { net user Administrator 'Password'}

}

#################################################################################

Method 4:-


$computer = Get-Content -path "C:\Users\Administrator\Documents\ip.txt"
foreach($computerName in $computer)  
    {  
    Invoke-Command -ComputerName $computerName -ScriptBlock { 
        $Password = (Read-Host -Prompt "New Password" -AsSecureString)
        $UserAccount = Get-LocalUser -Name Administrator
        $UserAccount | Set-LocalUser -Password $Password

    }

}

Let's stick to one method, say 2 here.

You can make it like below, taking the prompt outside the scriptblock.

$computer = Get-Content -path "C:\Users\Administrator\Documents\ip.txt"
$Command = {
    Param([System.Security.SecureString]$Password)
    $UserAccount = Get-LocalUser -Name Administrator
    $UserAccount | Set-LocalUser -Password $Password
}
foreach($computerName in $computer)  
{  
    $Password = (Read-Host -Prompt "New Password" -AsSecureString)
    Invoke-Command -ComputerName $computerName  -scriptblock $command -ArgumentList $Password
}

Since the remote call is only done once, you won't get the benefit of using a session.

Have you tried executing the code inside the scriptblock multiple times while logged in locally?

@kvprasoon
Yes, the same script works locally multiple times; there is no issue with that.

But when I try to execute it remotely, it's not working.

Thanks for your suggestion, I will check your method.

Are your systems connected to a domain?

Who is the logged-in user on the system where you executed the script? Are that user and the user whose password is being changed the same? Do they both have the name Administrator?

@kvprasoon
I am trying on workgroup servers; all are in the workgroup. Since I am getting this issue, I am currently trying on 2 servers only. There are domain servers, but I haven't tried on those so far.

I am logged in as Administrator on the machine from where I am executing the script.

I am running as the Administrator user and changing the Administrator password of the other workgroup server.

So mostly that's the reason. Always use -Credential with Invoke-Command when in a workgroup, especially when changing the password of a user with the same name as the currently logged-in user.

When you don't use a credential, Invoke-Command uses the currently logged-in user. In this case the user name is the same, Administrator, and the password was also the same once, but it has been changed for the other VMs.

@kvprasoon

I am explaining to you once again:

  1. I got the server from a client for the first time. I executed the script on the server remotely for the first time and was able to change the password without -Credential. For example, I ran the script below:

Invoke-Command -ComputerName $computerName -ScriptBlock { net user Administrator 'Password' }
or
I used Method 2 or Method 3.

  2. Now the password is changed and I am able to RDP with the new password.

  3. Now when I run the same script, or a simple script like the one below, I get an error:

Invoke-Command -ComputerName $computerName -ScriptBlock { hostname }

It does not connect to the server.

After the password change I am able to RDP, but I am unable to connect to the server with PowerShell.

Connect-WSMan ServerName also says access denied.

Let me try to make it clear.

To connect to a remote system, PowerShell needs to be authenticated. When you run Invoke-Command, by default it runs as the logged-in user or the user that was used to launch the PowerShell process.

Here what I think happened is: the first time, it connected to all the servers because the server you are trying to connect to and the server where the script is executing have the same user and password. The next time you execute, the user is the same but the password has been changed at the other end.

If the above is the case, then it's always better to use -Credential.

You could try it once :)

  1. I run the Connect-WSMan cmdlet and it works
  2. I run Invoke-Command with a simple hostname and Get-Date and it works
  3. I change the password
  4. Now it's not working
  5. It is not connecting to the server

To resolve this issue I have to reset the password manually; after that it works.
I am not able to understand: after changing the password with PowerShell it should also connect with PowerShell, but it is not connecting.

Yes, you are right, after using -Credential it's working.

Please suggest: if I keep the same password as the source host from where I am executing, will it work?

If you are not using the -Credential parameter, then both should be the same. It's suggested to use -Credential.
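
The resolution the thread arrives at, sketched as an added example (not code from any of the posters): prompt once for the current credential and the new password, pass -Credential explicitly on every call, and confirm each host accepts the new password. The file path and account name come from the thread; the variable names and the result object are illustrative, and WinRM connectivity to the workgroup hosts is assumed to be set up as in the thread.

```powershell
# Added example; variable names and the result object are illustrative.
$computers = Get-Content -Path "C:\Users\Administrator\Documents\ip.txt"

# Prompt once, outside the loop and outside the remote scriptblock.
$oldCred     = Get-Credential -UserName 'Administrator' -Message 'Current local Administrator credential'
$newPassword = Read-Host -Prompt 'New password' -AsSecureString
$newCred     = New-Object System.Management.Automation.PSCredential($oldCred.UserName, $newPassword)

$setPassword = {
    Param([System.Security.SecureString]$Password)
    Get-LocalUser -Name Administrator | Set-LocalUser -Password $Password
}

$results = foreach ($computerName in $computers) {
    $status = 'Changed'
    try {
        # Explicit credential: never rely on the caller's logon session,
        # which stops matching the target as soon as the password differs.
        $change = @{
            ComputerName = $computerName
            Credential   = $oldCred
            ScriptBlock  = $setPassword
            ArgumentList = $newPassword
            ErrorAction  = 'Stop'
        }
        Invoke-Command @change
    }
    catch {
        # On a rerun this is where Access Denied appears if the host
        # already carries the new password.
        $status = "ChangeFailed: $($_.Exception.Message)"
    }

    # Verify the outcome by connecting with the NEW credential.
    try {
        $null = Invoke-Command -ComputerName $computerName -Credential $newCred -ScriptBlock { hostname } -ErrorAction Stop
        $newPasswordWorks = $true
    }
    catch {
        $newPasswordWorks = $false
    }

    [PSCustomObject]@{
        ComputerName     = $computerName
        Status           = $status
        NewPasswordWorks = $newPasswordWorks
    }
}
$results | Format-Table -AutoSize
```

A host that reports ChangeFailed with NewPasswordWorks set to True was already changed by an earlier run, so the script can be rerun safely across all 150 VMs.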