Windows 8 user.setpassword Access is denied

  • Question

  • Hi,

    Does anyone have an idea why the following script

    Set objUser = GetObject("WinNT://CompName/UserName,User")
    objUser.SetPassword "test123"

    (under admin account, with disabled UAC) returns "Access is denied" (80070005) error (on line 2, naturally) on Windows 8(.1) and Server 2012, while it works on Windows 7, Server 2008 R2 and XP?

    Thanks in advance!

    Saturday, September 20, 2014 10:05 PM

Answers

  • Solved, my mistake. I didn't use the "run as administrator" option - although I can't understand how it happened. Sorry everyone.
    • Marked as answer by mixi3 Sunday, September 21, 2014 10:20 AM
    Sunday, September 21, 2014 10:20 AM

All replies

  • Yup.  That is the way it works.

    What is it you are trying to  do?  It appears that you are trying to change the local admin password.  Is that correct?


    ¯\_(ツ)_/¯

    Saturday, September 20, 2014 10:09 PM
  • Yes, I'm trying to set new password for a local (not domain) user (not necessarily with admin rights). I'm working in an extremely mixed environment and I need to create a script that my network administrator will use on any machine.
    Saturday, September 20, 2014 10:17 PM
  • Try this:

    # Input:
    $ComputerName = "localhost"
    $UserName = "Test1" # Assumes user exists
    $Password = "MyNewPass1"
    
    # Change Password:
    $objUser = [ADSI]"WinNT://$ComputerName/$UserName,user"
    $objUser.SetPassword($Password)
    $objUser.SetInfo() 
    
    # Verify:
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine',$ComputerName)
    $DS.ValidateCredentials($UserName,$Password)


    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable) _________________________________________________________________________________ Powershell: Learn it before it's an emergency http://technet.microsoft.com/en-us/scriptcenter/powershell.aspx http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx

    Saturday, September 20, 2014 10:56 PM
  • From any remote machine you can set the password if your account is in the Administrators group on the remote machine.

    If you are running this on the remote machine you must be executing it from an elevated prompt.

    You cannot bypass security on Windows Vista and later.


    ¯\_(ツ)_/¯

    Saturday, September 20, 2014 10:57 PM
  • Try this:

    # Input:
    $ComputerName = "localhost"
    $UserName = "Test1" # Assumes user exists
    $Password = "MyNewPass1"
    
    # Change Password:
    $objUser = [ADSI]"WinNT://$ComputerName/$UserName,user"
    $objUser.SetPassword($Password)
    $objUser.SetInfo() 
    
    # Verify:
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine',$ComputerName)
    $DS.ValidateCredentials($UserName,$Password)



    Sam, "SetPassword" is immediate.  SetInfo only affects properties being assigned. SetPassword is a method call on the ADSI user object.  Method calls do NOT require SetInfo.


    ¯\_(ツ)_/¯

    Saturday, September 20, 2014 11:02 PM
  • Yep, you're right. Testing shows SetInfo() is not needed. Last time I used this, I had to use SetInfo().. maybe I'm just getting old :D

    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable) _________________________________________________________________________________ Powershell: Learn it before it's an emergency http://technet.microsoft.com/en-us/scriptcenter/powershell.aspx http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx

    Saturday, September 20, 2014 11:20 PM
  • So... You are saying that script can change remote user's password, but not local user password (if started with admin rights on both machines)?

    Sorry, PowerShell is not an option.

    Saturday, September 20, 2014 11:24 PM
  • Yep, you're right. Testing shows SetInfo() is not needed. Last time I used this, I had to use SetInfo().. maybe I'm just getting old :D

    There have been many incorrect examples over the years.  Methods in MWI never require SetInfo.


    ¯\_(ツ)_/¯

    Saturday, September 20, 2014 11:58 PM
  • So... You are saying that script can change remote user's password, but not local user password (if started with admin rights on both machines)?

    Sorry, PowerShell is not an option.

    When you say "started with admin privileges" what does that mean?  You can log on as a member of the Administrators group.  Even then you need to choose to elevate to obtain full privileges.

    On my Windows 8.1 machine here I right click and choose "Run as Administrator" on the CMD or PowerShell shell program or shortcut.

    In PowerShell you can  just do this:

    $user=[adsi]'WinNT://./TestUser'
    $user.SetPassword('newpassword')

    That is all.  From a remote system just add the computername and it works even if you are not elevated.  Just call the method.

    Locally you must always be elevated to make certain changes to the local system.


    ¯\_(ツ)_/¯

    • Proposed as answer by jrv Sunday, September 21, 2014 12:07 PM
    Sunday, September 21, 2014 12:10 AM
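
Added example, not part of the thread: a PowerShell wrapper around the ADSI `SetPassword` call shown above that checks for an elevated token before a local change, which is the condition behind the "Access is denied" error discussed here. The function names `Test-IsElevated` and `Set-LocalUserPassword` are hypothetical; `Test1` is the sample user name from the earlier reply.

```powershell
# Added example. Function names are hypothetical, not from the thread.

function Test-IsElevated {
    # True only when the current token carries the enabled Administrators group.
    # A member of Administrators running with a UAC-filtered token gets $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-LocalUserPassword {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][securestring]$NewPassword,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Local targets need an elevated token; fail early with a clear message
    # instead of surfacing a bare 80070005 from the ADSI call.
    $localNames = @('.', 'localhost', $env:COMPUTERNAME)
    if (($localNames -contains $ComputerName) -and -not (Test-IsElevated)) {
        throw "Not elevated: start the shell with 'Run as administrator' to change a local account."
    }

    # The WinNT provider takes a plain string, so decrypt only for the call
    # and wipe the unmanaged copy afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $user  = [ADSI]"WinNT://$ComputerName/$UserName,user"
        $user.SetPassword($plain)   # method call; no SetInfo() required
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Usage (prompts for the password instead of hard-coding it in the script):
#   Set-LocalUserPassword -UserName 'Test1' -NewPassword (Read-Host 'New password' -AsSecureString)
```

Prompting with `Read-Host -AsSecureString` keeps the new password out of the script file and the command history.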
  • When I say "admin rights" I always mean "member of local Administrators group and started with elevated privileges (run as Administrator) and UAC is disabled". 

    Back to my situation: 

    1. I start WMI user.SetPassword command with admin rights on Windows 7 for user on local computer, it works.

    2. I start WMI user.SetPassword command with admin rights on Windows 7 for user on remote (Windows 8, Server 2012) computer, it works.

    3. I start WMI user.SetPassword command with admin rights on Windows 8 (Server 2012) for user on remote (Windows 7) computer, it works.

    4. I start WMI user.SetPassword command with admin rights on Windows 8 (Server 2012) for user on local computer, "Access is denied".

    You say option 4 is such "by design". Is there something I can do to make option 4 work?

    Sunday, September 21, 2014 5:47 AM
  • Where are you using WMI? All of the code is for ADSI. I see no WMI code here.

    Windows 8 is NOT WS2012.  They share the same GUI style and base core but they are not the same.


    ¯\_(ツ)_/¯


    • Edited by jrv Sunday, September 21, 2014 8:32 AM
    Sunday, September 21, 2014 8:31 AM
    • Proposed as answer by jrv Sunday, September 21, 2014 12:07 PM
    • Unproposed as answer by jrv Sunday, September 21, 2014 12:07 PM
    Sunday, September 21, 2014 8:47 AM
  • Solved, my mistake. I didn't use the "run as administrator" option - although I can't understand how it happened. Sorry everyone.

    That is what I posted that you needed to do.

    ¯\_(ツ)_/¯

    Sunday, September 21, 2014 12:08 PM