Reset Windows administrator password to random on EC2


https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html

For our Floating Cloud images the process is to:

  • run the password reset scripts
  • copy the config.xml file to the
    C:\Program Files\Amazon\Ec2ConfigService\Settings directory
  • create the AMI without powering off or rebooting the instance (the random password is generated on the first boot of an instance launched from the AMI and is decrypted with the key pair's private key, so nothing in the image should carry a known password)

[Windows Server 2016 and later] Configure settings using EC2Launch. To generate a random password at launch time, use the adminPasswordType setting. For more information, see Configuring EC2Launch.

[Windows Server 2012 R2 and earlier] Configure settings using EC2Config. To generate a random password at launch time, enable the Ec2SetPassword plugin; otherwise, the current administrator password is used. For more information, see EC2Config Settings Files.

https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html#ec2launch-config

To configure initialization settings

  1. On the instance to configure, open the following file in a text editor: C:\ProgramData\Amazon\EC2-Windows\Launch\Config\LaunchConfig.json.
  2. Update the following settings as needed and save your changes. Provide a password in adminPassword only if adminPasswordType is Specify.

     {
       "setComputerName": false,
       "setWallpaper": true,
       "addDnsSuffixList": true,
       "extendBootVolumeSize": true,
       "handleUserData": true,
       "adminPasswordType": "Random | Specify | DoNothing",
       "adminPassword": "password that adheres to your security policy (optional)"
     }

     The password types are defined as follows:

     Random: EC2Launch generates a password and encrypts it using the user's key. The system disables this setting after the instance is launched so that this password persists if the instance is rebooted or stopped and started.

     Specify: EC2Launch uses the password you specify in adminPassword. If the password does not meet the system requirements, EC2Launch generates a random password instead. The password is stored in LaunchConfig.json as clear text and is deleted after Sysprep sets the administrator password. EC2Launch encrypts the password using the user's key.

     DoNothing: EC2Launch uses the password you specify in the unattend.xml file. If you don't specify a password in unattend.xml, the administrator account is disabled.
  3. In Windows PowerShell, run the following command to schedule the script to run as a Windows Scheduled Task. The script runs one time during the next boot and then disables these tasks from running again.

     PS C:\> C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
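The following PowerShell script is an added example (not from the AWS documentation and not one of the page's own "password reset scripts") that carries out the two configuration paths described above in one place: for Windows Server 2016 and later it sets adminPasswordType to Random in LaunchConfig.json and schedules InitializeInstance.ps1; for Windows Server 2012 R2 and earlier it enables the Ec2SetPassword plugin in config.xml. It assumes the stock file locations quoted on this page and the standard config.xml layout (a Plugins element containing Plugin elements with Name and State children); the function names and the build-number check are ours. Run it on the instance as an administrator immediately before creating the AMI.

```powershell
# Added example: prepare an EC2 Windows instance so that an AMI taken from it
# produces a random administrator password on first boot. Not AWS or page code.

$LaunchConfigPath = 'C:\ProgramData\Amazon\EC2-Windows\Launch\Config\LaunchConfig.json'
$Ec2ConfigPath    = 'C:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml'
$InitScript       = 'C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1'

function Set-RandomAdminPasswordEC2Launch {
    # Windows Server 2016 and later: EC2Launch reads LaunchConfig.json.
    param([string]$Path = $LaunchConfigPath, [string]$Script = $InitScript)

    $cfg = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $cfg.adminPasswordType = 'Random'
    # Do not leave a clear-text password in the image; it is only used for "Specify".
    if ($cfg.PSObject.Properties.Name -contains 'adminPassword') { $cfg.adminPassword = '' }
    $cfg | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8

    # Re-read the file and verify before the image is captured.
    $check = Get-Content -Path $Path -Raw | ConvertFrom-Json
    if ($check.adminPasswordType -ne 'Random') {
        throw "adminPasswordType is '$($check.adminPasswordType)', expected 'Random' in $Path"
    }

    # Step 3 of the AWS procedure: run InitializeInstance.ps1 once on the next boot.
    & $Script -Schedule
}

function Set-RandomAdminPasswordEC2Config {
    # Windows Server 2012 R2 and earlier: EC2Config reads config.xml.
    param([string]$Path = $Ec2ConfigPath)

    [xml]$xml = Get-Content -Path $Path
    $plugin = $xml.SelectSingleNode("/Ec2ConfigurationSettings/Plugins/Plugin[Name='Ec2SetPassword']")
    if (-not $plugin) { throw "Ec2SetPassword plugin entry not found in $Path" }
    $plugin.SelectSingleNode('State').InnerText = 'Enabled'
    $xml.Save($Path)

    # Verify the saved file, not the in-memory object.
    [xml]$check = Get-Content -Path $Path
    $state = $check.SelectSingleNode("/Ec2ConfigurationSettings/Plugins/Plugin[Name='Ec2SetPassword']/State").InnerText
    if ($state -ne 'Enabled') { throw "Ec2SetPassword is '$state', expected 'Enabled' in $Path" }
}

# Choose the agent by OS build; Windows Server 2016 is build 14393.
# (Assumption: the instance runs the agent that ships with its OS generation.)
$build = [System.Environment]::OSVersion.Version.Build
if ($build -ge 14393) {
    Set-RandomAdminPasswordEC2Launch
} else {
    Set-RandomAdminPasswordEC2Config
}
Write-Host 'Ready: create the AMI now without rebooting or stopping the instance.'
```

After launching an instance from the resulting AMI, confirm the behaviour with the console's "Get Windows password" action (or `aws ec2 get-password-data` with the key pair's private key); if no password data is returned after the first boot, the setting did not survive image creation.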

Also see: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2config-service.html