Password reverted to initial Windows password after automated reboot from Windows Updates

[Alex Stoica]

Hi,

We are having an issue with some Windows servers that reverted the passwords set on the account used to create the instances, to the initial Windows passwords after an automatic reboot from Windows updates.

Some services running on the server are tied up to the passwords that we set so if the instance reboots automatically after Windows Updates it reverts to the initial one and the services dependent on the password that we set stops working.

Tried to replicate this using the new image for Windows 2009 server but it does not revert the password.

Is there anybody that has encountered this issue?

Checking the metadata for the affected servers will show the initial password but it doesn't on a test instance using the latest image.

Thank you.

[Alex Stoica]

I took a snapshot after the instance that had the initial Windows password changed and launched a new instance using this snapshot.

I have tried to log into it with the changed password and it did not worked. 

I have used the initial Windows password of the instance that I generated the snapshot and it worked.

Shouldn't the snapshot have the changed password and allow RDP into it with the changed password instead of allowing the initial Windows password of the original instance where it was already changed?

[Faizan (Google Cloud Support)]

Hello Alex,

Have you created your instance using the new Windows image (v20150511 or higher)? You can try to reset your password using this command: gcloud compute instances add-metadata [instance-name] --metadata gce-initial-windows-password=[password] --project [project-id] --zone [zone-name] which will make the change in the metadata.

Faizan

[Alex Stoica]

Hi Faizan,

Thank you for your reply. 

I have tried to reset the password using the method proposed by you on the instance created from the snapshot and it didn't worked because it was not sysprep-ed for which it gave me an error.

Using the command to see what authentication version I was using on one of the production servers that had the revert password issue I didn't get the version as they are presented on the GCE documentation but I think I got my answer from this output:

GCE Agent started.

Starting AddressManager

Booting on date 06/10/2015 03:21:35

project-name-587 already exists on prod-apps-1a. Setting password.

---------------------------------------------------------

Password from gce-initial-windows-password key applied.

---------------------------------------------------------

Running reg with arguments add HKLM\SOFTWARE\Google\ComputeEngine\State /v ManagedUserAccount /d moonlit-parsec-425 /t REG_SZ /f

-->  The operation completed successfully. 

From this I deduced that the GCE Agent had reset the existing password on the initial-user to the initial-password and I think this is by design on old authentication method as a safeguard for those that could forget the passwords. I am not sure that I am right about this as being a default action by design because I have found no info on it on the GCE Docs.

I decided instead to use a utility/service account for the services needing this without binding them to the initial user that could have the password reset at reboot.

Please confirm if my assumptions are correct and thank you!

[Faizan (Google Cloud Support)]

Hello Alex,

I was able to see the same behavior on the Windows instances created with the older image. With that being said, I would recommend going through the steps mentioned on this link to update existing Windows Instances.

Faizan