Resetting a local Windows Account on a Workgroup computer

[support]

This forum post will describe how to set up a Password Record to automatically reset a Local Windows Admin account on a remote server that is in a Workgroup, and not joined to your domain.

 

Step 1: Ensure you have prerequisites set up for your web server and hosts, as per this forum post (Once off process)

Step 2: Add new Password Record configured as follows

 

Screen 1: Ensure you configure the below 5 options correctly and enter in the password for the account.  If you configure an Expiry Date it will automatically change the password in Passwordstate and on the Host when that date is reached.  Please note if you do not have functioning DNS to your Workgroup server, you may need to add it into the system as an IP Address instead.  Please see this forum post on how to configure this:  https://www.clickstudios.com.au/community/index.php?/topic/2127-adding-in-a-host-that-does-not-have-functioning-dns/

 

 

Screen 2: Ensure the "Reset Windows Password" script is selected under the Reset Options tab, and in this case you do not need to select a privileged Account.  Instead when a password reset process is executed, it will connect to the machine using it's own credentials, and it will then perform the reset for itself.  There are a couple of prerequisites to allow this to happen, which is mentioned at the bottom of this post:

 

Screen 3: Ensure the "Validate Password for Windows Account" script is selected under the Heartbeat Options tab:

 

 

Prerequisites for WorkGroup machines to allow for password resets and heartbeats:

 

1. On your Passwordstate webserver, execute the following Powershell command to trust all hosts:  Set-Item WSMAN:\localhost\Client\TrustedHosts -value *  (It's possible to specify your workgroup server instead of the wildcard * if you prefer) 
2. Ensure you have enabled Powershell Remoting on the Workgroup machine.  To do this open Powershell "As Administrator" and execute enable psremoting -force
3. On the same Workgourp machine, you must enable remote connections to the server for your Administrator account.  To do this, open Powershell "As Administrator" and execute the command below, which adds a registry key to your system.  This is a Microsoft requirement and you can read more about it in this link:  https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting?view=powershell-5.1

 

New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` -PropertyType DWord -Value 1