Guest OS Customization Forcing Password Changes for Non-Admin Users in Cloud Director
search cancel

Guest OS Customization Forcing Password Changes for Non-Admin Users in Cloud Director

book

Article ID: 431068

calendar_today

Updated On:

Products

VMware Cloud Director

Issue/Introduction

  • Local user passwords incorrectly flagged for change during Guest OS customization on Windows VMs in Cloud Director 10.6.x
  • When applying Guest OS customization to Windows VMs within Cloud Director, local non-administrator accounts (including service-level accounts) are being prompted to change their passwords upon the first login.

  • This behavior is unexpected, as the "Require Administrator to change password on first login" requirement should ideally only apply to the Administrator account. This can disrupt automated services and service provider accounts that rely on static credentials.

     

Environment

Cloud Director 10.6.x

Cause

This is a identified issue in Cloud Director 10.6. During the customization process, user properties for non-administrator accounts are being reset, causing the PasswordExpires flag to be triggered incorrectly.

Resolution

Broadcom is currently working on a formal fix for this issue. In the interim, you can prevent forced password changes by using a customization script to manually disable password expiration for specific users.

Add the following commands to the Script section of your Guest OS customization settings:

Option 1: The PowerShell One-Liner (Recommended)

powershell.exe -Command "& { ('User1', 'User2', 'ServiceAccount') | ForEach-Object { Get-LocalUser -Name $_ | Set-LocalUser -PasswordNeverExpires $true } }"

 

Option 2: The WMIC Method (Line-by-Line)
With standard Windows batch commands or are on an older OS version where PowerShell cmdlets not available, you must add a separate line for each user.

wmic useraccount where Name='User1' set PasswordExpires=FALSE
wmic useraccount where Name='User2' set PasswordExpires=FALSE
wmic useraccount where Name='ServiceAccount' set PasswordExpires=FALSE

(Replace 'User1' and 'User2' with the specific service or local accounts you wish to protect.)

Running these commands ensures the PasswordExpires property is set to false, allowing these users to log in without a reset prompt after customization is complete.

Reference: Change the Guest OS Customization of a Virtual Machine

Powered by Wolken Software