Oracle Cloud Infrastructure Quick Tip – Unlock the Windows OPC User Account

Today, after testing some Oracle Cloud Infrastructure firewall changes and login tests into a running Windows 2019 Server, the account of the administration user opc was locked: "The referenced account is currently locked out and may not be logged on." And now? There was no other user available with administrator privileges to unlock this account. There are basically two methods to solve the issue.

a) The Coffee Cup Style – just wait

You know the password? The Windows Server 2019 images provided by Oracle Cloud Infrastructure use a 5-minute lockout policy before you can try again, so grab a cup of coffee and wait. FYI, these 5 minutes do not conform to the STIG rules; a lockout duration of 15 minutes is recommended. You can change it in the group policy. See here: Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. (stigviewer.com)

b) The Tech Style – use the chntpw Tool

You forgot the password and do not want to wait? There is a blog entry on blogs.oracle.com from @mz_oracle that describes exactly the steps to mount the boot volume as a block device in an Ubuntu instance and use the chntpw tool (chntpw.com) to change it: Tutorial: How to Reset a Forgotten Password for a Windows Instance (oracle.com). This tool edits the SAM database where Windows stores password hashes.

With this method you are able to reset any Windows administrator account, so take care! FYI – there is a MOS note for Linux available too: How to Reset the Password on OCI Oracle Linux Instances? (Doc ID 2408898.1).

How it goes:

Be prepared

I personally don’t recommend using the opc account to work on the instance in the cloud, just as it is not recommended to work with the Windows Administrator account locally and on-prem for application-related tasks. For the emergency case and to avoid the tech style method, create a second user and add it to the Administrators group to have another login option. And for all other users, follow the Principle of Least Privilege.
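
The two preparation steps from this post (the 15-minute lockout duration and a second administrator), as an added PowerShell example that is not part of the original post or of Oracle's tutorial. The account name `emergadmin` and the parameter names are assumptions; run it from an elevated session on the instance.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Reports by default; -Apply changes the system.
param(
    [string]$BreakGlassUser = 'emergadmin',  # hypothetical account name
    [int]$MinLockoutMinutes = 15,            # STIG value quoted in the post
    [switch]$Apply
)
$AdminsSid = 'S-1-5-32-544'  # built-in Administrators group, same SID on every locale

# 1) Lockout duration: export the local security policy and read the INF key.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
$hit = Select-String -Path $inf -Pattern '^\s*LockoutDuration\s*=\s*(-?\d+)' |
    Select-Object -First 1
Remove-Item $inf -Force

if (-not $hit) {
    Write-Warning 'LockoutDuration not found in the export; check the lockout threshold.'
} else {
    $minutes = [int]$hit.Matches[0].Groups[1].Value
    Write-Output "Lockout duration: $minutes minute(s)"
    # Only non-negative values are compared; anything else is left for manual review.
    if ($minutes -ge 0 -and $minutes -lt $MinLockoutMinutes) {
        Write-Warning "Below the ${MinLockoutMinutes}-minute recommendation."
        if ($Apply) {
            net accounts "/lockoutduration:$MinLockoutMinutes" | Out-Null
            Write-Output "Lockout duration set to $MinLockoutMinutes minutes."
        }
    }
}

# 2) Second administrator: group member names look like 'HOST\user'.
$members = Get-LocalGroupMember -SID $AdminsSid
if ($members | Where-Object { $_.Name -like "*\$BreakGlassUser" }) {
    Write-Output "$BreakGlassUser is already a local administrator."
} elseif ($Apply) {
    if (-not (Get-LocalUser -Name $BreakGlassUser -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $BreakGlassUser"
        New-LocalUser -Name $BreakGlassUser -Password $pw | Out-Null
    }
    Add-LocalGroupMember -SID $AdminsSid -Member $BreakGlassUser
    Write-Output "$BreakGlassUser added to the local Administrators group."
} else {
    Write-Warning "No second administrator named $BreakGlassUser; rerun with -Apply."
}
```

On a domain-joined instance the lockout setting from a domain group policy takes precedence over the local value changed here.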