Manage accounts and credentials on Windows VMs

By default, Windows virtual machine (VM) instances authenticate by using a username and a password instead of by using SSH. If you don't enable SSH for Windows, you must generate new credentials before connecting to the VM. This document describes how to generate credentials and manage accounts on Windows VMs.

You can also use this process to generate new credentials if you no longer have the original credentials. If you use this process to generate new credentials for existing users, any data that is encrypted with the current credentials, such as encrypted files or stored passwords, might not be retained.

Accounts disabled by default

The following accounts are built-in to Windows Server and are disabled by default:

  • Administrator
  • Guest
  • DefaultAccount
  • WDAGUtilityAccount

For these accounts, the Windows guest agent can reset the credentials. Resetting the credentials won't do the following:

  • Enable a disabled built-in account
  • Set additional policies so that the user can sign in to the VM

The built-in accounts are not guaranteed to have the default names because the local security policy, which is used by many organizations, can rename the accounts. If the accounts were renamed, you can use the original names.

Before you begin

  • Create a Windows Server VM.
  • Ensure that the instance is online and ready.
  • If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    1. Install the Google Cloud CLI, then initialize it by running the following command: 

      gcloud init
    2. Set a default region and zone.

Required roles

To get the permissions that you need to generate credentials for Windows Server VMs, ask your administrator to grant you the following IAM roles:

  • Compute Instance Admin (v1) (role/compute.instanceAdmin.v1) on the VM or project
  • If your VM uses a service account: Service Account User (role/iam.serviceAccountUser) on the service account or project

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Generate credentials

Generate credentials for Windows Server VMs by using the Google Cloud console or the Google Cloud CLI.

Console

  1. Go to the VM instances page.

    Go to VM instances

  2. Click the Windows Server VM to change the password on.

  3. On the VM instance details page, in Remote access, click Set Windows password.

  4. In the Username field, enter the username to change the password for, or enter a new username to create a new user.

  5. Click Set.

gcloud

  1. Run the following gcloud compute reset-windows-password command:

    gcloud compute reset-windows-password VM_NAME

    Replace VM_NAME with the name of the VM to change the password for.

  2. Review the information in the confirmation prompt:

    This command creates an account and sets an initial password for the
user [username] if the account does not already exist.
If the account already exists, resetting the password can cause the
LOSS OF ENCRYPTED DATA secured with the current password, including
files and stored passwords.

For more information, see:
https://cloud.google.com/compute/docs/operating-systems/windows#reset

Would you like to set or reset the password for [username] (Y/n)?

  3. After confirming the previous prompt, review the confirmation of new credentials, which appears as follows:

    Resetting and retrieving password for [username] on [instance-name]
Updated [https://www.googleapis.com/compute/v1/projects/project-name/zones/zone/instances/instance-name].
ip_address: ip-address
password:   password
username:   username

  4. You can now connect to the instance by using the new credentials.

Change your password

After you connect to your Windows Server VM, you can use the Windows Command Prompt or the Windows user interface to change your password.

Command Prompt

Use the net user command to change the password.

Windows Server 2012 R2

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Control Panel.

  3. Under the User Accounts icon, click either Change Account Type or Add or remove user accounts.

  4. Select the account that you want to modify.

  5. Click Change the password.

  6. Enter your current password and your new password.

  7. Click Change password to save your changes.

Windows Server 2016

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Control Panel.

  3. Under the User Accounts icon, click either Change Account Type or Add or remove user accounts.

  4. Select the account that you want to modify.

  5. Click Change the password.

  6. Enter your current password and your new password.

  7. Click Change password to save your changes.

Windows Server 2019

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Settings.

  3. Click Accounts.

  4. Click Sign-in options.

  5. Under Password, click Change.

  6. Enter your current password and click Next.

  7. Enter your new password in the New password field and enter it again in the Reenter password field.

  8. Enter a Password hint, and click Next.

  9. Click Finish.

Windows Server 2022

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Settings.

  3. Click Accounts.

  4. Click Sign-in options.

  5. Click Password and click Change.

  6. Enter your current password and click Next.

  7. Enter your new password in the New password field and enter it again in the Confirm password field.

  8. Enter a Password hint, and click Next.

  9. Click Finish.

Create a local user account

Command Prompt

Use the net user to create a new user.

Example: 

   net user USERNAME PASSWORD /add

Replace USERNAME with your username and PASSWORD with your password of choice.

Windows Server 2012 R2

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Control Panel.

  3. Under the User Accounts icon, click either Change Account Type or Add or remove user accounts.

  4. Click Add a user account.

  5. Set the user name, password and password hint, then click Next.

  6. After an account is created click Finish.

Windows Server 2016

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Control Panel.

  3. Under the User Accounts icon, click either Change Account Type or Add or remove user accounts.

  4. Click Add a user account.

  5. Set the user name, password and password hint, then click Next.

  6. After an account is created click Finish.

Windows Server 2019

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Settings.

  3. Click Accounts.

  4. Click Other users, then Add someone else on this PC.

  5. Skip all the Microsoft account related steps and click Add a user without a Microsoft account.

  6. Set the user name, password and password hint, then click Next.

Windows Server 2022

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Settings.

  3. Click Accounts.

  4. Click Other users, then Add someone else on this PC.

  5. Skip all the Microsoft account related steps and click Add a user without a Microsoft account.

  6. Set the user name, password and password hint, then click Next.

Grant local users Administrator privileges

Adding a local account to the Administrator group will give you administrative privileges on your Windows VM. Please see more information on Local Accounts.

Command Prompt

Use the net localgroup to add a user to the Administrator group.

Example: 

   net localgroup administrators USERNAME /add

Replace USERNAME with the username of choice.

Windows Server 2012 R2

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Control Panel.

  3. Under the User Accounts icon, click either Change Account Type or Add or remove user accounts.

  4. Select the account you wish to change.

  5. Click Change the account type.

  6. Select Administrator and confirm by clicking Change Account Type.

Windows Server 2016

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Control Panel.

  3. Under the User Accounts icon, click either Change Account Type or Add or remove user accounts.

  4. Select the account you wish to change.

  5. Click Change the account type.

  6. Select Administrator and confirm by clicking Change Account Type.

Windows Server 2019

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Settings.

  3. Click Accounts.

  4. Click Other users then click on the account you wish to change.

  5. Click Change account type.

  6. From the dropdown, select the Administrator account type and click OK.

Windows Server 2022

  1. After the desktop finishes loading, click the Start menu icon.

  2. Click Settings.

  3. Click Accounts.

  4. Click Other users then click on the account you wish to change.

  5. Click Change account type.

  6. From the dropdown, select the Administrator account type and click OK.

What's next