Reset Windows administrator password

Need a recipe to reset the Windows administrator password. It would be a great help if someone could help with this.

You should be able to do this with the built-in user resource like this:

```ruby
# Manage the existing local Administrator account and set its password
user 'Set Local Administrator Password' do
  username 'administrator'
  action :manage
  password 'your_password_here'
end
```

Setting your admin password in plain text makes Security Panda sad.

I would highly recommend using Microsoft’s LAPS product. It randomizes the admin password for each machine and stores them in AD (if that’s an option).


Seth, HeyItsGilbert, thank you for the suggestions.

HeyItsGilbert, how do I call this in a Chef recipe?



Thanks for the script. How can I secure the password?


As HeyItsGilbert mentioned, storing a password in plain text is not a good idea.

In theory, you could have your password encrypted and use Chef Vault or an encrypted data bag to provide the password value.

Ultimately, you can’t completely secure it. The problem is that at some point, Chef needs the password in plain text. However you encrypt it, the decryption key has to be available to the chef client, and therefore also potentially to an attacker.

What I do in situations like this is set the administrator password to something well-known, and then manually change it right after the password has been reset. There is a vulnerability here, of course, during the time gap between Chef resetting the admin password, and manually securing it.

If you have too many systems to do this, use Active Directory - it is designed for exactly this type of problem. In that case, you could simply have Chef generate a random password for the local admin account on the fly. When you need to log on to the local admin account, use a domain account to log in first and change

Kevin Keane
Whom the IT Pros Call
The NetTech
Our values: Privacy, Liberty, Justice
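
One way to do the "random password on the fly" approach from the post above, as an added example that is not part of the original thread. `random_local_admin_password` is a hypothetical helper (not a Chef API), and the `defined?` guard is only there so the same file also loads as plain Ruby outside a Chef run.

```ruby
require 'securerandom'

# Hypothetical helper, not part of Chef: returns a random password with at
# least one lowercase letter, uppercase letter, digit and symbol, which
# satisfies the default Windows complexity policy. All randomness comes
# from SecureRandom (the OS CSPRNG), never from Kernel#rand.
def random_local_admin_password(length = 24)
  classes = [
    ('a'..'z').to_a,
    ('A'..'Z').to_a,
    ('0'..'9').to_a,
    '!#$%*+-=?@_'.chars
  ]
  raise ArgumentError, 'length too short' if length < classes.size

  # One guaranteed character per class, the rest from the combined pool.
  required = classes.map { |set| set.sample(random: SecureRandom) }
  pool = classes.flatten
  rest = Array.new(length - required.size) { pool.sample(random: SecureRandom) }

  # Shuffle so the guaranteed characters are not always at the front.
  (required + rest).shuffle(random: SecureRandom).join
end

# Recipe part: evaluated only inside a Chef run.
if defined?(Chef::Recipe)
  # Assumption: a fresh value on every converge is acceptable, because
  # nobody is meant to know this password; access goes through a domain
  # account as the post describes.
  new_password = random_local_admin_password

  user 'Set Local Administrator Password' do
    username 'administrator'
    password new_password
    sensitive true # keep the value out of Chef logs and run reports
    action :manage
  end
end
```

The password never appears in the cookbook, a data bag or the Chef server, so there is no stored secret or decryption key to protect.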


Could you PLEASE share some example for the same, if you don’t mind.



Thank you. I want to get this done through Chef server only.


Prior to using Hashicorp Vault to distribute secrets, we deployed encrypted databags. To be honest it’s a lot of work and it too has its flaws. We’ve been the most happy with LAPS + AD, but that may change for non AD-bound machines.


  1. Create a secret key (per databag)
  2. Create encrypted data bag via knife
  3. Update your recipe to read the encrypted databag

IMHO if you’re going to go through the effort of deploying data bags, you should just look into setting up a proper secrets management tool. The effort of rolling databag secrets and ensuring they’re in place can be a pain.