Thread: How to Update Expired Password for the Only Admin Account in ADUC

    How to Update Expired Password for the Only Admin Account in ADUC

    So this happened to me recently in my sandbox environment in AWS. In this sandbox, I had a single DC and a member server. To keep it a bit more secure, I had disabled all domain admin accounts, even the built-in one, except for my own. To make matters worse, I also forgot to put a check mark for my account to disable password expiration. So a few months went by and when I tried to sign in, I got the dreaded Windows prompt that said my account password had expired and would need to be updated to continue.

    I'm like damn, there is no other admin account I can use to update my password. Am I SOL and have to rebuild the sandbox from scratch? I've also set up other services like CA that rely on this DC. Well, as you can see from the title, it took some ingenuity to save a lot of work for me.

    I googled around to see if there was a way to update the password via an RDP session. However, if that were possible, we'd have a serious security breach in MS Windows. I've read a few articles that said the only way you can get Windows to prompt for a password change upon signing in was to get console access to the server. Well, with AWS there is no console access for Windows like VMware or Hyper-V, but the next best thing to that was my member server, to which I still had local Administrator access. I also remembered that I can sign in with my cached AD credential if only there was a way to prevent this member server from talking to the DC. And here is how I did it:

    1) RDP to the member server as local admin
    2) Disable NLA for RDP (for console-style access via RDP)
    3) Remove the DNS entry for the DC in the network configuration (allows AD cached credential sign-in)
    4) Start a new RDP session to the member server as the cached AD user
    5) Windows prompts for a password update
    6) Re-add the DNS entry for the DC in the network configuration and sign out
    7) RDP to the member server with the updated AD user password
    8) Enable "password never expires" for the solo admin account

    Enjoy!
    Last edited by glen; October 30th, 2022 at 10:56 AM.
    Let's Dance, Punk.
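The recovery steps above as a PowerShell sequence run on the member server, added here as an example and not the original poster's script. The DC address, interface alias and account name are placeholders; it also turns NLA back on after the password change, which the post does not mention.

```powershell
# Added example, not the poster's own script. Run as local Administrator on the member server.
# Placeholders to replace before use:
$DcDnsServer    = '10.0.0.10'   # placeholder: IP of the single DC the member server uses for DNS
$InterfaceAlias = 'Ethernet'    # placeholder: NIC name, check with Get-NetAdapter
$AdminSam       = 'soloadmin'   # placeholder: the only remaining domain admin account
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Disable-RdpNla {
    # Step 2: with NLA off the credentials are not validated before the session starts,
    # so the logon screen inside RDP can show the "password expired" change prompt.
    Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 0 -Type DWord
}

function Enable-RdpNla {
    # Not in the post: restore NLA once the password has been changed.
    Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Remove-DcDns {
    # Step 3: drop the DC as a resolver so domain logon cannot locate it and
    # Windows falls back to the cached AD credential.
    $current   = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
    $remaining = @($current | Where-Object { $_ -ne $DcDnsServer })
    if ($remaining.Count -eq 0) {
        # No other resolver configured: fall back to DHCP-assigned DNS (in AWS, the VPC resolver).
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    } else {
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $remaining
    }
}

function Restore-DcDns {
    # Step 6: point DNS back at the DC so the new password can be used against AD.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DcDnsServer
}

function Set-AdminPasswordNeverExpires {
    # Step 8: requires the RSAT ActiveDirectory module and a reachable DC.
    Import-Module ActiveDirectory
    Set-ADUser -Identity $AdminSam -PasswordNeverExpires $true
}

# Order of operations (steps 4, 5 and 7 are the interactive RDP logons in between):
Disable-RdpNla
Remove-DcDns
# ... RDP in as the cached AD user, change the password at the prompt, then continue:
Restore-DcDns
Enable-RdpNla
Set-AdminPasswordNeverExpires
```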
