Ansible Change Windows User Password: win_user Module (Examples)

By Luca Berton · Published 2024-01-01 · Category: troubleshooting

How to change local Windows user passwords with Ansible win_user module. Reset passwords, set expiry policies, and manage credentials across Windows servers.

How to change user passwords on Windows-like systems with Ansible?

Changing passwords is a mundane task that every system administrator performs regularly for their user base. With Ansible you can simplify your workflow and keep your IT infrastructure fleet consistent. I'm going to show you a live Playbook with some simple Ansible code. I'm Luca Berton and welcome to today's episode of Ansible Pilot.

Ansible changes local user password

> ansible.windows.win_user Manages local Windows user accounts

Today we're talking about the Ansible module win_user. The full name is ansible.windows.win_user, which means that it is part of the collection of modules specialized to interact with Windows target hosts. It is a stable module that has been available for years. It works on Windows and Windows Server operating systems. It manages local Windows user accounts. For Linux targets use the user module instead.

Parameters

• name _string_ - user name
• state _string_ - present/absent
• password _string_ - clear text password
• update_password _string_ - always / on_create

The only required parameter is "name", which is the user name. The "state" parameter allows us to create or delete a user; in our use case the default is already set to "present" to create a user. The "password" parameter sets the password in clear text, so you simply specify the password to assign to the user; no hash function is needed. The "update_password" parameter specifies when the module will update the user password: the "always" option will update passwords if they differ, while "on_create" will only set the password for newly created users.

Links

• ansible.windows.win_user
• Lastpass password generator

## Playbook

Change user password on Windows-like systems with an Ansible Playbook. I'm going to show you how to automate changing the password of the local user "example" to an autogenerated one and verify on the Windows side with a successful login.

code

---
- name: windows change password
  hosts: all
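  vars:
    usr_name: 'example'
    # demo value only; keep real passwords in Ansible Vault
    usr_password: 'SMJAo$%8AzU6'
  tasks:
    - name: change password
      ansible.windows.win_user:
        name: "{{ usr_name }}"
        password: "{{ usr_password }}"
      no_log: true  # keep the password out of task output and logs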

execution

ansible-pilot $ ansible-playbook -i virtualmachines/win/inventory windows/user_changepassword.yml
PLAY [windows change password] ********************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [WindowsServer]
TASK [change password] ****************************************************************************
changed: [WindowsServer]
PLAY RECAP ****************************************************************************************
WindowsServer              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

idempotency

ansible-pilot $ ansible-playbook -i virtualmachines/win/inventory windows/user_changepassword.yml
PLAY [windows change password] ********************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [WindowsServer]
TASK [change password] ****************************************************************************
ok: [WindowsServer]
PLAY RECAP ****************************************************************************************
WindowsServer              : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

before execution

[Image: win_user before execution]

after execution

[Image: win_user after execution]

Conclusion

Now you know how to change local user passwords on Windows-like systems with Ansible.

Change Password

- name: Change user password
  ansible.windows.win_user:
    name: john
    password: "{{ vault_new_password }}"
    update_password: always
  no_log: true

update_password Options

| Value | Behavior |
|-------|----------|
| always | Check on every run and change the password if it differs |
| on_create | Only set when creating user |

Password with Policies

- name: Set password with policies
  ansible.windows.win_user:
    name: admin_user
    password: "{{ vault_admin_password }}"
    update_password: always
    password_expired: false
    password_never_expires: false
    user_cannot_change_password: false
  no_log: true

Force Password Change at Next Login

- name: Reset and require change
  ansible.windows.win_user:
    name: new_employee
    password: "TempPass123!"
    password_expired: true  # Forces change at next login
  no_log: true

Bulk Password Reset

- name: Reset passwords for team
  ansible.windows.win_user:
    name: "{{ item.name }}"
    password: "{{ item.password }}"
    update_password: always
  loop: "{{ vault_user_passwords }}"
  no_log: true
  loop_control:
    label: "{{ item.name }}"

Reset via PowerShell (Alternative)

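- name: Reset via PowerShell
  ansible.windows.win_shell: |
    # Read values from the environment so characters such as $, ` or " in the
    # password are never parsed as PowerShell source
    $SecurePass = ConvertTo-SecureString $env:NEW_PASSWORD -AsPlainText -Force
    Set-LocalUser -Name $env:TARGET_USER -Password $SecurePass
  environment:
    NEW_PASSWORD: "{{ vault_password }}"
    TARGET_USER: "{{ username }}"
  no_log: true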

Domain User Password

# Requires microsoft.ad collection
- name: Change AD user password
  microsoft.ad.user:
    name: jsmith
    password: "{{ vault_ad_password }}"
    update_password: always
    identity: CN=John Smith,OU=Users,DC=example,DC=com
  no_log: true

Verify Password Works

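- name: Test credentials
  ansible.windows.win_shell: |
    # Values come from the environment, not from templated PowerShell source
    $secure = ConvertTo-SecureString $env:TEST_PASSWORD -AsPlainText -Force
    $cred = New-Object PSCredential($env:TEST_USER, $secure)
    Start-Process cmd.exe -Credential $cred -ArgumentList '/c echo success' -NoNewWindow -Wait
  environment:
    TEST_USER: "{{ username }}"
    TEST_PASSWORD: "{{ password }}"
  register: test_result
  no_log: true
  ignore_errors: true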
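
A fuller rotation flow that ties together the vault variable, no_log and the verification step, as an added example that is not code from the original page. It swaps the Start-Process check for Ansible's runas become with ansible.windows.win_whoami; `target_user`, `min_length` and `vault_new_password` are assumed names, and the account is assumed to be allowed to log on to the target.

```yaml
---
# Added example: rotate one local account's password and prove the new
# credential works, without printing it. Assumed names: target_user,
# min_length, and vault_new_password (defined in an Ansible Vault file).
- name: Rotate and verify a local Windows password
  hosts: all
  gather_facts: false
  vars:
    target_user: example
    min_length: 12
  tasks:
    - name: Refuse to run with a missing or short password
      ansible.builtin.assert:
        that:
          - vault_new_password is defined
          - vault_new_password | length >= min_length
        quiet: true
      no_log: true

    - name: Set the new password
      ansible.windows.win_user:
        name: "{{ target_user }}"
        password: "{{ vault_new_password }}"
        update_password: always
      no_log: true

    # A wrong password makes this task fail, which stops the play here
    - name: Log on as the user with the new password
      ansible.windows.win_whoami:
      become: true
      become_method: runas
      vars:
        ansible_become_user: "{{ target_user }}"
        ansible_become_password: "{{ vault_new_password }}"
      register: whoami
      no_log: true

    - name: Report the result without the secret
      ansible.builtin.assert:
        that: whoami.account.account_name | lower == target_user | lower
        success_msg: "New password verified for {{ target_user }}"
        fail_msg: "Logon check failed for {{ target_user }}"
```

The final assert is the only task that prints anything about the outcome, and it references only the user name.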

Linux vs Windows Password

| Feature | Linux (user module) | Windows (win_user) |
|---------|--------------------|--------------------|
| Password format | Hashed (SHA-512) | Plaintext (module hashes) |
| Hash required | Yes | No |
| Expiry | chage command | password_expired param |
| Vault integration | Via filter | Direct |

FAQ

Does win_user accept plaintext passwords?

Yes — unlike the Linux user module, win_user accepts plaintext and handles hashing internally.

How do I enforce password complexity?

Password complexity is enforced by Windows Group Policy, not Ansible. Ensure GPO requires minimum length, uppercase, numbers, etc.

Should I use no_log?

Always — without no_log: true, passwords appear in Ansible output, logs, and AWX job history.
