Manage accounts and credentials on Windows VMs
By default, Windows virtual machine (VM) instances authenticate by using a username and a password instead of by using SSH. If you don't enable SSH for Windows, you must generate new credentials before connecting to the VM. This document describes how to generate credentials and manage accounts on Windows VMs.
You can also use this process to generate new credentials if you no longer have the original credentials. If you use this process to generate new credentials for existing users, any data that is encrypted with the current credentials, such as encrypted files or stored passwords, might not be retained.
Caution: If the VM is running an Active Directory domain controller, generating new credentials can cause the password of an existing domain user to be reset or a new domain user to be created. To prevent credential generation, disable the account manager.
Accounts disabled by default
The following accounts are built-in to Windows Server and are disabled by default:
- Administrator
- Guest
- DefaultAccount
- WDAGUtilityAccount
For these accounts, the Windows guest agent can reset the credentials. Resetting the credentials won't do the following:
- Enable a disabled built-in account
- Set additional policies so that the user can sign in to the VM
The built-in accounts are not guaranteed to have the default names because the local security policy, which is used by many organizations, can rename the accounts. If the accounts were renamed, you can use the original names.
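Because the built-in accounts can be renamed, a check of the disabled-by-default baseline is more reliable when it identifies them by relative identifier (RID) instead of by name. The following PowerShell is an added example, not part of the original page; it assumes a VM that is not a domain controller and uses the well-known RIDs 500, 501, 503 and 504 for the four accounts.

```powershell
# Added example: report the state of the built-in accounts, found by RID.
# Assumes a non-domain-controller VM with the LocalAccounts module
# (Get-LocalUser), which ships with Windows Server 2016 and later.
$builtin = @{
    500 = 'Administrator'
    501 = 'Guest'
    503 = 'DefaultAccount'
    504 = 'WDAGUtilityAccount'
}

function Get-BuiltinAccountState {
    foreach ($user in Get-LocalUser) {
        # The RID is the last component of the account SID.
        $rid = [int]($user.SID.Value.Split('-')[-1])
        if (-not $builtin.ContainsKey($rid)) { continue }
        [pscustomobject]@{
            Rid             = $rid
            DefaultName     = $builtin[$rid]
            CurrentName     = $user.Name
            Renamed         = $user.Name -ne $builtin[$rid]
            Enabled         = $user.Enabled
            PasswordLastSet = $user.PasswordLastSet
        }
    }
}

$state = Get-BuiltinAccountState | Sort-Object Rid
$state | Format-Table -AutoSize

# Flag anything that departs from the disabled-by-default baseline.
$state | Where-Object { $_.Enabled } | ForEach-Object {
    Write-Warning ("RID {0} ({1}) is enabled; password last set: {2}" -f `
        $_.Rid, $_.CurrentName, $_.PasswordLastSet)
}
```

A recent PasswordLastSet value on an account that is still disabled is consistent with the behavior described above: a credential reset changes the password without enabling the account.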
Caution: For credential management features to work correctly, you must use English for key account and group names, such as Administrator and Administrators. The system relies on these specific English names to identify and manage credentials. Using non-English names for these accounts or groups can cause actions such as generating or resetting passwords to fail.
Before you begin
- Create a Windows Server VM.
- Ensure that the instance is online and ready.
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
- Set a default region and zone.
Required roles
To get the permissions that you need to generate credentials for Windows Server VMs, ask your administrator to grant you the following IAM roles:
- Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1) on the VM or project
- If your VM uses a service account: Service Account User (roles/iam.serviceAccountUser) on the service account or project
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Generate credentials
Generate credentials for Windows Server VMs by using the Google Cloud console or the Google Cloud CLI.
Note: Before you can generate credentials for VMs that you imported to Compute Engine, you must enable the COM4 port in the Windows Device Manager.
Console
Go to the VM instances page.
Click the Windows Server VM to change the password on.
On the VM instance details page, in Remote access, click Set Windows password.
In the Username field, enter the username to change the password for, or enter a new username to create a new user.
Click Set.
gcloud
Run the following gcloud compute reset-windows-password command:
gcloud compute reset-windows-password VM_NAME
Replace VM_NAME with the name of the VM to change the password for.
Review the information in the confirmation prompt:
This command creates an account and sets an initial password for the
user [username] if the account does not already exist.
If the account already exists, resetting the password can cause the
LOSS OF ENCRYPTED DATA secured with the current password, including
files and stored passwords.
For more information, see:
https://cloud.google.com/compute/docs/operating-systems/windows#reset
Would you like to set or reset the password for [username] (Y/n)?
After confirming the previous prompt, review the confirmation of new credentials, which appears as follows:
Resetting and retrieving password for [username] on [instance-name]
Updated [https://www.googleapis.com/compute/v1/projects/project-name/zones/zone/instances/instance-name].
ip_address: ip-address
password: password
username: username
You can now connect to the instance by using the new credentials.
Change your password
After you connect to your Windows Server VM, you can use the Windows Command Prompt or the Windows user interface to change your password.
Command Prompt
Use the net user command to change the password.
Windows Server 2016
After the desktop finishes loading, click the Start menu icon.
Click Control Panel.
Under the User Accounts icon, click either Change Account Type or Add or remove user accounts.
Select the account that you want to modify.
Click Change the password.
Enter your current password and your new password.
Click Change password to save your changes.
Windows Server 2019
After the desktop finishes loading, click the Start menu icon.
Click Settings.
Click Accounts.
Click Sign-in options.
Under Password, click Change.
Enter your current password and click Next.
Enter your new password in the New password field and enter it again in the Re-enter password field.
Enter a Password hint, and click Next.
Click Finish.
Windows Server 2022
After the desktop finishes loading, click the Start menu icon.
Click Settings.
Click Accounts.
Click Sign-in options.
Click Password and click Change.
Enter your current password and click Next.
Enter your new password in the New password field and enter it again in the Confirm password field.
Enter a Password hint, and click Next.
Click Finish.
Create a local user account
Command Prompt
Use the net user command to create a new user.
Example:
net user USERNAME PASSWORD /add
Replace USERNAME with your username and PASSWORD with your password of choice.
Windows Server 2016
After the desktop finishes loading, click the Start menu icon.
Click Control Panel.
Under the User Accounts icon, click either Change Account Type or Add or remove user accounts.
Click Add a user account.
Set the username, password and password hint, then click Next.
After the account is created, click Finish.
Windows Server 2019
After the desktop finishes loading, click the Start menu icon.
Click Settings.
Click Accounts.
Click Other users, then Add someone else on this PC.
Skip all the Microsoft account related steps and click Add a user without a Microsoft account.
Set the username, password and password hint, then click Next.
Windows Server 2022
After the desktop finishes loading, click the Start menu icon.
Click Settings.
Click Accounts.
Click Other users, then Add someone else on this PC.
Skip all the Microsoft account related steps and click Add a user without a Microsoft account.
Set the username, password and password hint, then click Next.
Grant local users Administrator privileges
Adding a local account to the Administrators group gives that account administrative privileges on your Windows VM. For more information, see Local Accounts.
Caution: For credential management features to work correctly, you must use English for key account and group names, such as Administrator and Administrators. The system relies on these specific English names to identify and manage credentials. Using non-English names for these accounts or groups can cause actions such as generating or resetting passwords to fail.
Command Prompt
Use the net localgroup command to add a user to the Administrators group.
Example:
net localgroup administrators USERNAME /add
Replace USERNAME with the username of choice.
Replace /add with /delete if you want to remove a user from the local administrator group.
Windows Server 2016
After the desktop finishes loading, click the Start menu icon.
Click Control Panel.
Under the User Accounts icon, click either Change Account Type or Add or remove user accounts.
Select the account that you want to change.
Click Change the account type.
Select Administrator and confirm by clicking Change Account Type.
Windows Server 2019
After the desktop finishes loading, click the Start menu icon.
Click Settings.
Click Accounts.
Click Other users then click the account that you want to change.
Click Change account type.
From the drop-down, select the Administrator account type and click OK.
Windows Server 2022
After the desktop finishes loading, click the Start menu icon.
Click Settings.
Click Accounts.
Click Other users then click the account that you want to change.
Click Change account type.
From the drop-down, select the Administrator account type and click OK.
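To review the result of the group changes described in this section, the following PowerShell compares the current membership of the local Administrators group with a list of expected accounts. It is an added example, not part of the original page; the names in $expected are constructed placeholders, and the script assumes a VM that is not a domain controller.

```powershell
# Added example: audit local Administrators membership against an expected
# list. The names in $expected are constructed placeholders; replace them.
$expected = @('ops-admin', 'break-glass')

# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so this lookup does not depend on how the group name is displayed.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    # Strip the COMPUTER\ or DOMAIN\ prefix before comparing names.
    $short = ($m.Name -split '\\')[-1]
    # RID 500 is the built-in Administrator, even if policy renamed it.
    $isBuiltin = ($m.PrincipalSource -eq 'Local') -and
                 ($m.SID.Value -like 'S-1-5-21-*-500')
    [pscustomobject]@{
        Name     = $m.Name
        Class    = $m.ObjectClass
        Source   = $m.PrincipalSource
        Expected = $isBuiltin -or ($expected -contains $short)
    }
}
$report | Sort-Object Expected, Name | Format-Table -AutoSize

# List every member that is neither the built-in account nor in $expected.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected member(s) of Administrators:" -f $unexpected.Count)
    $unexpected | ForEach-Object { Write-Warning ("  " + $_.Name) }
}
```

An unexpected local account can be removed from the group with the net localgroup command shown above, using /delete in place of /add.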
Last updated 2025-12-15 UTC.