Reputation: 3278
I'd like to set a Windows Server 2012 R2 Administrator password in the AWS EC2 User Data, but something about what I'm doing isn't working.
I'm launching the instance with the following value for the User Data:
<powershell>
$user = [adsi]"WinNT://localhost/Administrator,user"
$user.SetPassword("Tm8LgmjBTigXq8PYifGG@RGQaXoqzT")
$user.SetInfo()
</powershell>
I'll use a different password for prod, but wanted to make sure I meet Windows password requirements for now.
As far as what AMI I'm using, I started off with a trivial Packer build based on the Amazon-provided Windows Server 2012 R2 AMI. All this Packer build does right now is add a directory and then output the AMI ID it created. I then launch a new instance from that AMI.
But when I RDP into the instance, I continue to receive the error "The user name or password is incorrect. Try again."
Here are the logs from EC2's "Get System Log":
2015/12/17 02:26:26Z: EC2ConfigMonitorState: 0
2015/12/17 02:26:27Z: Windows sysprep configuration complete.
2015/12/17 02:26:30Z: AMI Origin Version: 2015.10.26
2015/12/17 02:26:30Z: AMI Origin Name: Windows_Server-2012-R2_RTM-English-64Bit-Base
2015/12/17 02:26:30Z: OS: Microsoft Windows NT 6.3.9600
2015/12/17 02:26:30Z: OsVersion: 6.3
2015/12/17 02:26:30Z: OsProductName: Windows Server 2012 R2 Standard
2015/12/17 02:26:30Z: OsBuildLabEx: 9600.18066.amd64fre.winblue_ltsb.150928-1002
2015/12/17 02:26:30Z: Language: en-US
2015/12/17 02:26:30Z: EC2 Agent: Ec2Config service v3.10.442
2015/12/17 02:26:32Z: Message: Waiting for meta-data accessibility...
2015/12/17 02:26:32Z: Message: Meta-data is now available.
2015/12/17 02:26:35Z: AMI-ID: ami-0cd7c86d
2015/12/17 02:26:35Z: Instance-ID: i-9da97047
2015/12/17 02:26:40Z: Driver: AWS PV Network Device v7.3.2.0
2015/12/17 02:26:40Z: Driver: AWS PV Storage Host Adapter v7.3.2.0
2015/12/17 02:26:40Z: Ec2SetPassword: Disabled
2015/12/17 02:26:41Z: RDPCERTIFICATE-SUBJECTNAME: WIN-B5RLUMJ651G
2015/12/17 02:26:41Z: RDPCERTIFICATE-THUMBPRINT: A03F21FCE336140DA63828E3D61FB1274C6CF26E
2015/12/17 02:26:44Z: Message: Windows is Ready to use
2015/12/17 02:26:52Z: Info EC2Config configuration: status:3; region:us-west-2; iam:0; authz:0
2015/12/17 02:26:52Z: SSM Config: status:Inactive; iam:No; ErrorMessage:[[Unable to find credentials]]; RequestId:; ErrorCode:; ErrorType:Sender; StatusCode:0
Would love some guidance from any Windows experts out there!
Update #1: I've taken a new approach. It appears AWS has a service called the EC2ConfigService which can be used to enable password generation from custom AMIs. Using Packer, I replaced the file C:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml with one where the setting for Ec2SetPassword is Enabled, but it still doesn't seem to make a difference. I'll look for online examples of changing this to see if I can find any.
Upvotes: 2
Views: 4176
Reputation: 3278
Ok, my colleague figured it out. Our Packer provisioner now looks like this:
"provisioners": [
  {
    "type": "powershell",
    "inline": [
      "# Enable the system password to be retrieved from the AWS Console after this AMI is built and used to launch code",
      "$ec2config = [xml] (get-content 'C:\\Program Files\\Amazon\\Ec2ConfigService\\Settings\\config.xml')",
      "($ec2config.ec2configurationsettings.plugins.plugin | where {$_.name -eq \"Ec2SetPassword\"}).state = \"Enabled\"",
      "$ec2config.save(\"C:\\Program Files\\Amazon\\Ec2ConfigService\\Settings\\config.xml\")"
    ]
  }
]
I validated that this works as expected. Packer builds the AMI, configures what it wants, and once the EC2 Instance is launched from that AMI, the password is reset, and it's possible to fetch the password once you pass in your EC2 Keypair.
Upvotes: 4
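The same config.xml change written as a PowerShell function that stops the Packer build when the Ec2SetPassword entry is missing or the edit does not persist; this is an added example, not code from the original post. Set-Ec2ConfigPluginState, the temp-file path and the sample XML are assumptions constructed for illustration, with element names taken from the answer's script.

```powershell
# Added example; Set-Ec2ConfigPluginState is a hypothetical helper name.
function Set-Ec2ConfigPluginState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled')] [string] $State
    )

    $config = [xml](Get-Content -LiteralPath $Path -Raw)
    $plugin = @($config.Ec2ConfigurationSettings.Plugins.Plugin |
        Where-Object { $_.Name -eq $Name })

    # Fail the build instead of silently shipping an AMI with the old setting.
    if ($plugin.Count -ne 1) {
        throw "Expected one '$Name' plugin entry in $Path, found $($plugin.Count)."
    }

    $plugin[0].State = $State
    $config.Save($Path)

    # Re-read from disk to confirm the change persisted.
    $check = [xml](Get-Content -LiteralPath $Path -Raw)
    $actual = ($check.Ec2ConfigurationSettings.Plugins.Plugin |
        Where-Object { $_.Name -eq $Name }).State
    if ($actual -ne $State) {
        throw "'$Name' is '$actual' after save, expected '$State'."
    }
    return $actual
}

# Constructed sample file using the element names from the answer's script.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'ec2config-sample.xml'
@'
<?xml version="1.0" standalone="yes"?>
<Ec2ConfigurationSettings>
  <Plugins>
    <Plugin><Name>Ec2SetPassword</Name><State>Disabled</State></Plugin>
    <Plugin><Name>Ec2HandleUserData</Name><State>Disabled</State></Plugin>
  </Plugins>
</Ec2ConfigurationSettings>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Set-Ec2ConfigPluginState -Path $sample -Name 'Ec2SetPassword' -State 'Enabled'
```

In a Packer build, pass the path from the answer ('C:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml') instead of the sample file.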