# Windows Plugin

{% hint style="warning" %}
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

* [Password Rotation with KeeperPAM](https://docs.keeper.io/en/keeperpam/secrets-manager/password-rotation)
* Commander [KeeperPAM commands](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/keeperpam-commands)
  {% endhint %}

This plugin allows rotating a windows user's password using the `net user` command.

### Prepare a Record for Rotation

### Create a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

{% hint style="info" %}
See the [Troubleshooting ](https://docs.keeper.io/en/keeperpam/troubleshooting-commander-cli#typed-vs-untyped-records-v3-vs-v2)section for more information on legacy vs typed records
{% endhint %}

### Set the Login Name

**Populate the 'Login' field of the Keeper record with the login to use with this rotation.**

This plugin rotates passwords for both local and Active Directory accounts. When rotating Active Directory password use `DOMAIN\USERNAME` syntax for Login field.

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FH1Vr6GKR8x1XjZHpNZyK%2Fimage.png?alt=media\&token=1e71b489-5ae6-4071-9e67-17568991b47e)

#### Add the following Custom Fields to the record that you want to rotate within Keeper

| Label       | Value                                                                       | Comment                                                                                                                          |
| ----------- | --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| cmdr:plugin | windows                                                                     | (Optional) Tells Commander to use Windows rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:rules  | <p># uppercase, # lowercase, # numeric, # special'</p><p>(e.g. 4,6,3,8)</p> | (Optional) Password generation rules                                                                                             |

![A Keeper Record setup for Windows password rotation](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJXOXEifAmpyvNVL1to%2F-Mf3OKL0C-A5D2nQFew1%2F-Mf4pBnfEpYfewUkl_Fr%2Fimage.png?alt=media\&token=6dd6e075-00b3-40e4-83b0-edb96333b89a)

## Rotate

To rotate Windows passwords, use the `rotate` command in Commander. Pass the command a record title or UID (or use `--match` with a regular expression to rotate several records at once)

```
rotate "Windows Example" --plugin windows
```

{% hint style="info" %}
The plugin can be supplied to the command as shown here, or added to a record field (see options above).\
Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
{% endhint %}

#### Output

After rotation is completed, the new password will be stored in the `Password` field of the record