Discussion:
Lost admin password of Windows 2003 Server DC
(too old to reply)
Fernando Ronci
2010-04-20 18:56:16 UTC
Permalink
Hi,

A client called me to restore access to their Windows 2003 Server acting as
a DC whose Administrators' passwords have been lost. Nobody can now log into
the server. I understand that resetting the local Administrator password on
non-Active Directory Win 2003 machines is pretty easy. There are lots of
utilities that you can download and run from a bootable CD and clear out the
passwords. I also understand that the mechanism that Windows 2003 Server
employs for storing usernames and passwords is different for Domain
Controller machines and WORK_GROUP ones, such that running any
password-resetting utility from a bootable CD is not enough for the former
case.
So my question is: How do I regain access to the Win 2003 Server machine
when neither the password of the local Administrator account nor the
"Directory Services Restore Mode Administrator Password" (asked by the
Active Directory Installation Wizard during the configuration of the DC) are
known? I followed the instructions on the site
http://www.nobodix.org/seb/win2003_adminpass.html to no avail. The
instructions detailed in that document fail because the log on window
doesn't recognize the LOCAL admin password, which I previously cleared out
from a bootable CD. The fact is that when you boot into Directory Restore
Service Mode (by pressing F8 at boot time) the requested password is the
"Directory Services Restore Mode Administrator Password", not the password
of the LOCAL Administrator account. I can confirm it because I tested it on
a non-production machine.
To put it simple: Is there a way or utility to override the security
policies, if any, and reset/delete all the administrative passwords?

Thank you in advance.
Fernando
Phillip Windell
2010-04-20 19:20:37 UTC
Permalink
How can somebody lose the Admin password? That is an account that gets used
all the time,...daily,...whoever has been using it should know it.

Look for other accounts on the machine (maybe even service accounts?) that
may have administrator access (member of Administrators Group or Domain
Admins Group),...then log in with one of those and reset the Administrator
Account Password.

Maybe others will have suggestions,...but apart of what I said, I think you
are just flat screwed.

Loosing Admin credentials,...how can anyone actually do that?
--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Post by Fernando Ronci
Hi,
A client called me to restore access to their Windows 2003 Server acting
as a DC whose Administrators' passwords have been lost. Nobody can now log
into the server. I understand that resetting the local Administrator
password on non-Active Directory Win 2003 machines is pretty easy. There
are lots of utilities that you can download and run from a bootable CD and
clear out the passwords. I also understand that the mechanism that Windows
2003 Server employs for storing usernames and passwords is different for
Domain Controller machines and WORK_GROUP ones, such that running any
password-resetting utility from a bootable CD is not enough for the former
case.
So my question is: How do I regain access to the Win 2003 Server machine
when neither the password of the local Administrator account nor the
"Directory Services Restore Mode Administrator Password" (asked by the
Active Directory Installation Wizard during the configuration of the DC)
are known? I followed the instructions on the site
http://www.nobodix.org/seb/win2003_adminpass.html to no avail. The
instructions detailed in that document fail because the log on window
doesn't recognize the LOCAL admin password, which I previously cleared out
from a bootable CD. The fact is that when you boot into Directory Restore
Service Mode (by pressing F8 at boot time) the requested password is the
"Directory Services Restore Mode Administrator Password", not the password
of the LOCAL Administrator account. I can confirm it because I tested it
on a non-production machine.
To put it simple: Is there a way or utility to override the security
policies, if any, and reset/delete all the administrative passwords?
Thank you in advance.
Fernando
Fernando Ronci
2010-04-21 02:31:03 UTC
Permalink
Thanks for your reply.
I'll check with the client which other accounts with admin access are
available.

Fernando
Post by Phillip Windell
How can somebody lose the Admin password? That is an account that gets
used all the time,...daily,...whoever has been using it should know it.
Look for other accounts on the machine (maybe even service accounts?) that
may have administrator access (member of Administrators Group or Domain
Admins Group),...then log in with one of those and reset the Administrator
Account Password.
Maybe others will have suggestions,...but apart of what I said, I think
you are just flat screwed.
Loosing Admin credentials,...how can anyone actually do that?
--
Phillip Windell
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Florian Frommherz [MVP]
2010-04-21 06:42:29 UTC
Permalink
Howdie!
Post by Fernando Ronci
Thanks for your reply.
I'll check with the client which other accounts with admin access are
available.
Is it the DSRM Admin you have lost or is that the Builtin\Administrator
account?

cheers,
Florian
Fernando Ronci
2010-04-21 11:48:03 UTC
Permalink
Both passwords are lost.

Thanks,
Fernando
Post by Florian Frommherz [MVP]
Is it the DSRM Admin you have lost or is that the Builtin\Administrator
account?
cheers,
Florian
Joe Dunn
2010-04-21 12:56:01 UTC
Permalink
If you have no DSRM password or password for any Domain Admin or Enterprise
Admin account there is nothing you can do as far as I'm aware, and I would
certainly hope not too.

For your information there is no 'local' administrator account on DCs as
they have no local SAM only the AD database and security. The
builtin\administrator account on a DC is for the entire domain. Yes the DSRM
password is different to the Administrator password because the AD database
is not available when booting into DSRM.

Best regards
Joe Dunn
MBCS, MCSE, MCTS, CCNA
Post by Fernando Ronci
Both passwords are lost.
Thanks,
Fernando
Post by Florian Frommherz [MVP]
Is it the DSRM Admin you have lost or is that the Builtin\Administrator
account?
cheers,
Florian
.
Florian Frommherz [MVP]
2010-04-21 13:05:30 UTC
Permalink
Howdie!
Post by Joe Dunn
If you have no DSRM password or password for any Domain Admin or Enterprise
Admin account there is nothing you can do as far as I'm aware, and I would
certainly hope not too.
Well, there are ways -- the DSRM-Admin's password is stored in the local
SAM of any DC. That is why you have to provide a DSRM admin password for
every new DC you dcpromo up. It isn't synced/replicated.

Cheers,
Florian
Fernando Ronci
2010-04-21 18:05:19 UTC
Permalink
Thanks !

Yes, I knew that Win 2003 handles very differently usernames and passwords
in Workgroup and DC installations.

Fernando
Post by Joe Dunn
If you have no DSRM password or password for any Domain Admin or Enterprise
Admin account there is nothing you can do as far as I'm aware, and I would
certainly hope not too.
For your information there is no 'local' administrator account on DCs as
they have no local SAM only the AD database and security. The
builtin\administrator account on a DC is for the entire domain. Yes the DSRM
password is different to the Administrator password because the AD database
is not available when booting into DSRM.
Best regards
Joe Dunn
MBCS, MCSE, MCTS, CCNA
Phillip Windell
2010-04-22 18:44:19 UTC
Permalink
Well if you ever get through this,... create at least one other additional
account that is a member of the Domain Admins Group. This will serve as a
stand-by account in case something gets fouled up with the normal admin
account.

*Keep records* of the Administrator Passwords,...multiple copies,...stored
in different "safe" places.
--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Post by Fernando Ronci
Thanks !
Yes, I knew that Win 2003 handles very differently usernames and passwords
in Workgroup and DC installations.
Fernando
Post by Joe Dunn
If you have no DSRM password or password for any Domain Admin or Enterprise
Admin account there is nothing you can do as far as I'm aware, and I would
certainly hope not too.
For your information there is no 'local' administrator account on DCs as
they have no local SAM only the AD database and security. The
builtin\administrator account on a DC is for the entire domain. Yes the DSRM
password is different to the Administrator password because the AD database
is not available when booting into DSRM.
Best regards
Joe Dunn
MBCS, MCSE, MCTS, CCNA
Fernando Ronci
2010-04-23 12:11:27 UTC
Permalink
Thanks Phillip,

I believe the client gave up. The last time I checked they were considering
re-installing the Operating System and starting over.

Fernando
Post by Phillip Windell
Well if you ever get through this,... create at least one other additional
account that is a member of the Domain Admins Group. This will serve as a
stand-by account in case something gets fouled up with the normal admin
account.
*Keep records* of the Administrator Passwords,...multiple copies,...stored
in different "safe" places.
--
Phillip Windell
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Phillip Windell
2010-04-23 20:26:30 UTC
Permalink
If they are a small system that won't be so bad. If they lost something as
important as the admin password then the question becomes, in how many other
areas have they been sloppy? So starting over clean can be a good thing.
--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Post by Fernando Ronci
Thanks Phillip,
I believe the client gave up. The last time I checked they were
considering re-installing the Operating System and starting over.
Fernando
Post by Phillip Windell
Well if you ever get through this,... create at least one other
additional account that is a member of the Domain Admins Group. This
will serve as a stand-by account in case something gets fouled up with
the normal admin account.
*Keep records* of the Administrator Passwords,...multiple
copies,...stored in different "safe" places.
--
Phillip Windell
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Continue reading on narkive:
Loading...