Kind of Locked out Active Directory (Server 2008 R2 Std)

    Question

  • Hi,
         I have a client where we have a new server running Server 2008 R2 Standard. This server does not hold any information except for the Active Directory. Somehow the admin password was changed. I believe this was done due to a disgruntled employee (who was at an executive position) being let go. They had RDP access to the server. We have been locked out of the server, but all workstations are working just fine, so it's not a complete emergency. We still also have access to the data server through its local account. I would like to know if there is anyone who could help me, or if Microsoft themselves would be able to help me get back into MY server. I really don't want to format the machine and redo AD.

    EDIT: I DO have access to the local account of the AD server through Active Directory Recovery Services.

    • Edited by Jimboscomp Thursday, March 10, 2011 12:31 AM added information
    Thursday, March 10, 2011 12:25 AM

Answers

  • The following has been tested on several SBS 2008 servers (Domain Controllers).
    To give credit it originally came from:
    http://fracktured.com/2010/09/03/how-to-reset-lost-sbs-2008-domain-admin-password/
    But it is no longer there. You can watch a newer video at:
    http://www.youtube.com/watch?v=Ar-VoO9ogHc&feature=player_embedded#
    Or I saved the documentation:

    "Sep.03, 2010 in tech
    most techs worth half a damn have no doubt heard of, and probably even used, the Offline NT Password & Registry Editor to reset an unknown password on the various “NT” flavors of Windows (2000, XP, Vista, etc.). one limitation, though, is that it is useful only on local user accounts, not domain user accounts. so if you run into a situation like i did where you need to reset a lost or forgotten domain admin password on a Microsoft Small Business Server 2008 box, the Offline NT Password Reset tool won’t be of any use.
    a google search will quickly find several results for “reset lost server 2008 domain password,” but many of them will direct you to utilities you have to pay for, or will require you to download certain admin tools from microwhore, ahem, micro$oft. however, all you need is a Server 2008 installation DVD, or in my case, the Small Business Server 2008 installation DVD.
    • restart the server and boot to the DVD
    • after selecting the appropriate installation language, select Repair Your Computer
    • start command prompt, and change the command line path to C:\ by entering c:\
    • enter cd c:\windows\system32
    • enter ren utilman.exe *.bak
    • enter copy cmd.exe utilman.exe
    • restart the server. this time do not boot to the DVD, just boot normally
    • at the login screen, press the Windows+U keys on your keyboard. this will bring up the command prompt
    • enter net user [server admin username] [new password]
        o on a regular Server 2008 install, [server admin username] will probably be administrator, but it could be any domain username with domain admin rights. [new password] will be the new password you want to set. if password complexity is enabled (which is the default on Server 2008) you will need to have some UPPER case letters and/or numbers and/or symbols in the password.
        o on SBS 2008, the administrator account is disabled by default. even if you reset the administrator password, you still won’t be able to log in because the account will still be disabled. instead of administrator, you would use the server admin user name that was used when the server was first set up. if you don’t know the user name, you can enter net user to get a list of all domain user accounts. it won’t show you which users have which privileges, but it could help jog your memory.
    • now go back to the login screen and log in with the user name and new password you just set. for user name, be sure to use the domain\username format
    • once you have verified that you can log in with the new password, repeat steps 1-4
    • enter ren utilman.bak *.exe
    • restart the server and boot normally
    and that’s it! "


    Rob
    Thursday, March 10, 2011 1:35 AM
  • Hi,

    If you have more than one domain administrator, you may use the other domain administrator to reset the locked one.

    If you don’t have another domain administrator, the method “RobWill” provided is also able to fix the issue for you, although it is not supported by Microsoft.

    After resetting the domain administrator password, it is recommended that you protect the domain controller by controlling physical access to the machine. In addition, you may consider deploying a software restriction policy using a hash rule. In this way, the fake “Utilman.exe” will not be executed.

    How To use Software Restriction Policies in Windows Server 2003 -
    http://support.microsoft.com/kb/324036

    However, in general, to protect your domain environment, you should plan a good physical access policy and protection mechanism. As described in the following TechNet article, if a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

    10 Immutable Laws of Security
    http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

    A user could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways). Meanwhile, he could remove the hard drive from your computer, install it into his computer, and read it.

    Regards,

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, March 10, 2011 8:18 AM
    Moderator
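A defender-side check for the swap both replies describe, added here as an example and not part of Rob's or the moderator's posts: it verifies that utilman.exe on the domain controller is still the genuine binary rather than a renamed cmd.exe, and looks for the utilman.bak the procedure leaves behind. It targets Windows PowerShell 2.0 (which ships with Server 2008 R2 and lacks Get-FileHash); the expectation that the genuine file's version resource names itself utilman.exe is an assumption noted in the code.

```powershell
# Added example (not from the thread): detect a cmd.exe-as-utilman.exe swap on a
# Server 2008 R2 domain controller. PowerShell 2.0 compatible; run elevated.

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-UtilmanIntegrity {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $utilman  = Join-Path $system32 'utilman.exe'
    $cmd      = Join-Path $system32 'cmd.exe'
    $findings = @()

    # Check 1: the swapped file is a byte-for-byte copy of cmd.exe, so the
    # two hashes are equal only when the swap is in place.
    if ((Get-Sha256Hex $utilman) -eq (Get-Sha256Hex $cmd)) {
        $findings += 'utilman.exe has the same SHA-256 as cmd.exe (swapped binary)'
    }

    # Check 2: the PE version resource survives a rename. Assumption: the
    # genuine binary's OriginalFilename starts with "utilman"; a renamed
    # cmd.exe reports "Cmd.Exe" instead. -notlike is case-insensitive.
    $original = (Get-Item $utilman).VersionInfo.OriginalFilename
    if ($original -notlike 'utilman*') {
        $findings += "utilman.exe reports OriginalFilename '$original'"
    }

    # Check 3: the procedure parks the real file as utilman.bak; if that file
    # still exists, the swap happened and was never fully reverted.
    if (Test-Path (Join-Path $system32 'utilman.bak')) {
        $findings += 'utilman.bak is present in System32'
    }

    if ($findings.Count -eq 0) { 'OK: utilman.exe looks genuine' } else { $findings }
}

Test-UtilmanIntegrity
```

For an independent second opinion, `sfc /verifyfile=%SystemRoot%\System32\utilman.exe` checks the file against the Windows component store.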
