Lost AD Administrator Credentials

  • Question

  • We've taken over the administration of a customer's 2008 Server which is home to their AD and their Exchange 2007 server.

    Sadly, no one has the administrator credentials as it hasn't been logged in to since it was originally installed by their old consultant.

    I've tried to use DSRM to create a srvany task to start automatically on boot to reset the administrator password as detailed in a number of posted solutions online, such as the one at petri.co.il, but this doesn't seem to work - thanks to the way that 2k8 insists on a non-"administrator" username, I suspect we may even be using the wrong username.

    Does anyone have any insight on how we can recover access to the system using DSRM? It is a little surprising to me that there doesn't appear to be any documented process to mount and alter the AD tree - is DSRM literally only good for dropping in replacement copies of the AD tree?
    Thursday, June 11, 2009 12:06 PM

Answers

    • Marked as answer by Hatclub Monday, June 15, 2009 2:16 PM
    Saturday, June 13, 2009 7:23 AM
  • Yes - thank you so much.

    For the purposes of preserving a copy of the basic premise in case that blog goes down or the post is deleted:

    Boot from Windows DVD, repair, Command Prompt, move c:\windows\system32\Utilman.exe to Utilman.exe.bak, copy cmd.exe in its place, reboot from hard disk, Win-U at login screen (or press accessibility button) - command prompt launches.

    From there you can work out who your admin user is fairly trivially, and change their password.

    Once you've done that MAKE SURE YOU *AT LEAST* REMOVE your 'new' utilman.exe - otherwise you'll be instantly leaving your system with an easily accessible command prompt which is available without authentication to any remote TS clients too! You can delete utilman.exe (the one that's the command prompt) while the system is running but you won't be able to rename the backup file to just Utilman.exe without booting fresh from the DVD and going back in.
    Personally, I would be concerned about not having a properly secured utilman.exe in place - it is not inconceivable that something else could be exploited to make a fresh copy of cmd.exe or similar in its place - and creating files in c:\windows\system32 is something that doesn't need full system level privileges - and then it can be run trivially by RDPing to the box - so don't be lazy, reboot that second time from the DVD and move the file back.
    • Marked as answer by Hatclub Monday, June 15, 2009 2:28 PM
    Monday, June 15, 2009 2:28 PM
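    A post-recovery check for the leftover risk described in the answer above, added here as an example that is not part of the original thread. It assumes PowerShell 2.0 or later on the server, that a cmd.exe copied over utilman.exe still carries cmd.exe's own version resource, and that the backup was named Utilman.exe.bak as in the post.

```powershell
# Added defensive check (not from the thread): confirm that System32\utilman.exe
# is no longer a renamed cmd.exe and that the recovery backup has been moved back.
# Run from an elevated PowerShell prompt after the second DVD boot.
$system32 = Join-Path $env:SystemRoot 'System32'
$utilman  = Join-Path $system32 'utilman.exe'
$cmd      = Join-Path $system32 'cmd.exe'
$backup   = Join-Path $system32 'Utilman.exe.bak'   # name used in the post (assumption)

# SHA-256 via .NET so the check also works on PowerShell 2.0, which lacks Get-FileHash.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$findings = @()

# 1. A cmd.exe copied into place keeps cmd.exe's embedded version resource
#    (assumption: OriginalFilename/InternalName contain "cmd").
$info = (Get-Item $utilman).VersionInfo
if ("$($info.OriginalFilename) $($info.InternalName)" -match 'cmd') {
    $findings += "utilman.exe identifies itself as cmd.exe in its version resource"
}

# 2. Byte-for-byte comparison catches a straight copy regardless of metadata.
if ((Get-Sha256Hex $utilman) -eq (Get-Sha256Hex $cmd)) {
    $findings += 'utilman.exe is byte-identical to cmd.exe'
}

# 3. A leftover .bak means the genuine binary was never restored.
if (Test-Path $backup) {
    $findings += "backup still present at $backup; original utilman.exe not moved back"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: utilman.exe is not a cmd.exe copy and no recovery backup remains'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

    The script exits non-zero when any finding is raised, so it can be dropped into a scheduled task or monitoring job to catch the file being replaced again later.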

All replies

  • Hi there,

    Please refer to this KB article; hope it helps you.

    http://support.microsoft.com/kb/961320

    Thanks
    Hussain
    Thursday, June 11, 2009 1:30 PM
  • Hi Hussain,

    Thanks for your response, but sadly you misunderstand my situation - we (fortunately) know the DSRM password, but do not know the credentials for the AD Administrator.

    The tool you link to is to enable the DSRM password to be copied from the password of a given AD user each time they change their pass.
    Saturday, June 13, 2009 1:09 AM