Locked out of all Domain Administrator accounts on Windows Server 2008 R2 DC

    Question

  • Thanks in advance for your time. I have been unsuccessfully trying to backdoor back into my domain controller (Win Server 2008 R2), but maybe there's a utility or solution I haven't tried yet. Both my and my backup admin's domain admin accounts are locked out (with no timeout, as this is a hardened/secured system). Some key details: Local admin is disabled, there is a third domain admin account that is also disabled, and I do have a standard domain user account on the system as well.

    Perhaps there is a utility I can use to simply enable the disabled backup admin account and change its password, or one I can use to promote my user account to an admin account?

    I was thinking one of those 2 options is an easier approach than trying to figure out to unlock my locked domain admin account? Just desperate for thoughts/opinions here, thanks for any info you can provide.

    Nate

    Monday, May 1, 2017 8:52 PM

All replies

  • You can try to reset the built-in admin password. That should unlock it. Once done, consider renaming it.

    This will help but of course try what is mentioned in a test environment first and make sure your DCs are backed up before proceeding:
    https://www.top-password.com/blog/unlock-active-directory-user-account/
    http://binarynature.blogspot.fr/2013/01/reset-active-directory-administrator-password.html


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Monday, May 1, 2017 10:18 PM
  • Hi,
    As far as I know, while the administrator is locked, it will be unlocked automatically as soon as the correct password is used, in this case, you could have a try to reset its password by following the article as below:
    https://www.howtogeek.com/106333/how-to-reset-your-forgotten-domain-admin-password-on-server-2008-r2/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, May 3, 2017 6:39 AM
    Moderator
  • You can try resetting the Administrator account password, which will give access back to your DC. I have tried this myself and found it useful; you could try it. Btw, downtime is required.

    Boot from a Windows Server 2008 image, either USB or CD.

    Get into the Command Prompt and replace utilman.exe on Local Disk C (where your OS is installed, from that directory) with cmd. You can do this with the commands:

    "ren utilman.exe utilman.exe.old"

    "copy cmd.exe utilman.exe"

    Restart the PC. At the login screen, press Windows + U, which will open CMD.

    Run the command "net user administrator yourpassword"

    I'm not sure whether it will work in your environment or not. Please try.

    Wednesday, May 3, 2017 7:05 AM
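    A defender's check for the swap this reply describes (an added example, not code from the thread or from Microsoft): after the rename and copy, the DC is left with a command prompt reachable from its logon screen by anyone with console access until utilman.exe is put back. The script below, run as a local administrator on the booted DC, reports the traces that procedure leaves (the leftover utilman.exe.old, a utilman.exe whose hash and version resource are cmd.exe's) and can restore the original from the .old copy. Paths are the Windows defaults; the function names are my own, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example: detect whether utilman.exe has been swapped for cmd.exe
# (the procedure described in the reply above) and, if so, revert it.
$System32 = Join-Path $env:SystemRoot 'System32'

function Test-UtilmanReplaced {
    [CmdletBinding()]
    param(
        [string]$UtilmanPath = (Join-Path $System32 'utilman.exe'),
        [string]$CmdPath     = (Join-Path $System32 'cmd.exe'),
        [string]$BackupPath  = (Join-Path $System32 'utilman.exe.old')
    )
    $findings = @()

    # 1. The rename step leaves the original binary behind as utilman.exe.old.
    if (Test-Path -LiteralPath $BackupPath) {
        $findings += "Leftover renamed original found: $BackupPath"
    }

    # 2. After 'copy cmd.exe utilman.exe' the two files are byte-identical.
    $utilHash = (Get-FileHash -LiteralPath $UtilmanPath -Algorithm SHA256).Hash
    $cmdHash  = (Get-FileHash -LiteralPath $CmdPath     -Algorithm SHA256).Hash
    if ($utilHash -eq $cmdHash) {
        $findings += 'utilman.exe has the same SHA-256 as cmd.exe'
    }

    # 3. A genuine utilman.exe names itself in its version resource; a copied
    #    cmd.exe still carries cmd's own OriginalFilename.
    $orig = (Get-Item -LiteralPath $UtilmanPath).VersionInfo.OriginalFilename
    if ($orig -and $orig -notlike 'utilman*') {
        $findings += "utilman.exe version resource reports OriginalFilename '$orig'"
    }

    [pscustomobject]@{
        Replaced = ($findings.Count -gt 0)
        Findings = $findings
    }
}

function Restore-Utilman {
    # Puts the original binary back when the .old copy is still present.
    param(
        [string]$UtilmanPath = (Join-Path $System32 'utilman.exe'),
        [string]$BackupPath  = (Join-Path $System32 'utilman.exe.old')
    )
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        throw "No backup at $BackupPath; restore utilman.exe from installation media or a known-good DC instead."
    }
    # System32 binaries are owned by TrustedInstaller, so take ownership and
    # grant Administrators full control before overwriting from the running OS.
    & takeown.exe /F $UtilmanPath | Out-Null
    & icacls.exe $UtilmanPath /grant 'Administrators:F' | Out-Null
    Move-Item -LiteralPath $BackupPath -Destination $UtilmanPath -Force
}

$result = Test-UtilmanReplaced
if ($result.Replaced) {
    $result.Findings | ForEach-Object { Write-Warning $_ }
    # Uncomment to revert once you have confirmed the .old copy is the real utilman.exe:
    # Restore-Utilman
} else {
    Write-Output 'utilman.exe looks intact.'
}
```

    The three checks are independent on purpose: someone tidying up may delete the .old file but leave the copied cmd.exe in place, and the hash comparison alone would miss a cmd.exe copied from a different build than the one currently in System32, which the version-resource check still catches.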
  • Update/new challenge (and appreciate you taking time to read this)... long story short: Was able to bring up the command prompt at the Ease of Access button as you described, and unlocked the accounts using this command: “net user username /domain /active:yes”

    BUT, when I attempt a login on the DC with my domain admin account, I now get the error: “The security database on the server does not have a computer account for this workstation trust relationship”

    When I attempt a login from a workstation with the same account (after a reboot), I get the error: “The username or password is correct”. When I attempt a login with the newly unlocked user account (that hasn’t previously logged into this workstation), I get the error: “There are no logon servers available to service this request”

    I know I fudged up Active Directory when I tried to do a “Repair” on the NTDS database using that PC Unlocker utility, because it never completed, so I had to hard power down the DC, then couldn’t even log in with my standard domain user account (error was “The security database on the server does not have a computer account for this workstation trust relationship”). I still have access to this command window, but now have to start looking at what I can do to repair NTDS/Active Directory.

    Wednesday, May 3, 2017 4:53 PM
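    Once a DC has been recovered through a logon-screen prompt, the next thing to know is exactly which accounts were touched. Below is an added example (not code from the thread) that lists the relevant Security-log events from the DC: net user /active:yes enables a disabled account, which is logged as 4722; clearing a lockout is logged separately as 4767; and a password reset as 4724. Changes made from the logon-screen prompt appear with the DC's own computer account as the subject, which makes them easy to pick out. The function name and the seven-day window are my own choices.

```powershell
# Added example: list recent account-enable, password-reset and unlock events
# from the DC's Security log so that changes made through the recovery shell
# can be matched against what was intended.
# Event IDs: 4722 = account enabled, 4724 = password reset, 4767 = account unlocked.
function Get-AccountRecoveryEvents {
    param(
        [datetime]$Since        = (Get-Date).AddDays(-7),
        [string]  $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4722, 4724, 4767; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of
            # relying on their positional order in .Properties.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $action = switch ($_.Id) {
                4722 { 'Enabled' }
                4724 { 'PasswordReset' }
                4767 { 'Unlocked' }
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Action    = $action
                Target    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
}

Get-AccountRecoveryEvents | Sort-Object Time | Format-Table -AutoSize
```

    Run it against each DC, since these events are written only on the DC that processed the change and are not replicated; anything in the list that you did not do yourself during the recovery deserves a closer look.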
  • Hi,
    If you want to repair a corrupted ntds.dit file, you could try using esentutl to repair the Active Directory database:
    http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/UseEsentutlwhenNtdsutiltoolfailstorepairtheActiveDirectorydatabase.html
    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best Regards,
    Wendy Jiang




    Tuesday, May 9, 2017 1:12 PM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy



    Friday, May 12, 2017 1:57 PM
    Moderator