Resetting domain administrator password

From Notebook

source: http://thelazyadmin.com/

Before we can begin, there are a few prerequisites: you need the local machine administrator username and password, physical access to the domain controller, and CMD.exe, SRVANY.exe and INSTSRV.exe from the Resource Kit (CMD.exe is located in %systemroot%\System32). With these in hand we are ready to begin. The following is for Windows Server 2003 only; for the Windows 2000 Server version, scroll to the end.

The first step is to reboot the DC and enter Directory Services Recovery Mode. Press F8 after POST but before the boot logo appears and select the mode from the list. When the login screen appears, log in with the local admin's username and password. You must use the local admin account because Active Directory is not running in Directory Services Recovery Mode.

Create a folder on C:\ called RecoverPWD and copy CMD.exe, SRVANY.exe and INSTSRV.exe to this folder. Open up a command prompt and type:

C:\RecoverPWD\INSTSRV.exe RecoverPWD "C:\RecoverPWD\SRVANY.exe"

This will install a new service called RecoverPWD.

Now we need to configure the properties of the service. To do this we need to edit the registry. Run regedit and browse to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RecoverPWD

We need to create a subkey called "Parameters" and under this we need to create two values.

name: Application
type: REG_SZ
value: C:\RecoverPWD\CMD.exe

name: AppParameters
type: REG_SZ
value: /k net user NewAdmin P@55Word /domain

Close regedit. From a command prompt run Services.msc and locate RecoverPWD in the list. Ensure its startup type is set to Automatic. Reboot the DC and let it start normally; once the login screen appears, log in with username NewAdmin and password P@55Word. Now that you have logged on as a domain administrator, you can reset the original domain administrator password. Once you have reset it, delete the NewAdmin account and remove the RecoverPWD service. To remove the service, open a command prompt and type:

net stop RecoverPWD

sc delete RecoverPWD

On Windows 2000 DCs it's even easier! Reboot the server and enter Directory Services Repair Mode. Log in to the DC with the local machine administrator username and password. Launch regedit and browse to:

HKEY_USERS\.Default\Control Panel\Desktop

Change the following values:

  • SCRNSAVE.EXE - change from logon.scr to cmd.exe
  • ScreenSaveTimeout - change from 900 to 10
  • ScreenSaveActive - change to 1

Close the registry editor and reboot the server. When the logon screen appears, wait 10 seconds; the logon screensaver will start and CMD.exe will run. Run DSA.msc to launch the Active Directory Users and Computers MMC. Reset the Domain Administrator password and close the MMC. Type EXIT at the command prompt to close CMD.exe. Hit CTRL+ALT+DEL and log in with the Domain Administrator username and the new password :) Be sure to change the registry settings back to the default.
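Both techniques above leave the same two fingerprints on a DC: a service whose binary is SRVANY.exe wrapping another program (here CMD.exe with a `net user` command line), and a logon-desktop screensaver that is no longer logon.scr. The following audit script is an added example, not part of the original post; it assumes it is run in an elevated PowerShell session on the DC being checked, and the key and value names it reads are the ones used in the procedure above.

```powershell
# Added audit script (not from the original post). Assumes an elevated session on
# the domain controller; reports the registry state the two techniques rely on.

function Find-SrvanyServices {
    # Any service whose ImagePath is SRVANY.exe is a wrapper: report what it launches
    # (Parameters\Application) and with which command line (Parameters\AppParameters).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($svc.ImagePath -and $svc.ImagePath -match 'srvany\.exe') {
            $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service       = $_.PSChildName
                ImagePath     = $svc.ImagePath
                Start         = $svc.Start          # 2 = Automatic, as the procedure requires
                Application   = $params.Application
                AppParameters = $params.AppParameters
            }
        }
    }
}

function Test-LogonScreensaver {
    # The pre-logon desktop runs the screensaver named in HKEY_USERS\.DEFAULT.
    # Expected: logon.scr (or unset). Anything else, especially cmd.exe, is suspect.
    $key  = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
    $desk = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $saver = $desk.'SCRNSAVE.EXE'
    [pscustomobject]@{
        ScreenSaver = $saver
        TimeoutSec  = $desk.ScreenSaveTimeout      # procedure drops the default 900 to 10
        Active      = $desk.ScreenSaveActive
        Suspicious  = [bool]($saver -and $saver -notmatch 'logon\.scr$')
    }
}

# Run both checks; an empty first table and Suspicious = False is the clean result.
Find-SrvanyServices | Format-Table -AutoSize
Test-LogonScreensaver
```

Because the procedure ends by deleting the service and restoring the screensaver values, a clean registry does not prove nothing happened; the System event log entry written when a service is installed (Service Control Manager event 7045) and the unscheduled reboot into Directory Services Restore Mode are the records that survive the cleanup.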

That's it! Pretty easy, maybe too easy. This should make you think twice about the physical security of your servers!
