Ever forget the administrator password? Probably not, but you may have walked into a client's office only to find no one knows the password. Resetting the local machine password is easy with a wide variety of tools available to do it. I personally like Locksmith, which is included in ERD Commander from Winternals, but there is a free version called NTPasswd that also works great. These will allow you to gain access to the local machine, but what if you need to reset the Domain Administrator's password? Well, keep reading :)
Before we can begin, there are a few prerequisites:
- the local machine administrator username and password
- physical access to the Domain Controller
- CMD.exe
- SRVANY.exe
- INSTSRV.exe from the resource kit (
With these in hand we are ready to begin. The following is for Windows Server 2003 only; for the Windows 2000 Server version, scroll to the end. The first step is to reboot the DC and enter Directory Services Recovery Mode. Press F8 after POST but before the boot logo appears and select the mode from the list. When the login screen appears, log in with the local admin's username and password. You must use the local admin account because Active Directory is disabled in Directory Services Recovery Mode.
Create a folder on C:\ called RecoverPWD and copy CMD.exe, SRVANY.exe and INSTSRV.exe to this folder. Open a command prompt and type:
C:\RecoverPWD\INSTSRV.exe RecoverPWD "C:\RecoverPWD\SRVANY.exe"
Press Enter. This will install a new service called RecoverPWD. Now we need to configure the properties of the service, which means editing the registry. Run regedit and browse to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RecoverPWD
We need to create a subkey called "Parameters" and under it create two values:
- Name: Application, type: REG_SZ, value: C:\RecoverPWD\CMD.exe
- Name: AppParameters, type: REG_SZ, value: /k net user NewAdmin P@55Word /domain
Close regedit. From a command prompt run Services.msc and locate RecoverPWD in the list. Ensure its startup type is set to Automatic. Reboot the DC and let it start normally; once the login screen appears, log in with username NewAdmin and password P@55Word. Now that you have logged on as a domain administrator, you can reset the original domain administrator password. Once you have done so, delete the NewAdmin account and remove the RecoverPWD service.
To remove the service, open a command prompt and type:
net stop RecoverPWD
sc delete RecoverPWD
On Windows 2000 DCs it's even easier! Reboot the server and enter Directory Services Repair Mode. Log in to the DC with the local machine administrator username and password. Launch regedit and browse to:
HKEY_USERS\.Default\Control Panel\Desktop
Change the following values:
- SCRNSAVE.EXE - change from logon.scr to cmd.exe
- ScreenSaveTimeout - change from 900 to 10
- ScreenSaveActive - change to 1
Close the registry editor and reboot the server. When the logon screen appears, wait 10 seconds; the logon screensaver will start and CMD.exe will run. Run DSA.msc to launch the Active Directory Users and Computers MMC. Reset the Domain Administrator password and close the MMC. Type EXIT at the command prompt to close CMD.exe. Hit CTRL+ALT+DEL and log in with the Domain Administrator username and the new password :)
Be sure to change the registry settings back to the defaults. That's it! Pretty easy, maybe too easy. This should make you think twice about the physical security of your servers!
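Both procedures above leave traces in the registry: a service whose ImagePath is SRVANY.exe with a Parameters\Application value (the 2003 method), and a changed screensaver under the .DEFAULT logon desktop (the 2000 method). The following Python script is an added defender-side check, not part of the original post, that parses a regedit .reg export of those hives and flags either artifact, so an administrator can verify the cleanup the text calls for or spot the same changes made by someone else. The SAMPLE_EXPORT is constructed for the demonstration; the expected defaults (logon.scr, a 900-second timeout) are the ones the text names.

```python
"""Audit a regedit .reg export for the artifacts the SRVANY-service and
logon-screensaver procedures leave behind. Constructed example; the sample
export below is made up and is not a capture from any real server."""
from typing import Dict, List, Optional, Tuple

RegistryDump = Dict[str, Dict[str, str]]  # key path -> {value name: data}

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
LOGON_DESKTOP = r"HKEY_USERS\.DEFAULT\Control Panel\Desktop"


def parse_reg_export(text: str) -> RegistryDump:
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: data}}.
    REG_SZ quoting and doubled backslashes are undone, DWORDs become decimal
    strings, other value types are kept as raw text."""
    dump: RegistryDump = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            dump.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')  # the default value '@' stays '@'
        data = data.strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        dump[current][name] = data
    return dump


def _lookup(dump: RegistryDump, path: str) -> Dict[str, str]:
    """Registry paths are case-insensitive; exports keep whatever case was typed."""
    wanted = path.lower()
    for key, values in dump.items():
        if key.lower() == wanted:
            return values
    return {}


def find_srvany_services(dump: RegistryDump) -> List[Tuple[str, str, str]]:
    """Return (service, wrapped program, arguments) for each SRVANY-hosted service.
    SRVANY starts Parameters\\Application as LocalSystem at boot, which is what
    the RecoverPWD service in the text relies on."""
    findings = []
    prefix = SERVICES_ROOT.lower() + "\\"
    for key, values in dump.items():
        if not key.lower().startswith(prefix):
            continue
        service = key[len(prefix):]
        if "\\" in service:  # a subkey such as ...\Parameters, not a service
            continue
        if "srvany.exe" not in values.get("ImagePath", "").lower():
            continue
        params = _lookup(dump, key + r"\Parameters")
        findings.append((service, params.get("Application", ""),
                         params.get("AppParameters", "")))
    return findings


def check_logon_screensaver(dump: RegistryDump) -> List[str]:
    """Return deviations from the logon-desktop screensaver defaults. Whatever is
    named here runs on the logon desktop before anyone has logged on, so any
    SCRNSAVE.EXE other than logon.scr deserves a look."""
    desktop = _lookup(dump, LOGON_DESKTOP)
    issues = []
    scr = desktop.get("SCRNSAVE.EXE")
    if scr is not None and scr.lower().rsplit("\\", 1)[-1] != "logon.scr":
        issues.append(f"SCRNSAVE.EXE is {scr!r}, expected logon.scr")
    timeout = desktop.get("ScreenSaveTimeout")
    if timeout is not None and timeout.isdigit() and int(timeout) < 60:
        issues.append(f"ScreenSaveTimeout is {timeout}s, default is 900")
    return issues


# Constructed sample, modelled on a DC where both procedures were run and not cleaned up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RecoverPWD]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\RecoverPWD\\SRVANY.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RecoverPWD\Parameters]
"Application"="C:\\RecoverPWD\\CMD.exe"
"AppParameters"="/k net user NewAdmin P@55Word /domain"

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"SCRNSAVE.EXE"="cmd.exe"
"ScreenSaveActive"="1"
"ScreenSaveTimeout"="10"
'''


def audit(text: str) -> Dict[str, list]:
    """Run both checks over one export and return findings keyed by check name."""
    dump = parse_reg_export(text)
    return {"srvany_services": find_srvany_services(dump),
            "logon_screensaver": check_logon_screensaver(dump)}


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_EXPORT).items():
        print(f"{check}: {hits if hits else 'clean'}")
```

On a live system the same two checks can be run against an export taken with `regedit /e` of the Services key and of HKEY_USERS\.DEFAULT, or against hives pulled from a forensic image; the script only needs the text form. A service hosted by SRVANY.exe is not itself malicious, so treat every hit as something to explain rather than something to delete blindly.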
For more information see:
NTPasswd Offline NT Password and Registry Editor