forums Home Forums Start Page Forums Frequently Asked Questions FAQ Member List Members List
Go Back   Petri IT Knowledgebase Forums > Security > Forgot Administrator Password is happy to award RicklesP the title of Most Valuable Member !!!
Register Calendar Calendar Search Petri IT Knowledgebase Forums Search Todays Posts Today's Posts Mark Forums Read

Win2003 Domain Controller lost Local Admin & Domain Admin pwds

Win2003 Domain Controller lost Local Admin & Domain Admin pwds

this thread has 2 replies and has been viewed 15518 times

Closed Thread
Thread Tools Search this Thread Display Modes
Old 7th January 2007, 21:13
OdinTrisk OdinTrisk is offline
 Join Date: Jan 2007
  6 month star 12 month star
 Posts: 2
 Reputation: OdinTrisk is on a distinguished road (10)
Unhappy Win2003 Domain Controller lost Local Admin & Domain Admin pwds

I think I tried everything I could find, the website it a great source of information. But to recap:

System is a Windows Server 2003 which is a Domain Controller (so has AD enabled). I have not been able to recover either the Local Administrator or the Domain Administrator passwords. I believe the system to have been keep fully patched (so maybe some holes were closed by Microsoft updates since 2003 RTM + SP1 + windows updates which may stop some of the methods from working ?).

The logon screen does not show a "NODENAME (This computer)" it only shows one entry in the drop down list which is that of the domain name. With careful use of mouse and keyboard it is possible to make the Domain dropdown display a blank value. But trying to login while this is the same makes no difference. This lack of "This computer" Is this normal ? (Note: I just looked at a few win2000 server with AD and they also only list their own domain in the drop down, so I guess thats normal).

I have tried the following techniques.

1) I have run Peter Nordhl Hagen's Linux based SAM/regedit. I have tried with a specified password and also with a "*" blank password option. Rebooting each time to test. I have also picked off the "Guest" account and unlocked it, set password never expired and set a specified password (and also "*" blank password). When I reboot the logon still indicates the Guest account is not activated. There were no errors reported by the Linux NTFS writing operations.

I have also tried the same CD to modify the recovery console passwords to disable the need for an admin password from the system recovery console. However again no errors reported by the Linux NTFS write operation but the recovery console still asks for a password.

It is as-if this tool does not do anything. Version 13/02/2006.

2) Booted from BartPE, using the overwrite LOGON.SCR with CMD.EXE hack. Then rebooting on the Win2003 and waiting 10 to 15 minutes, I get a CMD.EXE. While booted on Win2003 I have tried to hijack a windows service EXE but found I did not have sufficient permissions to modify either the registry or the "C:\Program Files\..." area. So I rebooted into BartPE and was able to overwrite the EXE file to make those changes, but I was unsuccessful in my first attempt with this. I think this maybe because I renamed the FIXPASSWORD.CMD (aka resetpass.cmd) to HIJACKEDAPP.EXE and maybe I need to rethink that approach as I don't think Windows uses magic numbers to detect a .CMD from a .EXE. This leads into the next point.

3) I added "insidepro" to BartPE but the option from the menu when booted is greyed out. Even though when building he ISO BartPE's builder did not indicate any errors. I have not researched into this situation much more than seeing it was not available to me to use anyway.

With "insidepro" the add-on claims to allow me to edit the registry, I'm thinking this would have allowed me to change the path of the Hijacked server in CurrentControlSet\Services\HijackedApp\... to point to a .CMD file.

4) [Duh.. Forgot to add this in my first edit of this post] I have been using F8 Directory Service Restore Mode on bootup to try to again Local Administrator access. When DSRM boots up it does a chkdisk, if it finds it unclean it forces a reboot. Going into DSRM option with cleanly unmounted filesystems gets me to a standard windows login screen with only Username/Password (no domain) box. I am unable to login from this, I am expecting this to be the "Local Administrator" login, which I was thinking all the offline password reset tools would be able to deal with. Can anyone confirm that they have first hand experience with the same setup in gaining login from DSRM.

5) Purposely Recite And Yearn In Noble Guise, however I didn't observe any guidance from a higher force while doing so .

Maybe I could try the registry editor from Petter Nordahl Hagen's Linux disc, to change something. Then use the LOGON.SCR hack to run REGEDIT to confirm the change was really committed, before I discount PNHs disc as just not working in any confirmable way.

I am a systems developer. While this situation has been been interesting and helped me understand more about these matters, does anyone happen to know of a definitive technical reference which explains exactly how the Windows platform local and AD account managent keep its records on disk and the differences between the various generations of server platform NT/2000/2003.

Last edited by OdinTrisk; 7th January 2007 at 21:20..
Old 7th January 2007, 21:54
OdinTrisk OdinTrisk is offline
 Join Date: Jan 2007
  6 month star 12 month star
 Posts: 2
 Reputation: OdinTrisk is on a distinguished road (10)
Default Re: Win2003 Domain Controller lost Local Admin & Domain Admin pwds

In understanding more about SRVANY.EXE INSTSRV.EXE I think my renaming of .CMD into .EXE was doomed to failure. I think I need to have to modify the registriy:

CD "C:\TEMP\Domain Controller Password Reset"
MOVE *.* ..
CD ..
RMDIR "Domain Controller Password Reset"

Then edit the registry using an offline editor:

HKLM\SYSTEM\CurrentControlSet\Services\Hijacked\Im agePath="%SystemRoot%\system32\cmd.exe /c %SystemDrive%\\Temp\\change-admin-passwd.cmd" [REG_EXPAND_SZ]

So what tool from run from BartPE that allows editing of the registry.

There is also discussion in a recent thread about needing to add a SLEEP delay of maybe 2 minutes to ensure that the reset of the infrastructure is started and running before issuing the "NET USER ..." command. I suppose I can create a SLEEP.EXE in Microsoft Visual Studio and call it early on in "change-admin-passwd.cmd"

Old 7th January 2007, 22:44
rvalstar's Avatar
rvalstar rvalstar is offline
Senior Member
 Join Date: Oct 2006
  6 month star 12 month star
 Location: Houston, TX
 Posts: 1,303
 Reputation: rvalstar is just really nicervalstar is just really nicervalstar is just really nicervalstar is just really nice (376)
Default Re: Win2003 Domain Controller lost Local Admin & Domain Admin pwds

You are searching the forums and that is good.

Sleep.exe comes w/ the W2K Resource Kit. Looks like it also comes w/ the W2K3 Resource Kit:

Sleep.exe appeared to help when working with a domain workstation. I don't believe the DC will have the same issues.

The LOGON.SCR trick stopped working long ago:

I'm going to tell you if you can get the INSTSRV / SRVANY bit to run, you'll be able to get control as you'll come in as a fully privileged SYSTEM session. Or if you can find a service to hijack and have the ability to write your own, that'll work too.

So if you can edit that registry to get SRVANY in there, look at the following links and you may be able to piece it together:

I prefer getting a CMD box to pop up. I'm thinking having SRVANY launch a "SOON 120 /INTERACTIVE CMD" (vs. AT) may be the ticket.

Do let me know how it goes and if you need any more help.


** Remember to give credit where credit is due and leave reputation points Click on that post's Yin-Yang icon where appropriate **

2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
New Domain, Need All users to have Local Admin spepi GPO 6 27th December 2006 17:15
No Admin passwords - Windows 2003 Standard Server R2 Domain Controller BarrowTH Forgot Administrator Password 2 8th November 2006 12:11
Disabled XP Local Admin - Lost Password - Heavy Local Security Dusk Forgot Administrator Password 3 20th July 2006 02:11
Admin local password in Domain ? kolola Forgot Administrator Password 1 3rd April 2006 23:40
w2k server domain controller admin password lost-how do we reset? mr.whistler Windows Server 2000 / 2003 / 2003 R2 2 1st November 2005 04:58

All times are GMT +3. The time now is 09:21.

Steel Blue 3.5.4 vBulletin Style ©2006 vBEnhanced
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2015, Jelsoft Enterprises Ltd.

Valid XHTML 1.0!   Valid CSS!

Copyright 2005 Daniel Petri