Locked out of SBS Domain by disabled Admin accounts

Hi
In need of urgent help.
Have a friend running SBS 2008 whereby they recently changed support and in
doing so the new Support disabled two accounts (the main Admin account and
the
Backup Admin account) thinking they were unneccesary accounts only to then
realise the two accounts were the only Administrator accounts.

Apart from two Client profile accounts these were the only four accounts
created out of the box when the SBS was installed. Subsequently no one can
currently log onto the SBS Server as Domain Admin as the only two accounts
that had log on rights to the Server have been disabled.

I can gain access to the Server via the Local Administrator account in
Directory Restore Mode...but thats about it.

Is there anyway of re-enabling the Admin accounts to regain control of the
SBS server. We can gain physical access to the server and can reboot if
needed. Several people have given advice regarding changing passwords but
the same message regarding the accounts being disabled is displayed on trying
to use the reset accounts.

Is there any other Administrator accounts that exist on SBS that I could use
to gain access to the Domain again?

Russ - www.SBITS.Biz wrote:
> First thing to do is FIRE the other IT person.
>
> Since this is SBS2008
> Do a Restore on System state before the other IT @#$#@ messed things
> up.
> Russ

Probably be my first choice too, Russ.

The other would be to get injected system startup to do something like;

dsmod user "CN=Admin,CN=Users,DC=microsoft,DC=com" -disabled NO

(using the right DN for the known administrator - no SBS 08 server at hand
to validate a DN)

>
>
> "Jon CC" <> wrote in message
> news:8D666D93-879A-489B-9497-...
>> Hi
>> In need of urgent help.
>> Have a friend running SBS 2008 whereby they recently changed support
>> and in
>> doing so the new Support disabled two accounts (the main Admin
>> account and the
>> Backup Admin account) thinking they were unneccesary accounts only
>> to then realise the two accounts were the only Administrator
>> accounts. Apart from two Client profile accounts these were the only four
>> accounts created out of the box when the SBS was installed.
>> Subsequently no one can currently log onto the SBS Server as Domain
>> Admin as the only two accounts that had log on rights to the Server
>> have been disabled. I can gain access to the Server via the Local
>> Administrator account
>> in Directory Restore Mode...but thats about it.
>>
>> Is there anyway of re-enabling the Admin accounts to regain control
>> of the SBS server. We can gain physical access to the server and can
>> reboot if needed. Several people have given advice regarding
>> changing passwords but the same message regarding the accounts being
>> disabled is displayed on trying
>> to use the reset accounts.
>>
>> Is there any other Administrator accounts that exist on SBS that I
>> could use
>> to gain access to the Domain again?

--
/kj

Not sure if it works in DSRM or not, but I'd think it would:

From a command line:
To enаble а user, use the following command:

> dsmod user <UserDN> -disаbled no

To disаble а user, use the following command:

> dsmod user <UserDN> -disаbled yes

--
-----------------------------------------------
Les Connor [SBS MVP]

"Jon CC" <> wrote in message
news:8D666D93-879A-489B-9497-...
> Hi
> In need of urgent help.
> Have a friend running SBS 2008 whereby they recently changed support and
> in
> doing so the new Support disabled two accounts (the main Admin account and
> the
> Backup Admin account) thinking they were unneccesary accounts only to then
> realise the two accounts were the only Administrator accounts.
>
> Apart from two Client profile accounts these were the only four accounts
> created out of the box when the SBS was installed. Subsequently no one can
> currently log onto the SBS Server as Domain Admin as the only two accounts
> that had log on rights to the Server have been disabled.
>
> I can gain access to the Server via the Local Administrator account in
> Directory Restore Mode...but thats about it.
>
> Is there anyway of re-enabling the Admin accounts to regain control of the
> SBS server. We can gain physical access to the server and can reboot if
> needed. Several people have given advice regarding changing passwords but
> the same message regarding the accounts being disabled is displayed on
> trying
> to use the reset accounts.
>
> Is there any other Administrator accounts that exist on SBS that I could
> use
> to gain access to the Domain again?
>

Russ - www.SBITS.Biz wrote:
> I'd be worried that they not only messed up Admin Accounts
> But OTHER things.

Very true, Russ. Often the sledge hammer hits more than the top of the thumb
tack.

:-)


>
> That's why Restoring to a point "BEFORE" they even walked into the
> door Might be a good idea.
>
> Just a thought
> Russ
>
>
> "kj [SBS MVP]" <> wrote in message
> news:...
>> Russ - www.SBITS.Biz wrote:
>>> First thing to do is FIRE the other IT person.
>>>
>>> Since this is SBS2008
>>> Do a Restore on System state before the other IT @#$#@ messed things
>>> up.
>>> Russ
>>
>> Probably be my first choice too, Russ.
>>
>> The other would be to get injected system startup to do something
>> like; dsmod user "CN=Admin,CN=Users,DC=microsoft,DC=com" -disabled NO
>>
>> (using the right DN for the known administrator - no SBS 08 server
>> at hand to validate a DN)
>>
>>>
>>>
>>> "Jon CC" <> wrote in message
>>> news:8D666D93-879A-489B-9497-...
>>>> Hi
>>>> In need of urgent help.
>>>> Have a friend running SBS 2008 whereby they recently changed
>>>> support and in
>>>> doing so the new Support disabled two accounts (the main Admin
>>>> account and the
>>>> Backup Admin account) thinking they were unneccesary accounts only
>>>> to then realise the two accounts were the only Administrator
>>>> accounts. Apart from two Client profile accounts these were the
>>>> only four
>>>> accounts created out of the box when the SBS was installed.
>>>> Subsequently no one can currently log onto the SBS Server as Domain
>>>> Admin as the only two accounts that had log on rights to the Server
>>>> have been disabled. I can gain access to the Server via the Local
>>>> Administrator account
>>>> in Directory Restore Mode...but thats about it.
>>>>
>>>> Is there anyway of re-enabling the Admin accounts to regain control
>>>> of the SBS server. We can gain physical access to the server and
>>>> can reboot if needed. Several people have given advice regarding
>>>> changing passwords but the same message regarding the accounts
>>>> being disabled is displayed on trying
>>>> to use the reset accounts.
>>>>
>>>> Is there any other Administrator accounts that exist on SBS that I
>>>> could use
>>>> to gain access to the Domain again?
>>
>> --
>> /kj

--
/kj

> (80% of my clients are remote)

In my case, if they're not physically remote, they're emotionally remote.

--

GaryK


"Russ - www.SBITS.Biz" <> wrote in
message news:...
> In fact now that I'm thinking about it
> I'd recommend restoring the OS Drive completely...
>
> This way it's as though, they didn't even touch the server.
>
> Put the SBS2008 DVD in the Server
> (Boot From it)
> Click on Recovery lower left)
> And restore the OS Partition...
>
> And there are MANY! "Qualified Techs that do remote support"
> I think everyone here probably supports remote clients.
> (80% of my clients are remote)
>
> Russ
>
> --
> Russell Grover - SBITS.Biz
> Microsoft Gold Certified Partner
> Microsoft Certified Small Business Specialist
> World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
> Microsoft Online Services - http://www.microsoft-online-services.com/
>
>
> "kj [SBS MVP]" <> wrote in message
> news:...
>> Russ - www.SBITS.Biz wrote:
>>> I'd be worried that they not only messed up Admin Accounts
>>> But OTHER things.
>>
>> Very true, Russ. Often the sledge hammer hits more than the top of the
>> thumb tack.
>>
>> :-)
>>
>>
>>>
>>> That's why Restoring to a point "BEFORE" they even walked into the
>>> door Might be a good idea.
>>>
>>> Just a thought
>>> Russ
>>>
>>>
>>> "kj [SBS MVP]" <> wrote in message
>>> news:...
>>>> Russ - www.SBITS.Biz wrote:
>>>>> First thing to do is FIRE the other IT person.
>>>>>
>>>>> Since this is SBS2008
>>>>> Do a Restore on System state before the other IT @#$#@ messed things
>>>>> up.
>>>>> Russ
>>>>
>>>> Probably be my first choice too, Russ.
>>>>
>>>> The other would be to get injected system startup to do something
>>>> like; dsmod user "CN=Admin,CN=Users,DC=microsoft,DC=com" -disabled NO
>>>>
>>>> (using the right DN for the known administrator - no SBS 08 server
>>>> at hand to validate a DN)
>>>>
>>>>>
>>>>>
>>>>> "Jon CC" <> wrote in message
>>>>> news:8D666D93-879A-489B-9497-...
>>>>>> Hi
>>>>>> In need of urgent help.
>>>>>> Have a friend running SBS 2008 whereby they recently changed
>>>>>> support and in
>>>>>> doing so the new Support disabled two accounts (the main Admin
>>>>>> account and the
>>>>>> Backup Admin account) thinking they were unneccesary accounts only
>>>>>> to then realise the two accounts were the only Administrator
>>>>>> accounts. Apart from two Client profile accounts these were the
>>>>>> only four
>>>>>> accounts created out of the box when the SBS was installed.
>>>>>> Subsequently no one can currently log onto the SBS Server as Domain
>>>>>> Admin as the only two accounts that had log on rights to the Server
>>>>>> have been disabled. I can gain access to the Server via the Local
>>>>>> Administrator account
>>>>>> in Directory Restore Mode...but thats about it.
>>>>>>
>>>>>> Is there anyway of re-enabling the Admin accounts to regain control
>>>>>> of the SBS server. We can gain physical access to the server and
>>>>>> can reboot if needed. Several people have given advice regarding
>>>>>> changing passwords but the same message regarding the accounts
>>>>>> being disabled is displayed on trying
>>>>>> to use the reset accounts.
>>>>>>
>>>>>> Is there any other Administrator accounts that exist on SBS that I
>>>>>> could use
>>>>>> to gain access to the Domain again?
>>>>
>>>> --
>>>> /kj
>>
>> --
>> /kj
>>
>
>

Well, Russ, I came across your post and I must say that it irked me a bit.
Then I checked a few of your other "solutions" and noticed a trend:

You are very good at sounding like a pompous pr!ck but not so good at
actually helping anyone.

A system state restore? Uhh, sure. SBS is notorious for DIYers trying to,
well, do it themselves. Hell, Microsoft even markets SBS as a small business
owners solution.

I have walked into many companies where SBS was set up by the "techy" owner,
or worse, the owner's kid.

The original poster probably didn't have a system state backup.

Whatever, more power to them for giving it a shot. Most of the time it is a
weird install but nothing that will put them out of business.

Now, to answer the original post and show YOU how a real IT expert from an
enterprise environment who moved to the small business market and has over 12
years experience would do it:

The SBS server disables the administrator account during the install. An
alternate "admin" account is created during the install and has a unique
name. This admin account is subject to the lockout policies which in
previous versions of SBS the admin account could not be locked out for
invalid attempts.

So, it is true you can not directly "unlock" the admin account if you only
created 1 account and do not have a backup.

Now, where an expert diverges from your incompetence is here:

You can access the server via the local administrator account.

Step 1: download Petter's password reset tool. (We all know it and have all
used it..) http://home.eunet.no/pnordahl/ntpasswd/

Step 2: Once you've blanked out the local administrator password and gained
access to the local desktop you are 90% there.

Using SRVANY from the MS resource kit you can install ANYTHING to run as a
service. What I did was this;

Step 2a: Install SRVANY and point it to a simple batch script.
Why a script? Because on the network I was tasked with unlocking I did
not know the AD structure. My little script did a query: dsquery -name *
DC=domain,DC=local....you get the idea...and send the output to a text file.

Step 3: reboot

Step 4: reboot back into directory recover mode and review the results of
the query.

Step 5 modify the batch script with dsmod user
"CN=usernam,OU=whatever,OU=whatever2, etc..etc..etc.

Step 6 reboot and the account lock is cleared.

If you don't know the password then step 5b would have had an additional
line changing the password.

See, Russ, was it that difficult to actually answer the poster's question
with out sounding like an A$$?


"Russ - www.SBITS.Biz" wrote:

> First thing to do is FIRE the other IT person.
>
> Since this is SBS2008
> Do a Restore on System state before the other IT @#$#@ messed things up.
>
> Russ
>
> --
> Russell Grover - SBITS.Biz
> Microsoft Gold Certified Partner
> Microsoft Certified Small Business Specialist
> World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
> Microsoft Online Services - http://www.microsoft-online-services.com/

Actually Russ's advice here was spot on.

The whole problem was caused because an IT person unfamiliar with Windows
Server (this isn't SBS specific if you read the problem the poster
described) was obviously meddling with accounts. This is clearly and
accurately described by the poster as some 3rd party who has proven
themselves untrustworthy.

Following your procedure does *not* undo any damage the 3rd party may have
caused, and it can be presumed (not assumed, but inferred based on data
given) that the 3rd party was indeed changing portions of the Active
Directory structure that they were unfamiliar with.

In such a scenario, the best course of action is, BY FAR AND AWAY, to
restore a known good backup of the system state at the very least...and as a
later post indicated, the system volume is even better.

--

Now, to briefly address the "rest" of your response.

Is it possible that the OP doesn't have a system state backup? Sure. But
backups are an ESSENTIAL business practice. You say that a funky setup
(weird install was your choice of words) is nothing that would put a company
out of business. But losing a server with their financial records, likely
legal records (email retention in the SOX era) and other records very well
could. So you use this fictional scenario to denigrate a regular
contributor.

There are two things wrong with this:

1) If the OP doesn't have a backup, the OP can reply and say so. Then we,
as a group, may make similar recommendations as you did. But right now it
is unnecessary, less thorough, and would *likely* leave other things broken
for reasons I described above. In other words, do the "right" thing first
and then fall back to the "oh s!$@t I don't have backups" solution only if
the RIGHT thing fails. you jumped straight to #2 without waiting to hear
from the OP.

2) You then proceeded to attack a perfectly legitimate post (yes, any IT
person who disables accounts when they are unaware of their intended purpose
in a PRODUCTION SERVER should be fired!) and used some non-logic to justify
it. I don't necessarily agree with Russ sometimes, but he contributes,
the question *was* answered, and some good advice was given along the way.
You may think the advice was pompous, but it wasn't completely unwarranted.
Your attack, however, was.

As an aside, it was clear that the OP did not make the mistake resulting in
the question being posted. The 3rd party IT person did. Russ was not
insulting the OP in any way. A straight answer to a straight question.
Move along, nothing to see here.

--

'Nuf said. I'm done beating that horse.

-Cliff


"Inverse137" <> wrote in message
news:90177147-7C8F-4A98-AA36-...
> Well, Russ, I came across your post and I must say that it irked me a bit.
> Then I checked a few of your other "solutions" and noticed a trend:
>
> You are very good at sounding like a pompous pr!ck but not so good at
> actually helping anyone.
>
> A system state restore? Uhh, sure. SBS is notorious for DIYers trying
> to,
> well, do it themselves. Hell, Microsoft even markets SBS as a small
> business
> owners solution.
>
> I have walked into many companies where SBS was set up by the "techy"
> owner,
> or worse, the owner's kid.
>
> The original poster probably didn't have a system state backup.
>
> Whatever, more power to them for giving it a shot. Most of the time it is
> a
> weird install but nothing that will put them out of business.
>
> Now, to answer the original post and show YOU how a real IT expert from an
> enterprise environment who moved to the small business market and has over
> 12
> years experience would do it:
>
> The SBS server disables the administrator account during the install. An
> alternate "admin" account is created during the install and has a unique
> name. This admin account is subject to the lockout policies which in
> previous versions of SBS the admin account could not be locked out for
> invalid attempts.
>
> So, it is true you can not directly "unlock" the admin account if you only
> created 1 account and do not have a backup.
>
> Now, where an expert diverges from your incompetence is here:
>
> You can access the server via the local administrator account.
>
> Step 1: download Petter's password reset tool. (We all know it and have
> all
> used it..) http://home.eunet.no/pnordahl/ntpasswd/
>
> Step 2: Once you've blanked out the local administrator password and
> gained
> access to the local desktop you are 90% there.
>
> Using SRVANY from the MS resource kit you can install ANYTHING to run as a
> service. What I did was this;
>
> Step 2a: Install SRVANY and point it to a simple batch script.
> Why a script? Because on the network I was tasked with unlocking I did
> not know the AD structure. My little script did a query: dsquery -name *
> DC=domain,DC=local....you get the idea...and send the output to a text
> file.
>
> Step 3: reboot
>
> Step 4: reboot back into directory recover mode and review the results of
> the query.
>
> Step 5 modify the batch script with dsmod user
> "CN=usernam,OU=whatever,OU=whatever2, etc..etc..etc.
>
> Step 6 reboot and the account lock is cleared.
>
> If you don't know the password then step 5b would have had an additional
> line changing the password.
>
> See, Russ, was it that difficult to actually answer the poster's question
> with out sounding like an A$$?
>
>
> "Russ - www.SBITS.Biz" wrote:
>
>> First thing to do is FIRE the other IT person.
>>
>> Since this is SBS2008
>> Do a Restore on System state before the other IT @#$#@ messed things up.
>>
>> Russ
>>
>> --
>> Russell Grover - SBITS.Biz
>> Microsoft Gold Certified Partner
>> Microsoft Certified Small Business Specialist
>> World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
>> Microsoft Online Services - http://www.microsoft-online-services.com/
>

Nice try russ, what you don't understand is that two things are important here
1) my time
2) the clients money

I am sick and tired of researching problems to constantly be sidetracked by
inept ir superfluous posts.

I actually found one solution that suggested creating a new account and
granting it admin rights...gee, really? I can't access the server at the
console but I should create a new account with admin rights? brilliant!!

And your solution..restore from backup. Do you really think someone would
post on a forum if they had a backup?

I can't stand doing research on a problem only to come across someone who is
posting merely because they like seeing there own words.

Restore from backup? Gee, really? Brilliant!!

My step 2 leaves out that you shhould boot into Directory Recovery Mode

My step 5 leaves off -disabled no at the end of the dsmod statement.

Do not forget who SBS is geared for and HOW SBS is marketed. I've walked
into many weird SBS networks: Entire thing installed under a single
partition, no disk redundancy, etc. While I could have told every single
client that there network should be scrapped and started over I tend to
follow a few rules : give them redundancy, give them a good backup and give
it all to them cost effectively.

If that model fits all of the books I've read...great. If I have to deviate
from the book...well, you get the idea. The goal is to give your client a
stable network at a good price. If you are called into an existing network
to fix a problem then you fix it in a cost effective manner.



....and regarding your IMO statement...you know what they say about
opionions, don't you?


"Russ - www.SBITS.Biz" wrote:

> I'm sorry if you do not understand this process.
>
> May I suggest that you may purchase one or more of these books
>
> Windows Small Business Server 2008 Unleashed
> http://www.amazon.com/Windows-Small-...7269967&sr=8-1
> And OR
> Windows® Small Business Server 2008 Administrator's Companion
> http://www.amazon.com/Windows%C2%AE-...1297332&sr=1-3
>
> It will help explain more about the features of SBS and what you can do with
> it.
>
> Slamming me because you don't understand something
> Is however regrettable and IMO not necessary.
>
> However I don't believe this newgroup is a place for this
> If you wish to insult me please email me at russ AT sbits.biz
>
> Thank you.
> Russ
>
>
>
tem state restore? Uhh, sure. SBS is notorious for DIYers trying
> > to,
> > well, do it themselves. Hell, Microsoft even markets SBS as a small
> > business
> > owners solution.
> >
> > I have walked into many companies where SBS was set up by the "techy"
> > owner,
> > or worse, the owner's kid.
> >
> > The original poster probably didn't have a system state backup.
> >
> > Whatever, more power to them for giving it a shot. Most of the time it is
> > a
> > weird install but nothing that will put them out of business.
> >
> > Now, to answer the original post and show YOU how a real IT expert from an
> > enterprise environment who moved to the small business market and has over
> > 12
> > years experience would do it:
> >
> > The SBS server disables the administrator account during the install. An
> > alternate "admin" account is created during the install and has a unique
> > name. This admin account is subject to the lockout policies which in
> > previous versions of SBS the admin account could not be locked out for
> > invalid attempts.
> >
> > So, it is true you can not directly "unlock" the admin account if you only
> > created 1 account and do not have a backup.
> >
> > Now, where an expert diverges from your incompetence is here:
> >
> > You can access the server via the local administrator account.
> >
> > Step 1: download Petter's password reset tool. (We all know it and have
> > all
> > used it..) http://home.eunet.no/pnordahl/ntpasswd/
> >
> > Step 2: Once you've blanked out the local administrator password and
> > gained
> > access to the local desktop you are 90% there.
> >
> > Using SRVANY from the MS resource kit you can install ANYTHING to run as a
> > service. What I did was this;
> >
> > Step 2a: Install SRVANY and point it to a simple batch script.
> > Why a script? Because on the network I was tasked with unlocking I did
> > not know the AD structure. My little script did a query: dsquery -name *
> > DC=domain,DC=local....you get the idea...and send the output to a text
> > file.
> >
> > Step 3: reboot
> >
> > Step 4: reboot back into directory recover mode and review the results of
> > the query.
> >
> > Step 5 modify the batch script with dsmod user
> > "CN=usernam,OU=whatever,OU=whatever2, etc..etc..etc.
> >
> > Step 6 reboot and the account lock is cleared.
> >
> > If you don't know the password then step 5b would have had an additional
> > line changing the password.
> >
> > See, Russ, was it that difficult to actually answer the poster's question
> > with out sounding like an A$$?
> >
> >
> > "Russ - www.SBITS.Biz" wrote:
> >
> >> First thing to do is FIRE the other IT person.
> >>
> >> Since this is SBS2008
> >> Do a Restore on System state before the other IT @#$#@ messed things up.
> >>
> >> Russ
> >>
> >> --
> >> Russell Grover - SBITS.Biz
> >> Microsoft Gold Certified Partner
> >> Microsoft Certified Small Business Specialist
> >> World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
> >> Microsoft Online Services - http://www.microsoft-online-services.com/
> >
>
>
>