Windows Vista Tips

Lost admin password of Windows 2003 Server DC

 
 
Fernando Ronci

 
      04-20-2010
Hi,

A client called me to restore access to their Windows 2003 Server acting as
a DC whose Administrators' passwords have been lost. Nobody can now log into
the server. I understand that resetting the local Administrator password on
non-Active Directory Win 2003 machines is pretty easy. There are lots of
utilities that you can download and run from a bootable CD and clear out the
passwords. I also understand that the mechanism that Windows 2003 Server
employs for storing usernames and passwords is different for Domain
Controller machines and WORK_GROUP ones, such that running any
password-resetting utility from a bootable CD is not enough for the former
case.
So my question is: How do I regain access to the Win 2003 Server machine
when neither the password of the local Administrator account nor the
"Directory Services Restore Mode Administrator Password" (asked by the
Active Directory Installation Wizard during the configuration of the DC) are
known? I followed the instructions on the site
http://www.nobodix.org/seb/win2003_adminpass.html to no avail. The
instructions detailed in that document fail because the log on window
doesn't recognize the LOCAL admin password, which I previously cleared out
from a bootable CD. The fact is that when you boot into Directory Restore
Service Mode (by pressing F8 at boot time) the requested password is the
"Directory Services Restore Mode Administrator Password", not the password
of the LOCAL Administrator account. I can confirm it because I tested it on
a non-production machine.
To put it simply: Is there a way or utility to override the security
policies, if any, and reset/delete all the administrative passwords?

Thank you in advance.
Fernando


 
 
 
 
 
Phillip Windell

 
      04-20-2010
How can somebody lose the Admin password? That is an account that gets used
all the time,...daily,...whoever has been using it should know it.

Look for other accounts on the machine (maybe even service accounts?) that
may have administrator access (member of Administrators Group or Domain
Admins Group),...then log in with one of those and reset the Administrator
Account Password.

Maybe others will have suggestions,...but apart from what I said, I think you
are just flat screwed.

Losing Admin credentials,...how can anyone actually do that?


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Fernando Ronci

 
      04-21-2010

Thanks for your reply.
I'll check with the client which other accounts with admin access are
available.

Fernando
 
Florian Frommherz [MVP]

 
      04-21-2010
Howdie!

On 21.04.2010 04:31, Fernando Ronci wrote:
> Thanks for your reply.
> I'll check with the client which other accounts with admin access are
> available.


Is it the DSRM Admin you have lost or is that the Builtin\Administrator
account?

cheers,
Florian
 
 
Fernando Ronci

 
      04-21-2010
Both passwords are lost.

Thanks,
Fernando
 
Joe Dunn

 
      04-21-2010

If you have no DSRM password or password for any Domain Admin or Enterprise
Admin account there is nothing you can do as far as I'm aware, and I would
certainly hope not too.

For your information there is no 'local' administrator account on DCs as
they have no local SAM only the AD database and security. The
builtin\administrator account on a DC is for the entire domain. Yes the DSRM
password is different to the Administrator password because the AD database
is not available when booting into DSRM.

Best regards
Joe Dunn
MBCS, MCSE, MCTS, CCNA
 
Florian Frommherz [MVP]

 
      04-21-2010
Howdie!

On 21.04.2010 14:56, Joe Dunn wrote:
> If you have no DSRM password or password for any Domain Admin or Enterprise
> Admin account there is nothing you can do as far as I'm aware, and I would
> certainly hope not too.


Well, there are ways -- the DSRM-Admin's password is stored in the local
SAM of any DC. That is why you have to provide a DSRM admin password for
every new DC you dcpromo up. It isn't synced/replicated.

Cheers,
Florian
 
 
Fernando Ronci

 
      04-21-2010
Thanks!

Yes, I knew that Win 2003 handles usernames and passwords very differently
in Workgroup and DC installations.

Fernando
 
Phillip Windell

 
      04-22-2010
Well if you ever get through this,... create at least one other additional
account that is a member of the Domain Admins Group. This will serve as a
stand-by account in case something gets fouled up with the normal admin
account.

*Keep records* of the Administrator Passwords,...multiple copies,...stored
in different "safe" places.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Fernando Ronci

 
      04-23-2010
Thanks Phillip,

I believe the client gave up. The last time I checked they were considering
re-installing the Operating System and starting over.

Fernando