recover domain user password without the domain.

Discussion in 'Server Setup' started by Don, Feb 26, 2010.

  1. Don

    Don Guest

    Hello, I have a client that has a company laptop, and he has forgotten
    his password. Now the laptop was part of an old business with a domain
    that no longer exists. What can I do to recover the password. I have
    access to the local admin account, but not the domain admin account on
    the laptop.

    Domain was with a sbs 2003 machine.
     
    Don, Feb 26, 2010
    #1
    1. Advertisements

  2. You cannot recover domain password without a domain controller.

    If you have access to the local admin account, you can unjoin computer from
    the domain. Then create a local user account and let the owner use this new
    local account.
     
    Dusko Savatovic, Feb 26, 2010
    #2
    1. Advertisements

  3. Offline NT Password & Registry Editor:
    http://pogostick.net/~pnh/ntpasswd/main.html
     
    Susan Bradley, Feb 26, 2010
    #3
  4. Or the duh answer I didn't even think of until this morning. Go to the
    DC, reset the password for his account. Problem solved.
     
    Susan Bradley, Feb 26, 2010
    #4
  5. Don

    Jim Guest


    Not really a duh answer Susan. The OP says it's a domain that no
    longer exists, so he's using cached credentials for an old domain.

    I'm not sure there's a solution, since all the standard password
    recovery tools work on a local account.
     
    Jim, Feb 26, 2010
    #5
  6. Is there any data on that account that is domain-specific?

    I am thinking perhaps the Exchange profile is a dealbreaker?

    If not, just create a new local profile and copy his old profile data
    into the new local profile.
    --
    Leonid S. Knyshov
    Crashproof Solutions
    510-282-1008
    Twitter: @wiseleo
    http://crashproofsolutions.com
    Microsoft Small Business Specialist
    Please vote "helpful" if I helped you :)
     
    Leonid S. Knyshov // SBS Expert, Feb 26, 2010
    #6
  7. Don

    Don Guest

    There is the exchange profile it is really important. If it has to be
    lost oh well. But I can move his data, however there are programs tied
    to the profile. I created a local profile and most of the programs will
    not work.
     
    Don, Feb 26, 2010
    #7
  8. Yep, that's what I figured.

    There are some workarounds we can try, such as change the registry
    location for the local profile to match the domain profile, for example.
    Please make a disk image of this laptop before you do anything as many
    changes will be hard to reverse if things go wrong.
    --
    Leonid S. Knyshov
    Crashproof Solutions
    510-282-1008
    Twitter: @wiseleo
    http://crashproofsolutions.com
    Microsoft Small Business Specialist
    Please vote "helpful" if I helped you :)
     
    Leonid S. Knyshov // SBS Expert, Feb 26, 2010
    #8
  9. Double duh. Geek = didn't fully read.

    The domain profile can be copied to the local one. If he has access to
    the local one, copy the profile.
     
    Susan Bradley, Feb 26, 2010
    #9
  10. There is an exchange profile on a domain account for a domain that doesn't
    exist anymore, but the exchange profile is still important??

    ....curious...

    Without the domain, I'm with Susan. I think you'll have to copy the profile
    to a new account and deal with some itmes that don't move.

    -Cliff
     
    Cliff Galiher - MVP, Feb 26, 2010
    #10
  11. Don

    Jim Guest


    Did you make the user a local admin? That might explain why some
    programs don't work.
     
    Jim, Feb 26, 2010
    #11
  12. Don

    Don Guest

    the user is the local admin account. There is another account the user
    used when the domain went down at work, but it has not been used for
    over a year.
     
    Don, Feb 27, 2010
    #12
  13. Don

    jj jammer Guest

    This isn't really a windows security question but more of a hacking
    question. Depending on the client what you need to understand is that the
    cached password is stored in the following location

    HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10 as a hash.

    You will need a tool like cachedump (google it) to retrieve the hashes then
    you can use a tool like "Johntheripper" again goggle it to crack the hash.

    Hopefully this helps.
     
    jj jammer, Feb 28, 2010
    #13
  14. I never really considered that an option since this is (presumably) not a
    stolen device. It is a laptop that the owner still possesses and will want
    access to. Hacking hashes is a time-intensive project for *weak* passwords,
    and nearly impossible if password strength was required as is usual in a
    domain (this was joined to SBS03 after all.)

    I also tend not to share such methods as, if someone *is* posting under
    false pretenses, the last thing I want to do is encourage illegal behavior.
    Either way, just not good...

    -Cliff
     
    Cliff Galiher - MVP, Feb 28, 2010
    #14
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.