Administrator gets locked out

Ed Gregory

I have a Win2000 Pro machine that is allowing the administrator account to
be locked out. I thought that with Win2000, XP, 2003 the administrator
account couldn't be locked out. This comes from MS tech articles. The
user, I guess, typed the password incorrectly too many times and now we are
unable to login with the administrator account. There are only two accounts
on the system: Administrator and Guest.

How do I unlock or enable the administrator account? I don't mean how do I
recover a password, but how do I disable the account locked out flag that
must be set in the user?

Thanks.
 
Herb Martin

Ed Gregory said:
> I have a Win2000 Pro machine that is allowing the administrator account to
> be locked out. I thought that with Win2000, XP, 2003 the administrator
> account couldn't be locked out. This comes from MS tech articles. The
> user, I guess, typed the password incorrectly too many times and now we are
> unable to login with the administrator account. There are only two accounts
> on the system: Administrator and Guest.

Well, most of us think that it cannot be locked.

Is it possible something CHANGED the password?

> How do I unlock or enable the administrator account? I don't mean how do I
> recover a password, but how do I disable the account locked out flag that
> must be set in the user?

You are basically stuck with trying to hack your own
SAM.

Googling the obvious (or someone will post a link)
will get you help on cracking your own SAM...

Something like (untested): [ "lost password" microsoft: ]

That last term "microsoft:" (with colon) is a Google keyword
for their special web-wide "Microsoft collection".
 
somebody

My understanding is that the built-in administrator account cannot be
locked out at the console, but can be made to follow lockout policies
for logon attempts over the network. Is this account in fact locked
out at the console?

What's the status of the guest account? It used to be recommended to
rename the administrator account for increased security (very little
benefit).

What's the access to the machine? Could the admin account have been
renamed to something different and a decoy non-admin account given the
name of administrator? In fact, can the guest account be renamed to
administrator (and administrator to guest)? Check the status of the
guest account.

The SIDs will tell which is which.

Roger
 
Herb Martin

> My understanding is that the built-in administrator account cannot be
> locked out at the console, but can be made to follow lockout policies
> for logon attempts over the network. Is this account in fact locked
> out at the console?

Perhaps he meant network.

It makes no sense (even) to allow lockout from the
console since this could be a denial of service attack
against the admin with no supported way to reset it.
 
Roger Abell

My understanding agrees with what you two have expressed.
I have however seen before a couple times systems (granted,
all XP) where the built-in had indeed become locked out (not
disabled) and best we could tell it had been by some malware.
 
Steven L Umbach

Scary?? Did you have to reinstall assuming a non domain computer?? ---
Steve
 
Roger Abell

They pretty much accepted the advice that
a compromised system is a compromised system
perhaps always will be --> format + build
Those systems did not come up clean to industry
anti-malware scans.
 
Steven L Umbach

OK. I was not sure if malware had been detected or if it was assumed. That
free password reset disk that is common on the internet will enumerate the
user accounts on a computer and show if an account is locked out/disabled. A
renamed built in administrator account will show as the new name but the ID
01F4 by a user name will indicate the built in administrator account which
may help someone if they are unsure which account is the built in
administrator account. I have found that going to the \winnt\repair folder
and copying the sam and security file to \winnt\system32\config folder
[after backing up/renaming the old] while not running in the operating
system that you are copying the sam/security file to can return the sam to
the state of an account not being locked out. Of course if the System State
has never been backed up that sam will only contain the built in
administrator account [with original password] and the guest account but it
could possibly be a way to "unlock" the administrator account, though I
certainly am not suggesting that is a better solution than rebuilding a
compromised computer. --- Steve
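
Added example (not part of any post in this thread): the SID/RID check mentioned above by "somebody" and Steve, sketched in Python. The built-in Administrator always carries RID 500 (hex 01F4) and Guest RID 501 (01F5), whatever the accounts have been renamed to. The account names and SIDs below are constructed sample data.

```python
# Well-known RIDs of the two built-in local accounts.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}  # 0x01F4, 0x01F5

def parse_sid(sid):
    """Split a string SID into (identifier authority, [sub-authorities])."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % sid)
    return int(parts[2]), [int(p) for p in parts[3:]]

def classify(name, sid):
    """Say what an account really is, judged by its RID rather than its name."""
    authority, subs = parse_sid(sid)
    # User accounts look like S-1-5-21-<three machine/domain values>-<RID>.
    is_account = authority == 5 and len(subs) == 5 and subs[0] == 21
    rid = subs[-1]
    builtin = BUILTIN_RIDS.get(rid) if is_account else None
    if builtin and name.lower() != builtin.lower():
        return "renamed built-in %s (RID %04X)" % (builtin, rid)
    if builtin:
        return "built-in %s (RID %04X)" % (builtin, rid)
    if name.lower() in (n.lower() for n in BUILTIN_RIDS.values()):
        return "decoy: named %s but RID is %04X" % (name, rid)
    return "ordinary account (RID %04X)" % rid

def audit(accounts):
    """Map each account name to its classification."""
    return {name: classify(name, sid) for name, sid in accounts}

# Constructed sample: a renamed built-in admin plus a decoy "Administrator".
MACHINE = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    ("svc_root", MACHINE + "-500"),
    ("Administrator", MACHINE + "-1003"),
    ("Guest", MACHINE + "-501"),
    ("ed", MACHINE + "-1004"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print("%-15s %s" % (name, verdict))
```
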
 
Roger Abell

Right on, on the use of the reg copies in Repair dir,
as the copy into active use is precisely part of an ERD
repair, or OS CD boot to repair, and does reset box
to point of last System State bkup.
I have to assume that the binaries are coded to protect
against the built-in from having its bits set to disabled,
but the bits are there and if set are obeyed by the other
binaries (IOW, the binaries protect against setting rather
than against enforcement) - - - just speculation.

--
Roger
 
rgritter

Best solution: Get an "ERD Commander" CD and boot from it.

ERD Commander will boot and set up a utility partition apart from
Windows, but will allow you to reset an Admin password (or any user
password).

It is a great program to have available for these 'emergencies'.


RGR
 
