Methods for Recovering Administrator Accounts

Will

I'm trying to bring together information about how to recover an
administrator login to a member server and to a domain controller, for
Windows 2000 and Windows 2003 / XP. I see at least three problem
conditions I want to understand if there is a way to recover from:

1) Built-In Administrator Account Password Forgotten

This can be fixed by booting the Windows installation CD and using a special
device driver that is written by Mirider http://www.mirider.com named NT
Access.

Sunbelt Software sells it for $70

http://www.sunbelt-software.com/NTAccess.cfm

Plan on spending a few days though to build a bootable CD that uses it.

2) Administrator in Deny Login Locally Privilege

What if the Built In Administrator account has been placed into the Deny
Login Locally group. This prevents you from logging in for that account
even when you know the password!!

For this case you would need the NTRIGHTS program that comes with the NT
Resource Toolkit. However you would need to find a way to run this in the
SYSTEM context since the local admin is locked out.

Anyone have ideas on how to do that?

3) Administrator Account Permanently Disabled

Microsoft recommends disabling the built-in Administrator account on a
Windows 2003 DC, so finding a way to recover from that state is what I want.
This assumes some emergency that makes the Domain Admins in AD not
available.

I imagine 2) and 3) above could be solved by a program similar to the one I
describe for 1) above. Probably hackers have such tools, but I don't want
to be downloading questionable software written by hackers. Is there a
commercial solution?

Are there other lockout situations I should be aware of?
 
Roger Abell [MVP]

Built-in Administrator account, if disabled, is able to log into
a safe mode boot (provided its name and password are known).
If we speak of unknown passwords for non-AD (i.e. machine
local) Administrator account, the most common password
(re)setter is possibly ntpasswd
home.eunet.no/pnordahl/ntpasswd/bootdisk.html
or the one from Petri
(just Google on such as Lost Windows Administrator password)
If it is a domain's built-in, use another account that has the ability
to set passwords to reset it to known value.
If the local policy denies login, and network access is available,
one can use a mapped drive to set NTFS permissions on the two
critical directories for group policy application so that there is
a Deny full for the admin or Administrators.
If the issue is with AD-based GPO, use another account that has
been delegated edit on the GPOs to correct the issue or link in
a temp higher priority GPO to override the troublesome setting.

With W2k3 server the built-in can be made unable to login via
network or terminal services but still be of use at console. Some
shops even use the setting combo of a blank password and the
policy that with blank pwd only console local login is allowed
(think techs in large server farm).

You could cause NTrights utility to run as system in a domain
environment by making the utility available via share and initiating
it with a startup script. If the machine is not accessible and is also
not behaving in healthy manner relative to GPO application you may
be toasted.

For each response provided there are other alternatives.

I am not sure if that covered all of your cases, member vs DC, and
it certainly does not cover the case of all domain accounts that are
able to reset password having unknown username/password pairs.

Other situations, you ask.
Yes, but the one that is top of the head this morning is that here, as
in many prior posts you focus on the login Deny policy setting.
There are also the mostly parallel cases of failure to grant.
There are issues with GC non-availability making domain accounts
non-usable when login caching is shut off (or even problems with
locator records or access to them in DNS).
Although not a login denial, one all too commonly seen problem is
when novice DAs use GPO settings to restrict the use of MMC tools
for Everyone (or some group that includes DAs) which disables their
ability to reedit the GPO to remove the mistake.
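
An added example, not part of either post above: a Python check that reads a user-rights template exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and flags the two lockout conditions discussed in this thread before they bite, namely an administrator caught by "Deny log on locally" and the parallel failure-to-grant case. The sample template, the function names and the default account name `Administrator` are assumptions made for the illustration.

```python
# Constructed sample of a `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# template; not taken from the thread. Real exports are usually UTF-16 files.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546,Administrator
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

ADMINS_SID = "S-1-5-32-544"    # BUILTIN\Administrators
EVERYONE_SID = "S-1-1-0"       # Everyone


def parse_rights(inf_text):
    """Map each user right to its principals (SIDs lose the leading '*')."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()}
    return rights


def covers_admin(principal, admin_name="Administrator"):
    """True for the built-in admin (by name or RID 500) or a group containing it."""
    p = principal.upper()
    if p in (ADMINS_SID, EVERYONE_SID):
        return True
    if p.startswith("S-1-5-21-") and p.endswith("-500"):
        return True
    return p.split("\\")[-1] == admin_name.upper()


def audit(inf_text, admin_name="Administrator"):
    """Return (finding, principal) pairs for the two lockout cases in the thread."""
    rights = parse_rights(inf_text)
    deny = rights.get("SeDenyInteractiveLogonRight", set())
    grant = rights.get("SeInteractiveLogonRight", set())
    findings = [("deny-local-logon", p) for p in sorted(deny)
                if covers_admin(p, admin_name)]
    # Assumption: the file is a full export, so a missing grant means nobody holds it.
    if not any(covers_admin(p, admin_name) for p in grant):
        findings.append(("no-local-logon-grant", ADMINS_SID))
    return findings
```

A deny entry takes precedence over a grant, so the constructed sample is reported even though Administrators still holds the local logon right.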
 
