
Unlocking Windows NT/2000/2003 Domain Controllers

Petter Nordahl-Hagen has written a Windows NT/2000 offline password editor. I have been using various versions of this disk for several years and have had very good results with it. Thank you, Petter!

However, the program only resets the password for the MACHINE Administrator account, not the DOMAIN Administrator account. And wouldn’t you know it, on a Windows 2000 server which is an Active Directory controller, you CANNOT log into any machine-level account. Which means that resetting the MACHINE Administrator password is pretty much useless.

Or so it would seem. It turns out that “Directory Service Recovery Mode” uses the MACHINE-level accounts, since the whole point of this mode is that the AD control databases may be corrupted and you need a way to manually edit them (presumably using some high-priced third-party software package…)

I was able to reset the password on the DOMAIN Administrator account using the following procedure:

Again: If you are trying to fix a server, please READ THIS ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.

NOTE: If you are following these directions to try and “break into” a corporate domain which has one or more working Active Directory controllers, but YOU don’t have Administrator access to the domain, you’re wasting your time. The procedure detailed below will only work if you have physical access to a domain controller. It will also forcibly reset the AD Administrator password, which means that if you are somehow able to do this to a domain controller, the existing Administrator password will no longer work and the rightful administrators will know something is going on… and if they trace it back to you and fire you, or even better put you in jail, then you have gotten what you deserve.

  • Use Petter’s disk to reset the MACHINE Administrator password to “no password”.

NOTE: If you are following these directions to work on a machine which is not a domain controller, STOP RIGHT HERE. You now have access to the machine by rebooting and logging in as the machine’s Administrator account (with no password.) Everything below this message is specific to domain controllers.

NOTE: If you are following these directions to work on a machine which is running Windows XP, STOP RIGHT HERE. The machine IS NOT A DOMAIN CONTROLLER. Go back and re-read the note right above this one.

NOTE: If you are following these directions to work on a machine which is running Windows 2003, STOP RIGHT HERE and follow these directions instead.

  • Reboot, hit F8, and enter “Directory Service Recovery Mode”. The machine will boot up as a standalone server without any Active Directory support.
  • When the login screen appears, hit CTRL-ALT-DEL and log in as “Administrator” with no password. This is the MACHINE Administrator account, and does not have the ability to modify anything specific involving the Active Directory information, although it can back up and restore the physical files which contain the AD databases.
  • Run “regedit”. Navigate to HKEY_USERS\.Default\Control Panel\Desktop and change the following values:
    Value               Original          Change to
    SCRNSAVE.EXE        logon.scr         cmd.exe
    ScreenSaveTimeout   900               15
    ScreenSaveActive    May be 0 or 1     1

  • Reboot normally. When the box appears asking you to hit CTRL-ALT-DEL to log in, just wait. After 15-30 seconds you will see a command prompt appear (since that is now the screensaver).
  • I have received an email from somebody which simplifies the process… I can’t verify this myself (because I don’t use Windows) but the method makes sense. Apparently, once you get the command prompt you can type this one command to reset the password:

    C:\WINNT\system32> NET USER ADMINISTRATOR newpassword

    Once you enter this command, you should be able to exit from the command prompt, hit CTRL-ALT-DELETE, and log into the domain Administrator account using the new password. Again, without a Windows server I have no way to verify that this does or does not work, so I would appreciate any feedback from people who have tried this and can tell me that it does or does not work with their particular version of Windows.

  • In the command prompt, type the following command:

    C:\WINNT\system32> MMC DSA.MSC

    This should bring up the management console where you can edit users’ passwords, including the password for the Administrator account. If you type this command and it doesn’t work, wait 30 seconds and try it again. This happened to me, it sounded like it was still in the process of loading drivers into memory in the background…

    If this doesn’t work after waiting the 30 seconds… realize that THIS IS A COMMAND PROMPT WITH FULL DOMAIN ADMINISTRATOR RIGHTS, and you’re running a command (“MMC.EXE”) with another filename (“DSA.MSC”) as an argument. If it “just plain doesn’t work”, maybe you need to locate these two files and type them in as full path names. Maybe something like “C:\WINNT\SYSTEM32\MMC.EXE C:\WINNT\SYSTEM32\DSA.MSC”.

    If you know absolutely nothing about how to use a command line, then reboot into DSR Mode, log in as Administrator, and use the graphical “Find Files” thingy to find the files, and write down their locations. Then try it again (reboot and wait for the command line, etc.)
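As an added defensive example that is not part of the original article: the registry values the procedure changes under HKEY_USERS\.Default\Control Panel\Desktop are exactly what an administrator should audit on a domain controller afterwards. The PowerShell function below (the function name, the -Restore switch and the 60-second threshold are this example's own assumptions, and it assumes a PowerShell-capable Windows host) flags a non-.scr logon screensaver or an unusually short timeout, and can put the stock values from the table back.

```powershell
# Added defensive example, not part of the original article.
# Audits the logon-desktop screen saver values that the procedure above changes
# and optionally restores the stock values. Run as a local administrator.
# Function name, parameter name and the 60-second threshold are assumptions.
function Test-LogonScreenSaver {
    [CmdletBinding()]
    param(
        [switch]$Restore   # put the values back to logon.scr / 900 if tampering is found
    )
    $key          = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
    $stockScr     = 'logon.scr'   # "Original" value from the table above
    $stockTimeout = 900           # seconds, "Original" value from the table above
    $minTimeout   = 60            # assumption: shorter than this on a logon desktop is suspect

    $props    = Get-ItemProperty -Path $key -ErrorAction Stop
    $findings = @()

    # Anything other than a .scr on the logon desktop runs before anyone logs in.
    $scr = [string]$props.'SCRNSAVE.EXE'
    if ($scr -and $scr -notmatch '\.scr$') {
        $findings += "SCRNSAVE.EXE = '$scr' is not a .scr file (expected '$stockScr')"
    }

    # The value is stored as a string; parse it and compare against the threshold.
    $timeout = 0
    if ([int]::TryParse([string]$props.ScreenSaveTimeout, [ref]$timeout) -and
        $timeout -gt 0 -and $timeout -lt $minTimeout) {
        $findings += "ScreenSaveTimeout = $timeout seconds (stock value is $stockTimeout)"
    }

    if (-not $findings) {
        Write-Output "OK: logon screen saver values under $key look unchanged"
        return
    }

    foreach ($f in $findings) { Write-Warning $f }
    Write-Warning 'Treat this as evidence of a console-based reset; review who had physical access.'

    if ($Restore) {
        Set-ItemProperty -Path $key -Name 'SCRNSAVE.EXE'      -Value $stockScr
        Set-ItemProperty -Path $key -Name 'ScreenSaveTimeout' -Value "$stockTimeout"
        Write-Output "Restored SCRNSAVE.EXE='$stockScr' and ScreenSaveTimeout=$stockTimeout"
    }
}

# Usage: Test-LogonScreenSaver            (report only)
#        Test-LogonScreenSaver -Restore   (report, then restore the stock values)
```

Pair the check with a review of the domain Administrator account's password-last-set time, since the procedure above forcibly changes it.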