by Craig

Dealing with: Your entire 2003/2008 AD domain being locked out!

So you have tried your normal account (it’s locked out), you have found the admin password from wherever you keep it (it’s locked out too), and you are now wondering whether to go back to a backup of your domain controller.

I have been through these thought processes and, from experience, have successfully used the following method to regain access. The method below has been researched from various sites on the internet and can be adapted as required. I’ll attempt to explain why the steps involved are used as we go through for clarity.

General premise

The idea here is to run a process (service) when the domain controller reboots that sets the admin password to be something you know and unlocks the account. To do that we need to have that process start on the domain controller and run as a privileged user.

Initial steps

You first need to be able to reboot your domain controller and have console access to it. This is easy if it’s a physical box (although lugging that screen and keyboard around a server room is a pain!) but not so easy if it’s a virtual machine.

If you are running a VMware virtual setup then you will need to edit the settings of the domain controller Virtual Machine and do the following:

Edit Settings -> Options Tab -> Boot Options -> Power On Boot Delay - change this to 5000ms
This delays the time between the initial BIOS loading on your VM and the OS being loaded. In that 5000ms you have the opportunity to interrupt the boot process (the F8 key) and get access to safe mode.

Local admin Password

You need the local admin password for the machine. This is NOT the domain administrator password; that is a different thing. The local admin password would have been set up with the machine and hopefully is also stored somewhere you can find it. You need it to log in locally to the machine in safe mode.

Microsoft Tools SRVANY and INSTSRV

These are tools (executables) provided by Microsoft in the Windows NT Resource Kit which we will use to create a user-defined service. That service is what resets the administrator password in the domain, so we need both of them. They can be downloaded from the internet; I have not found originals to host here but will look in future…

If you are using VMware you will also need to create an ISO with these on it and put it somewhere you can mount it within the VM. If the domain controller is physical, a USB drive or a CD with the two executables on it will do. There are many ways to do this, but it is worth doing in advance.

The process

Firstly we need to boot this domain controller into safe mode which we can do by hitting F8 as it boots and choosing (from rather a long menu) “Directory Services Restore Mode”.

At this point you will need to log in to the machine as the LOCAL administrator (not domain), which should give you desktop access. You can’t make any changes to Active Directory, as you didn’t log in as domain admin, but you can access the environment.

Now we need to create a service to run our custom command.

Create a directory C:\Unlock - the choice of folder is arbitrary but I would imagine you don’t have an unlock directory yet!!

In that directory you need to copy INSTSRV.EXE and SRVANY.EXE from the CD/ISO/USB that you created earlier. You also need to copy cmd.exe from the system32 directory (usually C:\Windows\system32) as this will make your scripting easier. You don’t HAVE to copy cmd.exe, but it makes later stages easier, so I would.

Now we need to create the service itself to run our command. We do this by opening a DOS prompt, navigating to our directory and typing the following:

INSTSRV ResetPassword "C:\Unlock\SRVANY.EXE"

This will use the INSTSRV executable to create a service called “ResetPassword” that points to SRVANY.EXE in your directory. The trick here, of course, is that the service will start with whatever permissions you give it, including a privileged account! That is the bit that actually “breaks in” to the system: the ability for this service to run as a privileged account.

To set the permissions for the service you now need to open up the Services MMC:

Control Panel -> Administration -> Services

Select the properties of the “ResetPassword” service (you just made that) and ensure the “Startup type” is “Automatic”. Select “Log On”, and in there make sure the “Log on as:” is set to “Local System account” and that “Allow service to interact with desktop” is checked. This means the service now starts when the OS does, under a privileged account.

The last thing we need to do is configure our privileged service with a command to reset our administrator account’s password.

Start regedit and go to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ResetPassword

This is the configuration area for our new service so we create a new subkey called “Parameters” and then two new values within that:

name: Application
type: REG_SZ (string)
value: C:\Unlock\cmd.exe

name: AppParameters
type: REG_SZ (string)
value: /k net user administrator PASSWORD /ACTIVE:YES /domain

The second of these parameters is the one you are really interested in. The “net user” DOS command allows you to alter accounts from the command line, including creation, expiry, password reset and unlocking (among others). In this particular line we are going to reset the password and make sure that the account is unlocked. Running through the command we have: /k - this makes the DOS prompt treat the rest of the line as a string; net user administrator - we are using the net user command against the administrator account!; PASSWORD - the new password for the account; /ACTIVE:YES - unlocks the account; /domain - ensures the net user command works against the domain and not the local machine.

IMPORTANT! You need to change PASSWORD to be the new password for the administrator account, and it must comply with your current password policy (complexity, length etc.). If you don’t do this then it will simply not work, and it won’t tell you why! Make sure you do this correctly.
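Because a rejected password fails silently at boot, it is worth checking the candidate password before you type it into AppParameters. The following PowerShell function is an added example, not part of the original post or of the Microsoft tools; it applies the default Windows complexity rules (three of five character classes, no account name) and also flags characters that cmd.exe would interpret on the /k command line. The minimum length is an assumption (7, the usual default domain policy) and should be set to whatever your own policy enforces; `net accounts /domain` reports it.

```powershell
# Added example (not from the original post): check a candidate password
# against the default Windows complexity rules before putting it into the
# AppParameters value. Minimum length is an assumption; take the real value
# from your domain policy ("net accounts /domain" shows it).

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName   = 'administrator',
        [int]   $MinimumLength = 7   # assumption: default domain policy, adjust to yours
    )
    $problems = @()

    if ($Password.Length -lt $MinimumLength) {
        $problems += "shorter than $MinimumLength characters"
    }

    # Complexity rule: the password must not contain the account name
    if ($AccountName.Length -ge 3 -and
        $Password.ToLower().Contains($AccountName.ToLower())) {
        $problems += "contains the account name '$AccountName'"
    }

    # Complexity rule: at least three of the five character classes
    $classes = 0
    if ($Password -cmatch '[A-Z]')            { $classes++ }   # upper case
    if ($Password -cmatch '[a-z]')            { $classes++ }   # lower case
    if ($Password -match  '[0-9]')            { $classes++ }   # digits
    if ($Password -match  '[^A-Za-z0-9\s]')   { $classes++ }   # symbols
    if ($Password -match  '[^\x00-\x7F]')     { $classes++ }   # non-ASCII letters
    if ($classes -lt 3) {
        $problems += "uses only $classes of the required 3 character classes"
    }

    # The value is run through "cmd.exe /k": a space ends the password
    # argument and & | < > ^ " % are interpreted by cmd.exe itself.
    if ($Password -match '[\s&|<>^"%]') {
        $problems += 'contains characters cmd.exe would interpret (space & | < > ^ " %)'
    }

    [pscustomobject]@{
        Password = $Password
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample inputs
Test-PasswordPolicy -Password 'password'         # fails: only one character class
Test-PasswordPolicy -Password 'Administrator1!'  # fails: contains the account name
Test-PasswordPolicy -Password 'Tr0ub4dor&3'      # fails: & would break the /k line
Test-PasswordPolicy -Password 'Recover-2013-Zx'  # ok
```

The cmd.exe check is the one the post’s warning hides: a password that satisfies the domain policy can still fail because the service runs it through a command line rather than a password dialog.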

Having done all that you simply reboot the machine and let it boot normally. As the OS boots, the service you have set up will run as a privileged user and execute the command you configured above. At the login prompt you should now be able to log in to your reset administrator account with the password you set up earlier!

Remember to disable the “ResetPassword” service and, as soon as you are happy, remove it entirely together with the C:\Unlock directory.
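The cleanup matters more than it looks: the AppParameters value holds the new administrator password in clear text in the registry, and a leftover service that starts as Local System with a command of your choosing is exactly the persistence pattern you would not want an intruder to find on a domain controller. The PowerShell below is an added example, not from the original post; it lists every service that runs SRVANY or carries a Parameters\Application value (the wrapper’s command target) so you can confirm nothing else is lurking, then disables and deletes the ResetPassword service, its registry key and the C:\Unlock directory. Service name and folder are the post’s own; it uses sc.exe for deletion because Remove-Service does not exist in the PowerShell shipped with 2003/2008.

```powershell
# Added example (not from the original post): audit a domain controller for
# SRVANY-style user-defined services, then remove the ResetPassword service
# and C:\Unlock folder described above. Run from an elevated prompt once you
# have regained access. Names are the post's; change them if you used others.

$ServiceName = 'ResetPassword'
$UnlockDir   = 'C:\Unlock'

function Find-SrvanyServices {
    # Walk every service key and flag the ones that run srvany.exe or carry
    # a Parameters\Application value, which is how SRVANY finds its target.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $svc       = $_
        $props     = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $imagePath = [string]$props.ImagePath
        $params    = Get-ItemProperty -Path ($svc.PSPath + '\Parameters') -ErrorAction SilentlyContinue
        $app       = if ($params) { [string]$params.Application }   else { $null }
        $appArgs   = if ($params) { [string]$params.AppParameters } else { $null }
        # Service type bit 0x100 = SERVICE_INTERACTIVE_PROCESS
        # ("Allow service to interact with desktop")
        $interactive = ($props.Type -band 0x100) -ne 0

        if ($imagePath -match 'srvany\.exe' -or $app) {
            [pscustomobject]@{
                Name        = $svc.PSChildName
                ImagePath   = $imagePath
                Application = $app
                AppParams   = $appArgs      # will show the clear-text password
                Interactive = $interactive
                Start       = $props.Start  # 2 = Automatic
            }
        }
    }
}

function Remove-UnlockService {
    param([string]$Name = $ServiceName, [string]$Dir = $UnlockDir)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
        Set-Service -Name $Name -StartupType Disabled
        # sc.exe delete works on 2003/2008; Remove-Service is PowerShell 6+ only
        & sc.exe delete $Name | Out-Null
    }

    # Deleting the service removes its key (and the Parameters subkey holding
    # the password), but be explicit in case the service was already gone.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    if (Test-Path $Dir) { Remove-Item -Path $Dir -Recurse -Force }
}

# Review what is there first, then clean up.
Find-SrvanyServices | Format-Table -AutoSize
Remove-UnlockService
Find-SrvanyServices   # should no longer list ResetPassword
```

The audit function is worth keeping and running periodically: on a domain controller there is normally no legitimate reason for any service to wrap cmd.exe through SRVANY, so any hit after cleanup deserves an explanation.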

Comments and feedback gratefully received via twitter (at top of page). Good luck!  

Sources:

www.petri.com (Reset Domain Admin Password)
Windows Troubleshooting
Microsoft (How to create a user defined service)