Administrator Rights Removed and Don't Have Password For Other Admin Accounts


  • Administrator Rights Removed and Don't Have Password For Other Admin Accounts

    We have gained a new client and taken control of a server from which the previous admin had removed administrator rights from the administrator group. Thus the administrator account cannot do what we need. There is another user account that we believe may have admin rights, but we're not sure.

    What utility should we use to change that user account's password?
    Is there a utility that we can use to re-grant administrative rights to the administrator's group?

    Forgot to add -
    This is a Win Server Small Business 2003 with Active Directory

    Thanks,
    GTG
    Last edited by GTG; 8th December 2006, 02:06.

  • #2
    Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

    If your domain administrator account has been removed from the "Domain Admins" group, he still has rights to add members to the Domain Admins group. I seriously doubt that anyone unprofessional enough to have done this would have covered all the angles. So - log in as the original "Administrator" account in the domain, and simply add yourself back into the "Domain Admins" group.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you


    • #3
      Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

      From what we can see, this is what he did -
      He renamed the Administrator account to ASD, then created a new Administrator account that has no administrative privileges. He then remotely logged in as ASD and disabled the ASD account.

      Is there a way to somehow enable an account and change its password if you have no administrator privileges?

      He also disabled some services from starting by changing their startup to manual and with no administrator account functioning, we can't reenable those services and get their database to run.

      Thanks,
      GTG


      • #4
        Some things to try...

        First off,

        Go here and look at the free tools (again).

        http://petri.com/forgot_administrator_password.htm#1

        The first tool mentioned is good to use because it generates an UPLOAD.TXT file with all the local accounts listed, so you can see what you have to work with.

        The second tool, the LINUX CD password reset utility, will also non-intrusively tell you what accounts are on the local server and their enabled status. The intrusive part is that it will allow you to enable a user AND reset the password too, so at that point it would write to the drive.

        The third choice is BARTPE with the SAMInside plug-in, plus SCSI and network card plug-ins, on a bootable CD. (I have not had any luck getting the USB plug-in going, and time is usually of the essence in these issues, so I took a pass last week on making my own USB plug-in. It's on my TO-DO list, honest!)

        Create the CD on R/W media (this can take time to tweak and get right), boot the server with the CD in the tray to a "lite" version of XP which runs from the ISO on the CD, and using SAMInside, view the SAM of the server and dump it to a file on a diskette called PWDUMP. It is a text file of all the local accounts with their hashes (read: encoded passwords) in an import-friendly format.

        Take this A: diskette over to your computer. Install LMCrack from the internet. Import the PWDUMP file into LMCrack. It is supposed to crack a hash within 60 seconds w/o any additional configuration needed.

        Cain and Abel is another cracking program. Passwords Pro is yet another cracking program. Both require dictionary or rainbowcrack DB downloads and additional configuring to get going.

        Hope this helps!
        StillAsleep Stacy
        It's not what you know, it's who's on your IM list.


        • #5
          More on SBS

          I worked the SBS group at M$ for awhile.


          Do you have another server in your domain (member server) that you can access locally, or is the SBS being the all-in-one box?

          StillAsleep Stacy


          • #6
            Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

            Originally posted by GTG:
            From what we can see, this is what he did -
            He renamed the Administrator account to ASD, then created a new Administrator account that has no administrative privileges. He then remotely logged in as ASD and disabled the ASD account.

            Is there a way to somehow enable an account and change its password if you have no administrator privileges?

            If you can come in as SYSTEM. Unfortunately, the alt-logon (logon.scr) trick doesn't work anymore.

            Unless some cracking SW will enable a disabled account, no amount of password cracking will fix this problem if there is no way to logon to a disabled "ASD" regardless of knowing the password and there are no other admin accounts.

            So how to come in as SYSTEM with a minimal amount of disruption to the existing setup?

            Possibly the "Repair" approach (w/ Shift-F10 ???) will do this -- I just don't know as I haven't tried it personally. Also, this is not a low impact solution:

            Originally posted by arberibrahimi:
            Instead of using recovery console, try Windows repair. If Windows XP installation finds your existing crashed XP, use Windows repair.

            Windows repair most of the time saves your documents and only repairs errors.

            Here is a link that can help in this case:
            http://www.michaelstevenstech.com/XPrepairinstall.htm

            Tell me if this was helpful.

            Originally posted by rvalstar:
            If you just do the repair without the Shift-F10, doesn't it reset the SAM anyway and ask you for a new Administrator password?

            If not (been a while since I did a repair), here's a nice link to a recipe for this Shift-F10 approach:

            http://pubs.logicalexpressions.com/p...cle.asp?ID=305

            As always, no express or implied warranty nor any recommendation to pursue this approach.

            The only other way I know to get a CMD box as a fully privileged SYSTEM is to add or hijack a service. If you can write to the registry on the non-admin Administrator account, modifying the SRVANY trick here:

            http://www.petri.com/reset_domain_ad...er_2003_ad.htm

            may work and allow you to spawn a copy of USRMGR or ??? so you can enable ADM.

            If you can't write to the registry but can find an existing non-critical service (VPN, AV, etc.) that autostarts and you can rename the EXE, I have a VS.NET service you can drop in place that will do the equivalent of the alt logon trick and allow you to run USRMGR, etc.

            Just a thought.
            Cheers,

            Rick

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.


            • #7
              Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

              Originally posted by rvalstar:
              The only other way I know to get a CMD box as a fully privileged SYSTEM is to add or hijack a service. If you can write to the registry on the non-admin Administrator account, modifying the SRVANY trick here:

              http://www.petri.com/reset_domain_ad...er_2003_ad.htm

              may work and allow you to spawn a copy of USRMGR or ??? so you can enable ADM.

              If you can't write to the registry but can find an existing non-critical service (VPN, AV, etc.) that autostarts and you can rename the EXE, I have a VS.NET service you can drop in place that will do the equivalent of the alt logon trick and allow you to run USRMGR, etc.

              Just a thought.

              Rick, I owe you a huge thanks.

              I tried the logon.scr method on my Win2K Server box before I learned that the hole had been "fixed", and (not surprisingly) it didn't work. Then I came across your above suggestion, gave it a shot, and I was able to successfully reset my domain admin password and regain access to the box (followed by muffled cheers and a quiet 'happy dance' due to the late hour and the fact my wife was already asleep down the hall...)

              I'll break it down into rough steps, in case others might find this useful--but first, a disclaimer: I am not a server guru, just a hack that likes tinkering with things on my own. Follow my directions at your own risk, and certainly heed any warnings/suggestions as provided by those on this forum that are certainly more knowledgeable than myself!

              Here it is:
              1. Follow the directions for the 'logon.scr' trick to replace logon.scr with a renamed copy of cmd.exe. In my case, I had mounted the HD on another computer as a slave so I could extract (backup) data files, so I made the change there. There are numerous other ways to accomplish this, though.
              2. I rebooted the computer and waited for the logon screensaver to pop up a cmd window. From the root path, I ran 'mmc services.msc' to determine which services were automatically loaded and identify a non-essential service to hijack. This computer was set up with NAV, so that seemed to be the easiest target.
              3. From the cmd prompt, I ran regedit and navigated to 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services', then located the particular service I wanted to hijack. In my case, it was named 'NAV Auto-Protect'. I then exported this key to a temp folder for backup to be restored at a later point.
              4. From here, I pretty much followed the instructions on Daniel's W2K3 page. I say "pretty much" because I redirected ImagePath to srvany.exe and then added the two parameters that Daniel listed (Application set to cmd.exe and add AppParameters to change the domain password). This worked out fine, but there may be a more direct way to do this (i.e. point ImagePath directly to cmd.exe?). I also modified the DisplayName as a double-check for the next step...
              5. From the services.msc window, I opened the properties window on the service I was editing and verified that the newly changed properties appeared for the NAV service (modified DisplayName and ImagePath). This was just my way of confirming that I was a) changing the correct service, and b) that the changes were in fact 'accepted'.
              6. I then restarted the computer, waited for the services to start, and logged in with the password entered in step 4.
              7. Celebration commenced here.
              8. You're not done yet! Don't forget to replace the renamed logon.scr (actually cmd.exe) with the original (backup) version that you saved in step 1, and then restore your registry entries by importing the backup you made in step 3. To be thorough, delete the Parameters key as well. Reboot and make sure the original service starts up correctly.


              Hope that someone finds this useful!


              Erik
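              Added example (not from the thread or any poster): a defender's audit over the kind of registry export Erik makes in step 3. It parses a regedit .reg dump of the Services key and flags any service whose ImagePath, or whose Parameters\Application (the srvany pattern), points at srvany.exe or cmd.exe instead of a real service binary, which is what step 8 should have left no trace of. The service name NavAP, the paths and the .reg text are constructed sample data.

```python
# Audit a regedit export of the Services key for the srvany/cmd.exe hijack pattern in the thread.
# SAMPLE_REG is constructed; real exports store REG_EXPAND_SZ values (e.g. ImagePath) as hex(2): UTF-16LE.
import re
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,\
  6d,00,33,00,32,00,5c,00,73,00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NavAP]
"DisplayName"="NAV Auto-Protect"
"ImagePath"="C:\\temp\\srvany.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NavAP\Parameters]
"Application"="C:\\WINDOWS\\system32\\cmd.exe"
'''
SERVICES_ROOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
GENERIC_HOSTS = {'srvany.exe', 'cmd.exe', 'command.com'}  # generic hosts/shells, not service binaries

def decode_value(raw):
    """Decode a .reg value: REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...); other types kept raw."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    return raw

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    text = re.sub(r',\\\r?\n\s*', ',', text)  # join hex lines continued with a trailing backslash
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            keys[(current := line[1:-1])] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition('=')
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

def exe_name(cmd):  # lowercased executable basename of an ImagePath/Application command line
    head = (cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]) if cmd.strip() else ''
    return head.rsplit('\\', 1)[-1].lower()

def find_hijacked_services(reg_text):
    """Map service -> reasons where ImagePath or Parameters\\Application runs a generic host/shell."""
    keys, findings = parse_reg(reg_text), {}
    for path, values in keys.items():
        if not path.startswith(SERVICES_ROOT + '\\') or '\\' in (svc := path[len(SERVICES_ROOT) + 1:]):
            continue  # top-level service keys only; the Parameters subkey is read via its parent
        for label, cmd in (('ImagePath', values.get('ImagePath', '')),
                           ('Parameters\\Application', keys.get(path + '\\Parameters', {}).get('Application', ''))):
            if (exe := exe_name(str(cmd))) in GENERIC_HOSTS:
                findings.setdefault(svc, []).append(f'{label} runs {exe}')
    return findings
```

Run it against an export taken after the recovery and again against one taken on a clean reference box; the Spooler entry decodes normally and only NavAP is reported.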


              • #8
                Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

                I'm glad it worked out.

                You are now a member of a rather elite club that has successfully commandeered a box without cracking a password.

                Bravo.
                Cheers,

                Rick



                • #9
                  Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

                  Originally posted by rvalstar:

                  Possibly the "Repair" approach (w/ Shift-F10 ???) will do this -- I just don't know as I haven't tried it personally. Also, this is not a low impact solution:


                  Hi, learning a lot from your messages. I tried this, following your link, but the installation wouldn't start without a password. So I did not get to the bit where Shift+F10 is used.

                  Can I press shift+F10 at some other stage? e.g. when it is copying files?


                  • #10
                    Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

                    Originally posted by kachiri:
                    Hi, learning a lot from your messages. I tried this, following your link, but the installation wouldn't start without a password. So I did not get to the bit where Shift+F10 is used.

                    Can I press Shift+F10 at some other stage? e.g. when it is copying files?

                    So where exactly in the process here did you get the request for a password?:

                    http://pubs.logicalexpressions.com/p...cle.asp?ID=305

                    Please provide the step # and any other detail you may have. Also, what OS and what CD are you using?

                    I have successfully done this (recently) w/ a W2K Pro SP1 CD. Still waiting to schedule time w/ another friend to do the same operation w/ Windows XP Media Edition.
                    Cheers,

                    Rick



                    • #11
                      Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

                      After booting up from the recovery CD, first there is a choice to press 'R' for repair. I did not choose this, and chose, as instructed, to install Windows. Everything went as expected... it started copying files etc. and then I was waiting for the installation bit, as described in the link. But just before starting to install, it asked for a password. I tried two passwords - one blank, because I have reset to remove passwords, and one the original password that I used to use as administrator. It wouldn't accept them though and I had to switch off to get out.


                      • #12
                        Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

                        I am using XP Home, updated with SP2 etc., and the CD is the original SP1 CD.


                        • #13
                          Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

                          Is this CD a Windows XP Home installation CD or some kind of "recovery CD"?

                          What is the complete title on the CD?
                          Cheers,

                          Rick



                          • #14
                            Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

                            It is a Fujitsu Siemens Product Recovery CD Windows XP Home SP1 supplied for an Amilo laptop.


                            • #15
                              Re: Administrator Rights Removed and Don't Have Password For Other Admin Accounts

                              Originally posted by kachiri:
                              It is a Fujitsu Siemens Product Recovery CD Windows XP Home SP1 supplied for an Amilo laptop.

                              I'm wondering how this may differ from a standard WXP installation CD. What instructions does Fujitsu give on using this disk to recover the system?
                              Cheers,

                              Rick

