Win2003 Domain Controller lost Local Admin & Domain Admin pwds

  • Win2003 Domain Controller lost Local Admin & Domain Admin pwds

    I think I tried everything I could find; the website is a great source of information. But to recap:

    System is a Windows Server 2003 which is a Domain Controller (so has AD enabled). I have not been able to recover either the Local Administrator or the Domain Administrator passwords. I believe the system to have been kept fully patched (so maybe some holes were closed by Microsoft updates since 2003 RTM + SP1 + Windows updates, which may stop some of the methods from working?).

    The logon screen does not show a "NODENAME (This computer)"; it only shows one entry in the drop-down list, which is that of the domain name. With careful use of mouse and keyboard it is possible to make the Domain drop-down display a blank value, but trying to log in while this is the case makes no difference. This lack of "This computer": is this normal? (Note: I just looked at a few Win2000 servers with AD and they also only list their own domain in the drop-down, so I guess that's normal.)

    I have tried the following techniques.

    1) I have run Petter Nordahl-Hagen's Linux-based SAM/regedit. I have tried with a specified password and also with the "*" blank password option, rebooting each time to test. I have also picked the "Guest" account and unlocked it, set password never expires and set a specified password (and also "*" blank password). When I reboot, the logon still indicates the Guest account is not activated. There were no errors reported by the Linux NTFS writing operations.

    I have also tried the same CD to modify the recovery console passwords to disable the need for an admin password from the system recovery console. However again no errors reported by the Linux NTFS write operation but the recovery console still asks for a password.

    It is as if this tool does not do anything. Version 13/02/2006.

    2) Booted from BartPE, using the overwrite LOGON.SCR with CMD.EXE hack. Then rebooting into Win2003 and waiting 10 to 15 minutes, I get a CMD.EXE. While booted on Win2003 I have tried to hijack a Windows service EXE but found I did not have sufficient permissions to modify either the registry or the "C:\Program Files\..." area. So I rebooted into BartPE and was able to overwrite the EXE file to make those changes, but I was unsuccessful in my first attempt with this. I think this may be because I renamed the FIXPASSWORD.CMD (aka resetpass.cmd) to HIJACKEDAPP.EXE, and maybe I need to rethink that approach as I don't think Windows uses magic numbers to detect a .CMD from a .EXE. This leads into the next point.

    3) I added "insidepro" to BartPE but the option from the menu when booted is greyed out, even though when building the ISO BartPE's builder did not indicate any errors. I have not researched this situation much more than seeing it was not available for me to use anyway.

    With "insidepro" the add-on claims to allow me to edit the registry; I'm thinking this would have allowed me to change the path of the hijacked service in CurrentControlSet\Services\HijackedApp\... to point to a .CMD file.

    4) [Duh... Forgot to add this in my first edit of this post] I have been using F8 Directory Services Restore Mode on bootup to try to gain Local Administrator access. When DSRM boots up it does a chkdsk; if it finds the filesystem unclean it forces a reboot. Going into the DSRM option with cleanly unmounted filesystems gets me to a standard Windows login screen with only Username/Password boxes (no domain). I am unable to log in from this. I am expecting this to be the "Local Administrator" login, which I was thinking all the offline password reset tools would be able to deal with. Can anyone confirm that they have first-hand experience with the same setup in gaining login from DSRM?

    5) Purposely Recite And Yearn In Noble Guise; however, I didn't observe any guidance from a higher force while doing so.

    Maybe I could try the registry editor from Petter Nordahl-Hagen's Linux disc to change something, then use the LOGON.SCR hack to run REGEDIT to confirm the change was really committed, before I discount PNH's disc as just not working in any confirmable way.

    I am a systems developer. While this situation has been interesting and has helped me understand more about these matters, does anyone happen to know of a definitive technical reference which explains exactly how the Windows platform's local and AD account management keeps its records on disk, and the differences between the various generations of server platform (NT/2000/2003)?
    Last edited by OdinTrisk; 7th January 2007, 19:20.

  • #2
    Re: Win2003 Domain Controller lost Local Admin & Domain Admin pwds

    In understanding more about SRVANY.EXE and INSTSRV.EXE, I think my renaming of .CMD into .EXE was doomed to failure. I think I need to modify the registry:

    CD "C:\TEMP\Domain Controller Password Reset"
    MOVE *.* ..
    CD ..
    RMDIR "Domain Controller Password Reset"

    Then edit the registry using an offline editor:

    HKLM\SYSTEM\CurrentControlSet\Services\Hijacked\ImagePath="%SystemRoot%\system32\cmd.exe /c %SystemDrive%\\Temp\\change-admin-passwd.cmd" [REG_EXPAND_SZ]

    So what tool, run from BartPE, allows editing of the registry?

    There is also discussion in a recent thread about needing to add a SLEEP delay of maybe 2 minutes to ensure that the rest of the infrastructure is started and running before issuing the "NET USER ..." command. I suppose I can create a SLEEP.EXE in Microsoft Visual Studio and call it early on in "change-admin-passwd.cmd".
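    The service hijack discussed in posts #1 and #2 leaves a very recognisable trace: a service whose ImagePath runs cmd.exe /c against a script, wraps a script with SRVANY, or points at a binary under a Temp directory. The script below is an added example (not code from this thread or from any of the tools named in it) that a domain admin or incident responder could run over a `reg export HKLM\SYSTEM\CurrentControlSet\Services` file to find such entries after a machine has been booted offline. The .reg text, service names and paths in SAMPLE_REG are constructed; the decoding of REG_EXPAND_SZ as `hex(2):` UTF-16LE follows the standard .reg export format.

```python
"""Audit service ImagePath values from a .reg export of the Services key.

Added example, not part of the forum thread. Flags ImagePath values that match
the hijack pattern discussed above: cmd.exe /c wrapping a script, a script
registered as a service, a SRVANY wrapper, or a binary under a Temp directory.
"""
import re

# Constructed sample of a .reg export. 'Hijacked' mirrors the ImagePath written
# in post #2; 'UpdSvc' shows the hex(2) (REG_EXPAND_SZ) encoding real exports
# use, wrapped across two lines as regedit writes it: C:\Temp\svc.exe
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hijacked]
"ImagePath"="%SystemRoot%\\system32\\cmd.exe /c %SystemDrive%\\Temp\\change-admin-passwd.cmd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdSvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,73,00,76,\
  00,63,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wrapped]
"ImagePath"="C:\\Tools\\srvany.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wrapped\Parameters]
"Application"="C:\\Tools\\reset.cmd"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Only direct children of ...\Services\ are services; Parameters subkeys are skipped.
SERVICES_KEY_RE = re.compile(
    r'^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$',
    re.I)

# (tag, pattern) pairs describing what the thread's hijack would look like on disk.
SUSPICIOUS = [
    ('cmd-wrapper', re.compile(r'\bcmd(?:\.exe)?\b\s+/[ck]\b', re.I)),
    ('script-as-service', re.compile(r'\.(?:cmd|bat|vbs|ps1)\b', re.I)),
    ('srvany-wrapper', re.compile(r'\bsrvany(?:\.exe)?\b', re.I)),
    ('temp-location', re.compile(r'\\temp\\|%temp%', re.I)),
]


def _decode_value(raw):
    """Decode a .reg value: quoted REG_SZ or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r'^hex\(2\):(.*)$', raw)
    if m:
        data = bytes(int(h, 16) for h in m.group(1).split(',') if h.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    return raw


def parse_service_image_paths(reg_text):
    """Return {service_name: decoded ImagePath} for every service in the export."""
    # regedit wraps long hex values with a trailing ',\' and indents the rest.
    joined = re.sub(r',\\\r?\n\s*', ',', reg_text)
    image_paths = {}
    current = None
    for raw_line in joined.splitlines():
        line = raw_line.strip()
        key = KEY_RE.match(line)
        if key:
            svc = SERVICES_KEY_RE.match(key.group(1))
            current = svc.group(1) if svc else None
            continue
        if current is None:
            continue
        val = VALUE_RE.match(line)
        if val and val.group(1).lower() == 'imagepath':
            image_paths[current] = _decode_value(val.group(2))
    return image_paths


def audit_services(image_paths):
    """Return [(service, image_path, [tags])] for every ImagePath that looks hijacked."""
    findings = []
    for name, path in sorted(image_paths.items()):
        tags = [tag for tag, rx in SUSPICIOUS if rx.search(path)]
        if tags:
            findings.append((name, path, tags))
    return findings


if __name__ == '__main__':
    for name, path, tags in audit_services(parse_service_image_paths(SAMPLE_REG)):
        print(f'{name}: {path}  <- {", ".join(tags)}')
```

    On a live system the same export is produced by `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; compare the flagged entries against the set of services the machine is known to run, since the Spooler-style entries are the normal case and anything wrapping cmd.exe or living in Temp warrants a look at who wrote it and when.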



    • #3
      Re: Win2003 Domain Controller lost Local Admin & Domain Admin pwds

      You are searching the forums and that is good.

      Sleep.exe comes w/ the W2K Resource Kit. Looks like it also comes w/ the W2K3 Resource Kit:

      Sleep.exe appeared to help when working with a domain workstation. I don't believe the DC will have the same issues.

      The LOGON.SCR trick stopped working long ago:

      I'm going to tell you if you can get the INSTSRV / SRVANY bit to run, you'll be able to get control as you'll come in as a fully privileged SYSTEM session. Or if you can find a service to hijack and have the ability to write your own, that'll work too.

      So if you can edit that registry to get SRVANY in there, look at the following links and you may be able to piece it together:

      I prefer getting a CMD box to pop up. I'm thinking having SRVANY launch a "SOON 120 /INTERACTIVE CMD" (vs. AT) may be the ticket.

      Do let me know how it goes and if you need any more help.


      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.