No announcement yet.

windows 2003 server pw reset - knowledgebase error?

  • Filter
  • Time
  • Show
Clear All
new posts

  • windows 2003 server pw reset - knowledgebase error?

    Hi I have a 2003 R2 server I would like to reset the Domain Admin password on. I thought I would try the procedure at but am having issues with step 1 which states that I should logon as Local Adminstrator. Now I happen to know that the Local Admin password is not the same as the DSRM password, and when booting up into DSRM attempts to logon with the local admin password fail, only the dsrm password will work.

    Am I doing something wrong/is there a difference in 2003 R2 from the article, or is the article outdated!?

    Secondly assuming I can only run the tools mentioned in the article to reset the Domain Admin password, how could this be done if I dont have the DSRM password for instance?
    Last edited by dominicryan; 20th August 2009, 16:37.

  • #2
    Re: windows 2003 server pw reset - knowledgebase error?

    Have a look at the attached file. I have done this before on a DC. Took me around 4 hours or so but got there in the end.
    Attached Files


    • #3
      Re: windows 2003 server pw reset - knowledgebase error?

      Hi Dominic,

      The local admin password on a 2003 DC is indeed the AD restore password. This is what is being setup when you do a DCPromo. When in the DSRM, you are running the same copy of 2003 without the directory services running. That's all. There is no other local admin password, as when AD is running, the administrator password is an AD account, not a local one. In fact, with AD running, you cannot access ANY local accounts. Even the SYSTEM account is a AD computer object account.

      All methods that reset admin passwords without AD running will reset the DSRM password.

      If you have access via the DSRM password, then you can simply try this.

      At the desktop, run gpedit.msc. This brings up the local group policy editor.
      Add a startup script to this policy that runs the "NET USER ADMINISTRATOR {newpassword}" in a .cmd file.
      Reboot into AD.
      The site, domain and then the OU GPO's run, but also this new local policy runs. The cmd resets the administrator password during startup. As AD is now running, it is the domain admin password that gets reset. Now logon with the new password.

      This works on 2000, 2003 (and R2). I have not yet checked it on 2008. It is much easier that installing services via srvany or with screensavers (no offence meant to the writers or users of this method....I just like easy).

      Once done, simply run gpedit.msc again and delete the startup script.

      If you can't logon via DSRM, then, sorry, this won't help. The procedures outlined on the pasword reset pages do work, or you can look for a linux boot disk that resets them fine for 2000 and 2003. I have not tried with R2 or 2008.

      Hope this helps.

      Last edited by FillDee; 20th August 2009, 20:52. Reason: Smelling mistakes.......:)


      • #4
        Re: windows 2003 server pw reset - knowledgebase error?

        Thanks guys, my issue is that in a test environment I have built a 2003 r2 server with password1, then installed AD with a dsrm password2, and then afterwards reset the Domain Admin password to password3. Now starting up in DSRM I can only logon with password2 none of the other password work. This is only theoretical at the moment as my customer problably has lost the DSRM password and local password too!


        • #5
          Re: windows 2003 server pw reset - knowledgebase error?

          I'm not sure what you are expecting, but this is normal behaviour
          The DSRM password is nothing to do with the Domain Admin password, so changing the Administrator pass doesnt affect DSRM
          IIRC you can use NTDSUTIL to change the DSRM password
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd

          ** Remember to give credit where credit is due and leave reputation points where appropriate **


          • #6
            Re: windows 2003 server pw reset - knowledgebase error?

            Fortunatly the original issue is now resolved after finding a DC that was still logged in.

            However I'm still somwhat concerned that despite following the reset guides to the letter, i still have a virtual server that has a different DSRM password from the local password!


            • #7
              Re: windows 2003 server pw reset - knowledgebase error?

              As has been pointed out, there are no local user accounts on a DC, so there is no local administrator. And as has also been pointed out, the DSRM password is not the same as either the domain admin password created during dcpromo, or the password that was being used by the local Administrator account before the server became a DC.

              What you are seeing is to be expected.
              Gareth Howells

              BSc (Hons), MBCS, MCP, MCDST, ICCE

              Any advice is given in good faith and without warranty.

              Please give reputation points if somebody has helped you.

              "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

              "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.