No announcement yet.

Windows 2003 - recover password

  • Filter
  • Time
  • Show
Clear All
new posts

  • Windows 2003 - recover password

    It doesn't work because ......

    In my testing I've found the cmd shell that you get in W2k3 when you perform the registry change which modifies the default screensaver to cmd.exe runs in the context of the "LOCAL SERVICE"
    account. In previous versions of NT4/2000 the screensaver (the cmd.exe
    shell) would run as the SYSTEM account.

    The "LOCAL SERVICE" account doesn't have the necessary permissions to use
    the described techniques to change the Domain Admins password (I used the
    default Administrator account in my testing).

    I'm all for security, but this seems like a potential nightmare. Physical
    security is really the issue at hand here. All Unix system can be broken
    into with a bootable system CD-ROM. I personally see a need for having the
    ability to recover from a situation where all passwords are compromised
    without having to resort to restoring the entire AD from backup.

    Has anyone else tried this? Has anyone succeeded?



  • #2
    Well.... you can run but you can't hide

    1) You need a valid AD account that can logon to the DC. It does not have to be Domain Admin. Lets call that mortal account MYDOM\Antid0t

    2) Logon in Directory Restore Mode and navigate to
    HKLM\Software\Mocrosoft\CurrentControlSet\Windows\ RunOnce

    3) Add a new value:
    Type: String (REG_SZ)
    Name: MightyCMD
    Data: at 17:51 /INTERACTIVE cmd.exe
    You will have to adjust the time (make sure you leave yourself enough time to reboot and logon)

    4) Reboot normally and logon with MYDOM\Antid0t

    5) Wait till the hour you specified at the registry.

    6) See command shell popup

    7) Type "whoami" at the prompt...

    8 ) You should be NT AUTHORITY\SYSTEM

    9) Continue according to Daniel's instructions...

    The reason 2 new account have been introduced in 2003 is that Local System Account has way too many power over the system and the system could be compromised by exploiting almost any system service. The Microsoft's solution was to introduce 2 less powerfull accounts (Local Service and Network Service) and make some services run in the context of those accounts instead of LSA...

    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Your idea is very interesting and possibly a valid method (I haven't tested it yet). Here are the problems that I see:

      The problem with this is that "You need to have a valid Domain Account which can log on to the DC".

      If the AD infrastructure is properly secured, the only users who can log on to a DC are the Domain Admins.

      By default Windows 2003 DC's only allow the following users to log on locally:

      Account Operators
      Backup Operators
      Print Operators
      Server Operators

      So at a bare minimum you'd need to be in one of these groups. The Windows Server 2003 Security Guide recommends the following for log on locally

      Backup Operators
      Power Users

      Other higher security recommendations suggest only these users be allowed to log on locally

      Backup Operators

      My quest is to try and find a way to do this is ALL the users who are allowed to log on to a DC locally are loced out for some reason or another.

      Thanks for the reply!!



      • #4
        I know.. I know...

        I have another idea I am going to check... Will keep you posted.

        I will try to install a new service which will spawn a cmd non-interactive shell, which will run a batch file, which will try to change the domain admin password in LSA context
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"


        • #5
          OK here we go...

          Bottom line: IT WORKS !!!

          1) Grab instsrv.exe and srvany.exe from
          2) Boot into Directory Restore Mode and copy the 2 files to c:\
          3) From the prompt run:
          instsrv pwdReset c:\srvany.exe
          4) import the following into the registry:
          Windows Registry Editor Version 5.00
          "Application"="c:\\windows\\system32\\cmd.exe /c c:\\cmd.bat"
          5) Create c:\cmd.bat that contains the following line:
          net user administrator Windows2003 /domain
          6) Goto Services snapin and make sure the new service (pwdReset) is set to startup at boot time.

          7) Reboot normally.
          8 ) Logon with
          user: Administrator
          password: Windows2003

          Things to watch out: the tool I used to install the service is pretty old and although it can be used to install the service, it will fail to remove it. The easiest way to remove the service is to delete it from the registry by removing the following keys:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\pwdReset
          (you will have to change permissions on the keys to be able to delete those)

          Just tested it on a brand new W2K3 domain and it works !!! Pretty intrusive, but does the job

          - me for coming up with idea to do the password change by utilizing a service and digging up the proper app from the web.

          - my buddy ezaton for suggesting to do the password change throught a batch script.

          - Google: for being so damn good with coming up with the right tool for the job.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"


          • #6
            Excellent solution (the second one with the installed service) !!! Successfully tested.

            Many Kudos to you

            One question that I have regarding the first solution which I could not get to work. How were you able to schedule a task as a normal user? When making the registry entry for the at job and logging on as the user I got no command prompt at the scheduled time. While logged in as the user I launched a command prompt and typed both the AT command and the SCHTASKS command and got access denied to both.

            I even changed the permissions on AT.EXE to Everyone=Full and still got the error message.

            I believe that the ability to schedule tasks as a normal user is restricted via user rights.

            Were you actually able to do what you described, or was this just theory at the time you wrote it? If you were able to get it to work ... how?




            • #7
              When I think about it...

              Actually you are correct about the first one.
              I was to lazy to reboot...

              The right to submit scheduled jobs defaults (if I am not mistaken) to Administrators, Server Operators and Backup Operators.
              At first I assumed that RunOnce will run in LSA context.
              WRONG ! it runs in logged on user context and I was able to submit the AT job because I logged in as a domain admin.
              BUT, you can still use CACLS utility and change the permissions on c:\winnt\Tasks folder to enable any user you want to submit scheduled tasks (as long as you are local Administrator). Does not help in the current situation, so you can disregard this approach (though might work if you run CACLS from Directory Restore Mode and later logon as mortal domain user)

              The second solution I actually tested more thoroughly and I am glad it worked for you too.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"


              • #8
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2


                • #9
                  Soon to become an article! Great work folks! This should be used as an example for all of us.

                  Daniel Petri
                  Microsoft Most Valuable Professional - Active Directory Directory Services
                  MCSA/E, MCTS, MCITP, MCT


                  • #10
                    reset admin password for AD on windows 2003 server - failed

                    Hi guys,

                    thanks a lot for your very ingenious thoughts - however it's not working.
                    Was changing account policies and implementing more severe password policies on a windows 2003 server SBE, but as a result locked myself out - the AD domain administrator password is not accepted anymore.
                    Logged into restore mode and followed your procedure, but without success - any suggestion?
                    thanks in advance for your help



                    • #11
                      Technical Consultant

                      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                      "No matter how secure, there is always the human factor."

                      "Enjoy life today, tomorrow may never come."
                      "If you're going through hell, keep going. ~Winston Churchill"


                      • #12
                        What are the changes you did in the GPO ?
                        What are the error messages you get ?
                        What does the event log say ?
                        Guy Teverovsky
                        "Smith & Wesson - the original point and click interface"


                        • #13
                          What if the student user has changed the administrator account name to something eles. Can you substitute the new account name in the previous solution?

                          THE BEAR


                          • #14
                            Originally posted by larrypatrickjohnson
                            What if the student user has changed the administrator account name to something eles. Can you substitute the new account name in the previous solution?
                            Yes. And if you have read the thread you will see that all you need to do is to substitute the account name in the batch file:
                            net user administrator Windows2003 /domain
                            P.S.: please start a new topic - there is no need to kludge this thread.
                            Guy Teverovsky
                            "Smith & Wesson - the original point and click interface"