Locked out of 2008 domain


  • Locked out of 2008 domain

    I just finished reading the article on this site titled:

    Forgot the Administrator’s Password? – Change Domain Admin Password in Windows Server 2003 AD

    I ended up here because I made one of the quintessential bonehead moves. Once I realized my AD user account had been locked out (only account in the Domain Admins group), I realized I was screwed because I had previously disabled the Domain Administrator account. Having no other user accounts in the Domain Admins group and our default domain policy requiring an admin to unlock your account... well, you get it.

    I guess what I'm getting at is, this article describes how to potentially reset the Domain administrator's password, but what I need to do is simply find a way to enable our Domain administrator account so that I can log on as the Domain admin and unlock my personal user account. If the process described in the article enables this account in the process... fantastic! If not, is anyone aware of any other ways to achieve my goal?

    We are running a Windows Server 2008 domain with two 2008 DCs, one 2008 file server, and one 2003 SQL server. I am currently still able to log into my workstation with cached credentials, but obviously cannot remote into any of our 2008 servers. Oddly enough I am able to log into our one 2003 server? Also, I did still have rights to access our network drives until I ran the command: net user administrator /active:yes /domain. Unfortunately, the DC detected that as a threat and I am no longer able to access any network resources. The other users on the network have been working without interruption (seems that I just shot myself in the foot... well, and anyone who would like to administer our domain).

    I'm just hoping there's a way to remedy this without having to nuke Active Directory, rejoin all my machines, and reconfigure rights and permissions. I just wanted to get this post out there while I tried the procedure described in the article above.

    Thanks for your time. I appreciate all your efforts.

    Regards,
    Mike

  • #2
    Re: Locked out of 2008 domain

    OK, it looks like the process I posted a link to above did not do the job. After resetting the local admin password with a boot disk, the reset didn't appear to have worked. I tried several times to log in through safe mode, but with no luck. Finally I attempted logging in via Directory Services Restore Mode using the newly reset (blank) password and was successful. From there I followed the remainder of the procedure (regedits, service configs...) in an attempt to reset the Domain administrator password. After completing the procedure, rebooting and starting Windows normally, I was not able to log in as the domain admin with the new password. I received the message "Your account has been disabled....". So now I'm still up the creek. If anyone has any ideas or suggestions, please post. Any help is greatly appreciated.


    Regards,
    Mike


    • #3
      Re: Locked out of 2008 domain

      Get a better boot disk :P

      My BART disk allows me to reset a password, enable/disable an account, delete or create an account. I made this disk like 3 years ago, so I sadly cannot tell you the application that I picked (it's just called AD admin reset).

      Failing that, you should be able to get a backup of the server, reload and set AD backup, then back up your AD. Then restore your first backup, then do an AD restore. Then you have to stuff around with the GUIDs and such.

      At this point I would get a notepad and make a Pro and Con column, with "Starting from dot" at the top, then list the amount of problems this is making compared to the number of problems a server reinstall would cause.

      Wofen
      Good to be back....


      • #4
        Re: Locked out of 2008 domain

        I think I'm up the creek on this one. Does anyone know the best procedure for taking down AD, reinstalling Windows on my DCs and rebuilding my network?


        • #5
          Re: Locked out of 2008 domain

          On a whim I gave the process included in my first post another attempt. Before starting I decided to read through the whole document once over just to make sure I was following the steps correctly... and then it dawned on me that the registry entry being added was intended to reset the domain admin password. This whole time I was hoping that this would change and enable the account at the same time. I changed the registry value to "net user administrator /active:yes /domain" and presto! The procedure worked perfectly. I can't believe that this didn't occur to me earlier. Glad I gave it one more go. Cheers!!!

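The lockout in this thread came from three conditions holding at once: a single usable Domain Admins account, a disabled built-in Administrator, and a lockout policy that needs an administrator to unlock accounts. The PowerShell below is an added example, not part of the original thread, that audits a domain for that combination. It assumes the ActiveDirectory module (RSAT) and a domain controller reachable through Active Directory Web Services; the function name `Test-AdminLockoutRisk` is hypothetical.

```powershell
# Added example: audit for the admin-lockout condition described in the thread.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-AdminLockoutRisk {
    $domain    = Get-ADDomain
    $policy    = Get-ADDefaultDomainPasswordPolicy
    $domainSid = $domain.DomainSID.Value

    # The built-in Administrator always has RID 500, even if it was renamed.
    $builtin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LockedOut

    # Domain Admins is RID 512; -Recursive flattens nested groups to their members.
    $admins = Get-ADGroupMember -Identity "$domainSid-512" -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.SID -Properties Enabled, LockedOut }

    # Accounts that could actually log on and unlock someone else right now.
    $usable = @($admins | Where-Object { $_.Enabled -and -not $_.LockedOut })

    $findings = @()
    if (-not $builtin.Enabled) {
        $findings += "Built-in Administrator ($($builtin.SamAccountName)) is disabled."
    }
    if ($usable.Count -lt 2) {
        $findings += "Only $($usable.Count) enabled, unlocked Domain Admins account(s)."
    }
    # A lockout duration of zero means locked accounts never unlock on their own.
    if ($policy.LockoutThreshold -gt 0 -and $policy.LockoutDuration -eq [TimeSpan]::Zero) {
        $findings += "Lockout duration is 0: only an administrator can unlock accounts."
    }

    [PSCustomObject]@{
        Domain         = $domain.DNSRoot
        UsableAdmins   = $usable.SamAccountName
        BuiltinEnabled = $builtin.Enabled
        LockoutMinutes = $policy.LockoutDuration.TotalMinutes
        AtRisk         = ($findings.Count -gt 0)
        Findings       = $findings
    }
}

Test-AdminLockoutRisk | Format-List
```

Run it from a scheduled task under a read-only account and alert when `AtRisk` is true, so the condition is caught before the last usable admin account locks out.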