Forgot the Administrator’s Password? – Change Domain Admin Password in Windows 2000 AD

Note: In order to successfully use this trick you must first use one of the password resetting tools available on the Forgot the Administrator’s Password? page.

The reason is that you need the local administrator’s password to perform the following tip, and if you don’t have it, the only way to reset it is with one of those tools.
Read more about that on the Forgot the Administrator’s Password? page.
Update: You can also discuss these topics on the dedicated Petri.co.il Forgot Admin Password Forum.
Lamer note: This procedure is NOT designed for Windows XP, nor will it work on Windows Server 2003. For that you should read the Forgot the Administrator’s Password? – Change Domain Admin Password in Windows Server 2003 AD page.
Reader John Simpson added his own personal note regarding the changing of Domain Admin passwords on Windows NT domains and Windows 2000 Active Directory domains (HERE). I will quote parts of it (thanks John!):
As stated above, the very useful “Offline NT Password & Registry Editor boot disk” will only let you reset the password for the MACHINE Administrator account, not the DOMAIN Administrator account. As you probably know, on a Windows 2000 server which is an Active Directory controller, you CANNOT log into any machine-level account. Which means that resetting the MACHINE Administrator password is pretty much useless.
Or so it would seem. It turns out that “Directory Service Recovery Mode” uses the MACHINE-level accounts, since the whole point of this mode is that the AD control databases may be corrupted and you need a way to manually edit them (presumably using some high-priced third-party software package…)
I (John Simpson – DP) was able to reset the password on the DOMAIN Administrator account using the following procedure:

  1. Use the Offline NT Password & Registry Editor disk to reset the MACHINE Administrator password to “no password”.
  2. Reboot, hit F8, and enter “Directory Service Recovery Mode”. The machine will boot up as a standalone server without any Active Directory support.
  3. When the login screen appears, hit CTRL-ALT-DEL and log in as “Administrator” with no password. This is the MACHINE Administrator account, and does not have the ability to modify anything specific involving the Active Directory information, although it can back up and restore the physical files which contain the AD databases.
  4. Run “REGEDIT.EXE” (without the quotes). Navigate to

HKEY_USERS\.Default\Control Panel\Desktop

Lamer note: Make sure you write down the default values BEFORE changing them. You could also just PRINT SCREEN your registry editor display. The best option is to just back up the values to a .REG file by selecting the DESKTOP key and then selecting EXPORT from the FILE menu.
After you have made sure you know what the default values are, change the following values:
SCRNSAVE.EXE – change from logon.scr to cmd.exe
ScreenSaveTimeout – change from 900 to 15
ScreenSaveActive – change to 1 (if it wasn’t 1 already)

  5. Reboot normally. When the box appears asking you to hit CTRL-ALT-DEL to log in, just wait.

After 15-30 seconds you will see a command prompt appear (since that is the screensaver).

  6. In the command prompt, type the following command:

MMC DSA.MSC

Lamer note: There is a space character between the “mmc” and the “dsa.msc”. Also, note that the DSA.MSC file is usually located in the SYSTEM32 subfolder of your WINDOWS or WINNT folder.
More lamer notes: DSA.MSC is the file name of the Active Directory Users and Computers console, which in turn is the main tool for managing users, groups and computers in Windows 2000 Active Directory.

This should bring up the management console where you can edit users’ passwords, including the password for the Administrator account.

  7. After resetting the Administrator password, exit the management console and type the command EXIT in the command prompt window.
  8. Hit CTRL-ALT-DEL and log into the DOMAIN Administrator account using the new password!

Don’t forget to undo the changes you made to the registry (see step #4, lamer note), or you will always have a command prompt with Domain Administrator rights appear whenever somebody logs out.
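As an added example (not part of the original article or of John’s note), a small Python script that parses a .REG export of the Desktop key, as the backup step above produces, and reports whether SCRNSAVE.EXE and ScreenSaveTimeout are still at the values the procedure sets; it serves both to confirm the undo and as a check over exported hives. The sample export is constructed, and the 60-second timeout threshold is an assumption.

```python
import re

# Constructed sample .REG export of the Desktop key, showing the values the
# procedure above leaves behind (not a real export from any machine).
TAMPERED_REG = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"SCRNSAVE.EXE"="cmd.exe"
"ScreenSaveTimeout"="15"
"ScreenSaveActive"="1"
'''

DESKTOP_KEY = r"hkey_users\.default\control panel\desktop"  # registry names are case-insensitive
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def parse_reg(text: str) -> dict:
    """Parse a REGEDIT4 / 'Version 5.00' export into {key: {value name: value}}.
    REG_SZ strings are unescaped, dword values become decimal strings, other types
    are kept raw; key and value names are lower-cased for lookup."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        value = m.group("value")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif value.lower().startswith("dword:"):
            value = str(int(value[6:], 16))
        keys[current][m.group("name").lower()] = value
    return keys


def audit_screensaver(text: str, min_timeout: int = 60) -> list:
    """Flag a .DEFAULT screen saver that is not a .scr file (the procedure sets
    cmd.exe) or a timeout under min_timeout seconds (assumed threshold; default is 900)."""
    desktop = parse_reg(text).get(DESKTOP_KEY, {})
    findings = []
    scr = desktop.get("scrnsave.exe", "")
    if scr and not scr.lower().endswith(".scr"):
        findings.append(f"SCRNSAVE.EXE is {scr!r}, expected a .scr file such as logon.scr")
    timeout = desktop.get("screensavetimeout", "")
    if timeout.isdigit() and int(timeout) < min_timeout:
        findings.append(f"ScreenSaveTimeout is {timeout}s, the default is 900s")
    return findings
```

Run it over the export you made before changing the values and over a fresh export after undoing them; an empty findings list means the Desktop key is back to a normal screen saver.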