Backup and reinstall - no server access

[Antony Gelberg]

Hi,

We have a Windows Server 2003 with a lost Administrator password. It is
the PDC, and we don't have local or domain passwords.

We have tried the procedure at
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
and didn't get very far. After resetting the local admin password with
the rescue CD, we started up in Directory Services mode, but the new
password wasn't recognised.

The only option that I can see is to boot from a Linux live CD (e.g.
Knoppix), plug in a USB hard disk, copy the files on the Windows
partition to the external disk, reinstall Windows Server 2003, recreate
the users within AD, copy back their profiles from the external hard disk.

Will this work? Is there an easier way to do this? Surely we can't be
the only people in this position. How can we restore their mailboxes,
which I don't believe are part of their profiles?

Please let me know if this isn't the best newsgroup for this issue.

Antony

 

[Pegasus \(MVP\)]

Hi,

We have a Windows Server 2003 with a lost Administrator password. It is
the PDC, and we don't have local or domain passwords.

We have tried the procedure at
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
and didn't get very far. After resetting the local admin password with
the rescue CD, we started up in Directory Services mode, but the new
password wasn't recognised.

The only option that I can see is to boot from a Linux live CD (e.g.
Knoppix), plug in a USB hard disk, copy the files on the Windows
partition to the external disk, reinstall Windows Server 2003, recreate
the users within AD, copy back their profiles from the external hard disk.

Will this work? Is there an easier way to do this? Surely we can't be
the only people in this position. How can we restore their mailboxes,
which I don't believe are part of their profiles?

Please let me know if this isn't the best newsgroup for this issue.

Antony

The usual way to solve this problem is to boo the machine with
a boot disk from here:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html,
then to reset the administrator's password to a blank.

It is also common to have at least two admin accounts on every
machine, with one of them locked away, the same as you never
have a car with one single set of keys.

 

[Antony Gelberg]

The usual way to solve this problem is to boo the machine with
a boot disk from here:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html,
then to reset the administrator's password to a blank.

It is also common to have at least two admin accounts on every
machine, with one of them locked away, the same as you never
have a car with one single set of keys.

Thanks for your reply. We did in fact use the Nordahl tool that you
refer to in your link. This was recommended by the original link that I
posted.

As for having two administrator accounts, we have only recently been
asked to support this machine, so it's Not Our Fault.

Bearing this in mind, I refer back to my original post. Will it work?
If not, what are the options?

 

[Pegasus \(MVP\)]

Thanks for your reply. We did in fact use the Nordahl tool that you
refer to in your link. This was recommended by the original link that I
posted.

As for having two administrator accounts, we have only recently been
asked to support this machine, so it's Not Our Fault.

Bearing this in mind, I refer back to my original post. Will it work?
If not, what are the options?

When I'm asked to take over a new machine (which happens
frequently) then the first thing I do is to create a couple of my own
admin accounts. It's saved me on countless occasions.

If the Nordahl boot disk fails then you have these options:
- Check Google for similar tools.
- Check Google for a password cracker tool.
- Move the SAM file sideways. This has the effect of
deleting all existing accounts and creating one single administrator
account with a blank password.

 

[Antony Gelberg]

When I'm asked to take over a new machine (which happens
frequently) then the first thing I do is to create a couple of my own
admin accounts. It's saved me on countless occasions.

Sure, but it was like this when we got there.

If the Nordahl boot disk fails then you have these options:
- Check Google for similar tools.
- Check Google for a password cracker tool.
- Move the SAM file sideways. This has the effect of
deleting all existing accounts and creating one single administrator
account with a blank password.

It's funny to think that people pay thousands of pounds for this
software, with it's bloated infrastructure, and yet, it can't do some of
the simplest things without jumping through hoops.

Thanks anyway.

 

[Pegasus \(MVP\)]

Sure, but it was like this when we got there.


It's funny to think that people pay thousands of pounds for this
software, with it's bloated infrastructure, and yet, it can't do some of
the simplest things without jumping through hoops.

Thanks anyway.

You might find that other OSs work in pretty much the same way.

Many people would argue the opposite from what you argue: They
would say that a really secure system should be uncrackable, even
when you have physical access to it.

 

[Pegasus \(MVP\)]

Sure, but it was like this when we got there.


It's funny to think that people pay thousands of pounds for this
software, with it's bloated infrastructure, and yet, it can't do some of
the simplest things without jumping through hoops.

Thanks anyway.

After rumaging around in my box of useful tips I found these:

1) Make a backup of logon.scr then replace it with cmd.exe.
Log off. Wait 15 minutes. Win2000 will start the logon-screensaver.
Or so it thinks. Actually it just runs whatever .exe file is currently
called logon.scr, and it runs it in the "SYSTEM" context.
Start a Command Prompt and run this command:
net user administrator somepassword
Warning: I have a vague recollection reading somwehere that MS
have plugged this hole in some service pack.

2) Get the tool called "l0phtCrack" and apply it to SAM. Depending
on the quality if the password, this might take a while.

 

[Lanwench [MVP - Exchange]]

In Antony Gelberg <[email protected]> typed:

It's funny to think that people pay thousands of pounds for this
software, with it's bloated infrastructure, and yet, it can't do some
of the simplest things without jumping through hoops.

Thanks anyway.

Well, in addition to Pegasus' reply (with which I wholeheartedly agree), you
must remember that systems--regardless of platform--are only as good as
those who manage them.

Some*one*, not some*thing*, lost the credentials that they ought to have
kept in a safe place. I know this wasn't you, but it's not Microsoft's
fault, either. When someone lock their keys out of their car, is it Ford's
fault? I would like to think that it isn't so easy to get into a locked
car - otherwise, why bother locking it?

I don't know of any password recovery tools that work on anything other than
the local SAM - and this is a domain controller, so it doesn't have one. I'd
love to hear how you make out with this as I'm really curious to find out if
anything works. Please keep us posted, and good luck.

 

[Sid Knee]

In Antony Gelberg <[email protected]> typed:

Well, in addition to Pegasus' reply (with which I wholeheartedly agree), you
must remember that systems--regardless of platform--are only as good as
those who manage them.

Some*one*, not some*thing*, lost the credentials that they ought to have
kept in a safe place. I know this wasn't you, but it's not Microsoft's
fault, either. When someone lock their keys out of their car, is it Ford's
fault? I would like to think that it isn't so easy to get into a locked
car - otherwise, why bother locking it?

I agree with your sentiments and would add that it's ludicrous (to say
the least) to suggest that if you pay a high price for software, you
should at least get easy-to-crack password security for your money!

The reference to Ford might not be the best parallel though. Even though
locking yourself out is not Ford's fault, they (and other major
manufacturers) nevertheless provide assistance to you to regain entry.
Main dealers have master keys for just this purpose.

 

[Antony Gelberg]

I agree with your sentiments and would add that it's ludicrous (to say
the least) to suggest that if you pay a high price for software, you
should at least get easy-to-crack password security for your money!

I didn't say that the password security should be easy to crack, rather
that if it's lost, then the administrator should have a get-out (e.g.
single-user mode in Linux).

The reference to Ford might not be the best parallel though. Even though
locking yourself out is not Ford's fault, they (and other major
manufacturers) nevertheless provide assistance to you to regain entry.
Main dealers have master keys for just this purpose.

Indeed.

 

[Antony Gelberg]

After rumaging around in my box of useful tips I found these:

1) Make a backup of logon.scr then replace it with cmd.exe.
Log off. Wait 15 minutes. Win2000 will start the logon-screensaver.
Or so it thinks. Actually it just runs whatever .exe file is currently
called logon.scr, and it runs it in the "SYSTEM" context.
Start a Command Prompt and run this command:
net user administrator somepassword
Warning: I have a vague recollection reading somwehere that MS
have plugged this hole in some service pack.

2) Get the tool called "l0phtCrack" and apply it to SAM. Depending
on the quality if the password, this might take a while.

Thanks a lot. I'm going to try (2) if I can get at SAM, otherwise,
there is an online cracker at http://www.loginrecovery.com/ which takes
a checksum (I assume) from a boot floppy which they provide. This could
be perfect. My worry is it will pick up the same password that
Nordahl's recovery tool didn't reset properly.

 

[Pegasus \(MVP\)]

Thanks a lot. I'm going to try (2) if I can get at SAM, otherwise,
there is an online cracker at http://www.loginrecovery.com/ which takes
a checksum (I assume) from a boot floppy which they provide. This could
be perfect. My worry is it will pick up the same password that
Nordahl's recovery tool didn't reset properly.

Nordahl works best when the admin's password is reset to a blank.

 

[Sid Knee]

Antony Gelberg wrote:

I didn't say that the password security should be easy to crack, rather
that if it's lost, then the administrator should have a get-out (e.g.
single-user mode in Linux).

Well I was taking that first quote of yours in its context of getting
access to a machine for which you have lost the administrator password.
If you simply want a "get-out" (but not an easy crack) then I don't
understand your complaint in relation to the answers you were given.

And if the single user mode in Linux is an easier get-out, then everyone
else (as well as the genuine administrator) is prevented from using it
..... how? Of course it's true that any cracking method, by its nature,
is open to all. But at least if you have to "jump through hoops" it's
much less likely to be used in casual attempts.

 

[Antony Gelberg]

Well I was taking that first quote of yours in its context of getting
access to a machine for which you have lost the administrator password.
If you simply want a "get-out" (but not an easy crack) then I don't
understand your complaint in relation to the answers you were given.

My frustration is that we have a normal scenario which is made
unnecessarily difficult to get out of.

And if the single user mode in Linux is an easier get-out, then everyone
else (as well as the genuine administrator) is prevented from using it
.... how?

1) Physical access to the machine console.
2) Knowledge of how to alter boot parameters upon reboot.
3) Knowledge of password altering commands.

Of course it's true that any cracking method, by its nature,
is open to all. But at least if you have to "jump through hoops" it's
much less likely to be used in casual attempts.

I don't think that there is such a thing as a casual attempt to do this
kind of thing.

 

[dagdabrona]

Hi,

Well, you can give Active@ Password Changer a try. It it really easy to
use and very effecrive. Recommended tool!
http://www.password-changer.com/