Domain Administrator Locked Out - Please Help!!!


Mart

I have a Windows 2003 Server and a Windows 2000 Server which are
domain controllers. When trying to logon on any workstation or server
on the domain as Administrator (domain) I am getting a "check
password" error. I am using the correct password, and I have also
reset the password from the Domain Controller to double check.

If I right-click on Administrator within the Users and Computers MMC
there is no option to unlock account.

As a background to what may have caused this problem, I was trying to
amend our domain policy.

We had originally amended the Default Domain Policy (not a good idea I
know now in hindsight), setting the password policy and lockout
policy. This was set to apply to users but not administrators.

I then needed to set something specifically for admins but not users,
so I created a new Administrators policy, and set this for admins but
not users.

Later in the day it was discovered our domain Administrator account
could not logon to a workstation, I panicked and started changing all
sorts of settings.

I ran a command on our 2003 server which I found on a website (can't
remember the command now) which was supposed to revert back to the
default domain settings, however I was then unable to edit the policy.
A few random clicks later I was able to edit policy, but I still do
not know how to logon as my domain Administrator account. I have
logged out of the Win 2000 server because it crashed and I could not
log back in as Administrator. I am now scared to logout of the Win
2003 server because I will not get back in! I have made a copy of the
Administrator account which at least has allowed me to login to the
Win 2000 server, but this is not the built-in administrator account.

I have not had a good day and any help would be appreciated. I will
try not to play in future!

Thanks.
 
Did you rename the administrator account? If you did then you will
have to set it back to whatever it was prior to that, or just modify
the policy to show "not configured". This is located in the GPO MMC
module under Computer Configuration, Windows Settings, Security
Settings, local policies, security options. Look for Rename
Administrator Account.

Hope this helps

Randy

On Wed, 24 Nov 2004 23:37:29 +0000 (UTC),
 
First off you can not have different password/account policy for users than
administrators. There can only be one password policy for all domain users -
no exceptions. Password policy is computer configuration which can not be
filtered by users anyhow.

If you are logged into a domain controller as an administrator use Active
Directory Users and Computers to create a new user account and add that
account to the domain admins group so that you can use it if need be to
logon to the domain as an administrator. The description of your error
sounds as if a wrong name or password is used to try and logon. When you
logon to a domain computer [other than domain controller] make sure that you
are logging onto the domain and not the local computer which may be why you
were getting an error message. If the problem persists, try logging on using
upn as in (e-mail address removed) in case you somehow changed your account
pre-Windows 2000 logon name. --- Steve
 
Thanks both for your suggestions, I will try them as soon as I get in
to work and report back.

Yes the Administrator account was renamed - this was renamed at the
time we installed our domain a few years ago and has not since
changed.

The user name and password for Administrator has not changed and I
have reset the password but still get the incorrect user name/password
error. So I think this may be a red herring.



 
Steve,

Just on another matter, it was not different password/account policies
I wanted but different Internet Explorer proxy settings. Therefore I
created a different policy which was set to apply to Admins. However
it may be that this policy was set with a different password/lockout
setting.

Eg - I want users to use a proxy but not admins

Thanks again
 
OK. Good luck. If the situation does not improve, see the link below on how
to reset the built in administrator password with a free download utility. I
have used it myself and it works well but it should be a last resort
option. --- Steve

http://www.petri.co.il/forgot_administrator_password.htm

 
Thank you both very much for your help. Although I think I may have
initially misinterpreted your responses, I think this is now resolved.
The administrator account had indeed been renamed within users and
computers, via the policy. I manually renamed this back to what it
should be, and disabled this part of the policy.

Many thanks again because without your help I don't know how I would
have solved this.

Mart.
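
An added example, not part of any post in this thread: a small audit of GPO security templates (the GptTmpl.inf file each GPO keeps in SYSVOL) for the two issues discussed above, a "Rename administrator account" setting and password/lockout settings placed in a GPO that is not the domain-level policy. The GPO names, the sample template text, and the helper `audit_gpo` with its `linked_at_domain_root` parameter are assumptions made for illustration.

```python
# Added example: audit GPO security templates (GptTmpl.inf) for the two
# issues raised in this thread. All names and sample contents are constructed.
ACCOUNT_POLICY_KEYS = {
    "MinimumPasswordLength", "MinimumPasswordAge", "MaximumPasswordAge",
    "PasswordComplexity", "PasswordHistorySize",
    "LockoutBadCount", "ResetLockoutCount", "LockoutDuration",
}

def parse_system_access(inf_text):
    """Return the key/value pairs of the [System Access] section."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit_gpo(name, linked_at_domain_root, inf_text):
    """Hypothetical helper: list findings for one GPO's template text."""
    settings = parse_system_access(inf_text)
    findings = []
    if "NewAdministratorName" in settings:
        findings.append(f"{name}: renames the built-in Administrator to "
                        f"{settings['NewAdministratorName']!r}")
    misplaced = sorted(settings.keys() & ACCOUNT_POLICY_KEYS)
    if misplaced and not linked_at_domain_root:
        findings.append(f"{name}: {', '.join(misplaced)} set outside the "
                        "domain-level policy; domain users will not get them")
    return findings

# Constructed sample; real files are usually UTF-16, so open them with
# encoding="utf-16" before passing the text in.
SAMPLE_ADMINS_GPO = """\
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 3
NewAdministratorName = "ops-admin"
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for finding in audit_gpo("Administrators policy", False, SAMPLE_ADMINS_GPO):
        print(finding)
```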
 
Excellent, glad you got it worked out. For future reference be sure you
always make a backup of the System State on a domain controller before you
make any changes to group or security policy as you can then always do an
authoritative restore of Active Directory to set things back the way they
were. However backing up the System State will not restore "local" policy
changes which would require a full backup or Ghost type image. You would
need to know the "local" built in administrator password however to restore
Active Directory on a domain controller, so be sure you know that. The link
below explains more and how to change it in case you do not know what it
currently is. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;239803
 