HOW TO: Reset your Lost 2003 Active Directory Admin Password

AskTheAdmin is back again with another “how to” for the GAS readers. Today’s tutorial will be covering a technique that will allow you to reset your lost 2003 Active Directory Administrator Password.

Don’t worry, it happens to the best of us and you are not alone. I have never had this happen to me in a production environment but it did a few times in test domains.

This article assumes that you forgot the AD admin password, someone changed it on you, or you are recovering from an attack.

This is not meant as a how-to for hacking your company’s Active Directory – nope, not in any way, shape, or form. In case you decide to use this tutorial for nefarious purposes, we cannot be held liable for your stupidity. With that said, let’s move on.

If you are trying to recover a local admin password from Windows XP, Vista, 2000, or NT, please refer to last week’s article on how to reset your local admin password.

If you are still reading this then you need to regain access to your Active Directory administrator account.

To do this you will need the following:

  • Physical access to the domain controller that you are locked out of.
  • Your local administrator’s password. (If you do not have this one as well, you can use the tool we wrote about last week to recover non-AD admin accounts).
  • You will need Internet access to download two files from Microsoft’s resource kit unless you have them on CD. I found them online here: they are called SRVANY and INSTSRV.
  • You will also need to be able to reboot the Domain Controller and have it offline while you do your magic. Note: This means users that log on to this domain controller will not be able to authenticate while it is down.
  • And of course you need to be comfortable with the command line and modifying your registry.

Alright then, let’s get cracking! (no pun intended!)

1. Restart Windows 2003.

2. Boot into Directory Services Restore Mode.

Note: When the box restarts, you need to hit F8 (just like you do when you want to access safe mode) and then choose Directory Services Restore Mode from the menu. This option disables your Active Directory but gives you full access to the box.

3. It will take a few moments for your login prompt to appear. When you see it, you will need to log on to this machine as the local Administrator, aka the Directory Services Restore Mode administrator.

You are now in. You have full access to the system sans Active Directory. You can start and stop services, access files, and change local accounts and shares, but you still cannot touch the AD domain password. Close but no cigar.

We need to install SRVANY; the link to download it is above. This Microsoft app turns any executable into an NT service. Not just any service either: a service that runs in the system context. Any service created with SRVANY will have full system access. In case you don’t know, a service on an NT machine allows an application to be run automatically by the system without user intervention, like IIS or DHCP.

With that kind of system access, you can change the domain admin’s password without a problem. So now, how are we going to use this information to get a service in the system context that will change our active directory administrator’s password?

Keep reading!

Here is the trick: we are going to use the SRVANY application to make Windows run a command prompt in the system context.

Do you see where I am going with this yet?

We have to copy SRVANY and INSTSRV to a folder containing CMD.exe. For this instance I created c:\recovery. Now in my c:\recovery directory I have three files. They are srvany, instsrv and cmd.exe.

Note: If you are having problems finding cmd.exe, it lives in your system32 directory.

Open a command prompt by going to Start, Run, type “cmd” in the field, and press OK. Navigate to the folder containing srvany, instsrv and cmd.exe. Then type:

instsrv.exe FixPass "c:\recovery\srvany.exe"

This creates a service called FixPass that runs via the srvany.exe application. Remember srvany can run any exe as a service.

Now we need to set up srvany to do our bidding. For this step we need to modify the registry.

Start regedit, and open this key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FixPass

Create a new sub-key under FixPass called Parameters and add two new values:

Name: Application
Type: REG_SZ (string)
Value: c:\recovery\cmd.exe

Name: AppParameters
Type: REG_SZ (string)
Value: /k net user administrator new_domain_pw

The first entry tells FixPass to run cmd.exe. The second gives it its parameters aka our password changing command.

‘net user username password’ is how we use the command line utility to set a new password.

Replace new_domain_pw with the password you want your Active Directory Administrator to have.

Now let’s open our services console by going to:

Start –> Run and type:

services.msc

Hit enter. Now find and open the FixPass service property tab. You do this by right clicking on the service and choosing properties.

Change the service’s startup mode to Automatic.

This next step is very important. Click on the Log On tab of the FixPass services properties and enable the option to “Allow this service to interact with desktop”. Without this your password change will fail.

The plan is in place. Let’s review. We have SRVANY, INSTSRV and cmd.exe in a folder. We set the registry to have srvany run a command prompt that will execute our password-change command. We set the service to run automatically and allowed it to interact with the desktop. Now on startup the system will run the net user command and reset the domain admin password.

The hard work is done. Let’s see if we succeeded. We need to reboot Windows into normal mode and wait for the login screen. After the prompt appears, wait 60 seconds. It can take a shorter time but let’s just wait to be sure.

You can use this time to reflect on how you let this happen and how it won’t ever happen again.

Ha!

Our command ran in the background and your password should now be changed. Log in using the new password we set way back in the procedure. If all went well you should be logging in as we speak.

Now you are the domain admin again – feels good right?

Now after your successful logon, when the desktop comes up you will have a command window open. This is the same command window that executed your script. We will now delete our service and undo our mods so that it doesn’t change your password on every reboot.

Ah… Forgot about that didn’t ya?

Type these commands in this order:

net stop FixPass

sc delete FixPass

The first one stops the FixPass service and the second one removes it.

Remove the folder you stored your files in (I used c:\recovery) and that’s it. Change your password to something you will remember. No really something you will remember in the future so you don’t have to go through this again!
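Once the cleanup is done it is worth confirming that no SRVANY wrapper like FixPass is still registered, because the same three registry values would reset the domain admin password again on the next reboot. As an added example that is not part of the original article, this Python script audits a regedit export of HKLM\SYSTEM\CurrentControlSet\Services (assumed to have been produced with regedit’s Export) for services whose ImagePath is srvany.exe and reports what they would launch, whether the interactive-desktop Type bit is set, and whether they start automatically; the .reg text below is constructed.

```python
import re
# Constructed .reg export (not the article's own files): a normal service plus a FixPass-style SRVANY wrapper.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FixPass]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"=hex(2):63,00,3a,00,5c,00,72,00,65,00,63,00,6f,00,76,00,65,00,72,00,\
  79,00,5c,00,73,00,72,00,76,00,61,00,6e,00,79,00,2e,00,65,00,78,00,65,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FixPass\Parameters]
"Application"="c:\\recovery\\cmd.exe"
"AppParameters"="/k net user administrator new_domain_pw"
"""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SERVICE_INTERACTIVE_PROCESS = 0x100  # Type bit set by "Allow service to interact with desktop"
SERVICE_AUTO_START = 2               # Start value for startup type Automatic

def _decode(raw):
    # One .reg value body: quoted string (backslashes doubled), dword, or hex(2) = REG_EXPAND_SZ
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # UTF-16LE bytes, NUL terminated
        return bytes(int(b, 16) for b in raw[7:].split(",")).decode("utf-16-le").rstrip("\0")
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: value}}, re-joining lines regedit wrapped with '\\'."""
    keys, current, carry = {}, None, ""
    for line in text.splitlines():
        line, carry = carry + line.strip(), ""
        if line.endswith("\\"):
            carry = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            keys[current][m.group(1)] = _decode(m.group(2))
    return keys

def find_srvany_wrappers(keys):
    """Flag services whose ImagePath is srvany.exe and report what they would launch."""
    findings = []
    for path, vals in keys.items():
        parent, _, name = path.rpartition("\\")
        image = str(vals.get("ImagePath", "")).lower()
        if parent.lower() != SERVICES.lower() or not image.endswith("srvany.exe"):
            continue
        params = keys.get(path + "\\Parameters", {})
        findings.append({"service": name, "application": params.get("Application", ""),
                         "app_parameters": params.get("AppParameters", ""),
                         "interactive": bool(vals.get("Type", 0) & SERVICE_INTERACTIVE_PROCESS),
                         "auto_start": vals.get("Start") == SERVICE_AUTO_START})
    return findings
```

Run it as `find_srvany_wrappers(parse_reg(open("services.reg", encoding="utf-16").read()))` against a real export; an empty list means the FixPass-style wrapper is gone.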

About the author: Karl Gechlik is a Microsoft certified administrator that spends his time solving complex technology issues during the day and at night enjoys his beautiful wife and wonderful 16 month old daughter. Karl writes for many online sites including http://www.askTheAdmin.com, come stop by and tell him GAS sent you!

65 Responses to HOW TO: Reset your Lost 2003 Active Directory Admin Password

  1. If the purpose of all of that was just to launch a command prompt as the System account, you can use psexec (from sysinternals), or AT (with a time in the future), to launch cmd.exe as system.

    • But you need to do it on start up in normal mode. How would you use PSExec or AT to do this? You would still have to boot into Directory Restore Mode and set up a way for your script to be launched before login.

      If you have a way I would love to hear it Michael! Thanks for stopping by.

    • That does not work Michael, you have to get in the system 1st in directory restore mode and make the script launch as a service BEFORE the next normal login appears in order to make the password reset possible.

  3. Friggin' Awesome! I have a buddy that reconditions storage arrays for a living. You have just made his job much easier.

  5. Hi mate,
    It's working fine now.

    Thank You very Much

    Ansari
    IT ANALYST
    RSH MIDDLE EAST,
    UAE

  7. I tried this and it only reset the local admin password, and not the domain admin pwd. How does it know which one you want to reset?

    I now believe that the former admin here disabled the AD administrator account. Am I stuck trying to figure out whose account may have domain admin privileges on the AD domain and try this process with resetting?

  9. I actually used the exact process as described above…however, my situation was a little different.

    The above process will not work if the AD administrator account has been disabled or renamed apparently….As my luck would have it ….mine was BOTH!

    I ended up using the NT offline pwd tool, reset the LOCAL admin pwd to blank (several tries of trying to set it to an actual pwd were unsuccessful). After doing this, I rebooted, did F8, went into DSR mode and looked at account profiles for users under "C:\Documents and Settings". I was hoping that one of the several profiles that existed under there had Domain Admins rights. But nothing I tried worked until I tried changing the "AppParameters" value in the above process for each of the "users" I found that had a profile under "Documents and Settings" on the DC. One of them luckily happened to be the "Administrator" account that was renamed to another actual employee's username…but this username was also disabled…so the final "AppParameters" value that worked for me was:

    /k net user username P@ssw0rd /active:yes /domain

    I don't know if the /domain switch was needed at the final point of me finding a valid domain admin account on the domain, but my first several attempts without using the /domain switch caused the process to reset the LOCAL administrator's account, probably because it was the only "administrator" account it could find (since the AD one was renamed/disabled).

    Anyhow, I hope this added info helps anyone who may fall into a similar situation.

    I'd also like to thank you for the quick response to my original comment! Sorry I didn't get back sooner, but this issue became a personal battle for me and I was busy wrestling with it! ;)

  11. I have used this; there is a website, Petri, where this has been scripted and it is just a case of selecting yes or no. Got me out of a whole lot of bother.

  14. Many thanks for the information above, it came in VERY useful over the last few days when the whole of the AD was in disrepair after the administrator password had been changed.

    It leads me to another question: what are the steps for successfully changing the administrator password (I am now worried that someone may know the existing admin password so malicious changes could still be made)? If I change the password, will this stop services running which run as administrator (such as Exchange, BackupExec, etc.)?

    Much appreciated.

  16. This basically is if you already have access to the system. My problem is that my DC hard disk was failing and kept rebooting – it just would not boot in the W2K3 environment (safe mode or other).

    The drive was imaged, however it came up with the error: LSASS.EXE – System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.

    Please click OK to shutdown this system and reboot into directory services restore mode, check the event log for more detailed information.

    Unfortunately I am unable to remember that password. This is the first of two DCs on my network. What can I do to gain access to this unit? (PS: it's also my catalog unit.)

  18. Thanks a lot. It works…

    Just need to amend the “AppParameters” value.

    To reset the LOCAL administrator’s account:

    /k net user username P@ssw0rd

    To reset AD administrator account

    /k net user username P@ssw0rd /domain

  20. What service pack did you use? I use SP2.

    Seems not to work. Any chance to change profiles to log in locally with a different account name?

  22. thanks Karl, I tried it and it doesn’t work.. 2 questions..

    1) To get into DSRM mode.. you need the Directory Restore Admin password setup during dcpromo.. this can be different from the Local Admin Account password.. How does knowing the Local Admin password help..?

    2) this system has killed all my passwords and I can’t get in at all..

    Any help would be greatly appreciated..

    Many thanks

    Mat

  24. I would like to use third-party software such as "Windows Password Reset Kit 1.5" to reset the domain admin password. It is quite a bit easier.

  25. Very useful way to reset Active Directory password manually. It can get even easier by using the third-party program, such as AD Password Reset 1.7.

  26. I have been attempting to use this method for a few days, but it only seems to reset the password when I log into safe mode, which is encouraging, but not effective for logging into full mode. When I log into full mode the password reset doesn’t seem to take effect. I will try to add the /domain in AppParameters to see if it lets me into the full windows mode. I am assuming /domain stands for the local domain used on the computer. Anyway I will let you know if I have any breakthrough.

  27. I know a safe method to remove the password and it needs no reinstalling of Windows. The program is called Windows Password Seeker, which has been recommended at about.com. You can Google Windows Password Seeker or download it from passwordseeker.com. It can reset almost all Windows passwords in seconds. It is also compatible with Windows 7.

  28. Spot on job. I didn't forget my admin logon – it's a test rig at work and some genius decided to change the password while I was at lunch (yeah, I know I should have locked the screen; I will from now on).

    Saved me from creating a new domain, whacking Exchange on it, all the boring stuff :-)