http:// / nt-unlock.shtml

Unlocking Windows NT/2000/2003 Domain Controllers

Note: If you are trying to fix a server, please READ THIS ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.


I was recently tasked with "unlocking" a Windows 2000 server, where all of the following had happened:

Grrrr... do I sound just a little bit repetitive here?

It's not that people never learn, but they never even try.

I'll skip most of the war story and just give the basics.

Petter Nordahl-Hagen has written a Windows NT/2000 offline password editor. I have been using various versions of this disk for several years and have had very good results with it. Thank you, Petter!

However, the program only resets the password for the MACHINE Administrator account, not the DOMAIN Administrator account. And wouldn't you know it, on a Windows 2000 server which is an Active Directory controller, you CANNOT log into any machine-level account. Which means that resetting the MACHINE Administrator password is pretty much useless.

Or so it would seem. It turns out that "Directory Service Recovery Mode" uses the MACHINE-level accounts, since the whole point of this mode is that the AD control databases may be corrupted and you need a way to manually edit them (presumably using some high-priced third-party software package...)

I was able to reset the password on the DOMAIN Administrator account using the following procedure:

Again: If you are trying to fix a server, please READ THIS ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.

NOTE: If you are following these directions to try and "break into" a corporate domain which has one or more working Active Directory controllers, but YOU don't have Administrator access to the domain, you're wasting your time. The procedure detailed below will only work if you have physical access to a domain controller. It will also forcibly reset the AD Administrator password, which means that if you are somehow able to do this to a domain controller, the existing Administrator password will no longer work and the rightful administrators will know something is going on... and if they trace it back to you and fire you, or even better put you in jail, then you have gotten what you deserve.

NOTE: If you are following these directions to work on a machine which is not a domain controller, STOP RIGHT HERE. You now have access to the machine by rebooting and logging in as the machine's Administrator account (with no password.) Everything below this message is specific to domain controllers.

NOTE: If you are following these directions to work on a machine which is running Windows XP, STOP RIGHT HERE. The machine IS NOT A DOMAIN CONTROLLER. Go back and re-read the note right above this one.

NOTE: If you are following these directions to work on a machine which is running Windows 2003, STOP RIGHT HERE and follow these directions instead.

I received seven emails about this page during the first week it was up. One was from Petter Nordahl-Hagen (who wrote the recovery disc) and one was from Daniel Petri, who runs his own knowledgebase of NT/2000-related information (Daniel- nice layout, I will definitely be using your site the next time I have an NT-related client issue.) Both had nice things to say about this page, and wanted permission to link to it. Of course I said "thank you and yes" to both of them.

The other five emails were all from AOL or Juno accounts. Three were because the "MMC DSA.MSC" command didn't work for them and they were totally lost, one couldn't figure out how to work the registry editor, and one wanted me to write a program for him (for free) to automate the whole process, because these directions are "too damn confusing".

None of these messages were answered. The extra paragraph above, and this entire section at the end of the page, are my answer to all of these people (and to anybody else with similar questions.) If you send a question and it falls into the "brain-dead" category, you will not be answered either.

Please understand that I AM NOT A WINDOWS NT/2000 EXPERT. My environment of choice for servers is Linux, and for the desktop is Mac OS X. This was an isolated incident for me, I don't fix NT/2000 issues every day (although I could if I had to, I have found that in many cases I know more about NT/2000 than many people with the magic "MCSE" certificate.)

I cannot and will not answer people's emails about this page if the question shows that you're lost without a mouse, ESPECIALLY if your email address ends with "", "", "", "", "", or any of the other free lamer email account providers out there.

If you use a PC and you don't even know how to work a command prompt, find somebody who does, and have them follow the directions on this page. If that's not an option because a client is watching, then let's be honest: You are over your head, and your client would be better served by hiring a real computer professional (or maybe your client would be able to understand and follow these directions, and they don't need you.)

My feeling about this subject is the same as my feeling about all of the little high school kids and trailer-park moms out there who get a copy of FrontPage and call themselves a "web design company"- you're taking business away from the real web designers and the real system and network administrators out there. Real computer professionals have enough brains not to marry themselves to Microsoft (or ANY one platform.)

Or to make it simpler...

If you don't understand the directions on this page, you have no business working on the machine.

If this sounds a little crass... it's meant to. I have spent the last ten years doing tech support, system administration, and network administration, dealing with computer users who had no business owning a computer, and I'm burned out on it. I've dealt with everything from people who literally thought their CD-ROM drive was a holder for a coffee cup (yes, they really exist, if you're curious you can find them in Lake County, Florida, USA) to one guy who runs a gift shop in a tourist resort, who knows nothing about how to configure his own e-mail program, but had the nerve to try and lecture me on "internet standards" and how the software on my mail servers was wrong.

If you don't like my comments, write your own web page without them and YOU answer brain-dead questions from AOL users all day long. I have better things to do with my life.

The standard exception applies- if you are willing to pay my hourly rate, I will be more than happy to fix your server, or hold your hand and teach you how to work your computer, or whatever else (computer-related) you may need or want done. If so, I am located in Orlando, Florida, USA, and can be reached at the email address below.

Another point... DON'T TRUST THESE DIRECTIONS. You don't know me, and for all you know these directions may break your system. Read them, and make sure you understand them before you ever touch the "broken" machine. If you break your machine (or a client's machine), that's YOUR problem- NOT MINE. If you don't agree with this policy, then don't use these directions.

Other Notes

The previous version of this page had a collection of random ranting and raving about the level of stupidity which seems to manifest itself in the world, especially amongst AOL and hotmail users who read this page. I've removed most of it (it sounded really repetitive anyway) but have left the following information.

Сайт создан в системе uCoz