Note: If you are trying to fix a server, please READ THIS ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.
THE DIRECTIONS ON THIS PAGE ARE NOT FOR WINDOWS XP.
I was recently tasked with "unlocking" a Windows 2000 server, where all of the following had happened:
Grrrr... do I sound just a little bit repetitive here?
It's not that people never learn, but they never even try.
I'll skip most of the war story and just give the basics.
Petter Nordahl-Hagen has written a Windows NT/2000 offline password editor. I have been using various versions of this disk for several years and have had very good results with it. Thank you, Petter!
However, the program only resets the password for the MACHINE Administrator account, not the DOMAIN Administrator account. And wouldn't you know it, on a Windows 2000 server which is an Active Directory controller, you CANNOT log into any machine-level account. Which means that resetting the MACHINE Administrator password is pretty much useless.
Or so it would seem. It turns out that "Directory Service Recovery Mode" uses the MACHINE-level accounts, since the whole point of this mode is that the AD control databases may be corrupted and you need a way to manually edit them (presumably using some high-priced third-party software package...)
I was able to reset the password on the DOMAIN Administrator account using the following procedure:
Again: If you are trying to fix a server, please READ THIS ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.
NOTE: If you are following these directions to try and "break into" a corporate domain which has one or more working Active Directory controllers, but YOU don't have Administrator access to the domain, you're wasting your time. The procedure detailed below will only work if you have physical access to a domain controller. It will also forcibly reset the AD Administrator password, which means that if you are somehow able to do this to a domain controller, the existing Administrator password will no longer work and the rightful administrators will know something is going on... and if they trace it back to you and fire you, or even better put you in jail, then you have gotten what you deserve.
Use Petter's disk to reset the MACHINE Administrator password to "no password".
NOTE: If you are following these directions to work on a machine which is not a domain controller, STOP RIGHT HERE. You now have access to the machine by rebooting and logging in as the machine's Administrator account (with no password.) Everything below this message is specific to domain controllers.
NOTE: If you are following these directions to work on a machine which is running Windows XP, STOP RIGHT HERE. The machine IS NOT A DOMAIN CONTROLLER. Go back and re-read the note right above this one.
NOTE: If you are following these directions to work on a machine which is running Windows 2003, STOP RIGHT HERE and follow these directions instead.
Reboot, hit F8, and enter "Directory Service Recovery Mode". The machine will boot up as a standalone server without any Active Directory support.
When the login screen appears, hit CTRL-ALT-DEL and log in as "Administrator" with no password. This is the MACHINE Administrator account, and does not have the ability to modify anything specific involving the Active Directory information, although it can backup and restore the physical files which contain the AD databases.
Run "regedit". Navigate to
HKEY_USERS\.Default\Control Panel\Desktop
and change the following values:
Value             | Original       | Change to
SCRNSAVE.EXE      | logon.scr      | cmd.exe
ScreenSaveTimeout | 900            | 15
ScreenSaveActive  | May be 0 or 1  | 1
Reboot normally. When the box appears asking you to hit CTRL-ALT-DEL to log in, just wait. After 15-30 seconds you will see a command prompt appear (since that is the screensaver.)
I have received an email from somebody which simplifies the process... I can't verify this myself (because I don't use Windows) but the method makes sense. Apparently, once you get the command prompt you can type this one command to reset the password:
C:\WINNT\system32> NET USER ADMINISTRATOR newpassword
Once you enter this command, you should be able to exit from the command prompt, hit CTRL-ALT-DELETE, and log into the domain Administrator account using the new password. Again, without a Windows server I have no way to verify that this does or does not work, so I would appreciate any feedback from people who have tried this and can tell me that it does or does not work with their particular version of Windows.
In the command prompt, type the following command:
C:\WINNT\system32> MMC DSA.MSC
This should bring up the management console where you can edit users' passwords, including the password for the Administrator account. If you type this command and it doesn't work, wait 30 seconds and try it again. This happened to me; it sounded like the machine was still loading drivers into memory in the background...
If this doesn't work after waiting the 30 seconds... realize that THIS IS A COMMAND PROMPT WITH FULL DOMAIN ADMINISTRATOR RIGHTS, and you're running a command ("MMC.EXE") with another filename ("DSA.MSC") as an argument. If it "just plain doesn't work", maybe you need to locate these two files and type them in as full path names. Maybe something like "C:\WINNT\SYSTEM32\MMC.EXE C:\WINNT\SYSTEM32\DSA.MSC".
If you know absolutely nothing about how to use a command line, then reboot into DSR Mode, log in as Administrator, and use the graphical "Find Files" thingy to find the files, and write down their locations. Then try it again (reboot and wait for the command line, etc.)
A website visitor named "Joe Schmoe" emailed me to let me know that if somebody is absolutely, totally lost at this point, they should be able to type the word EXPLORER and hit ENTER, to get a full desktop with Administrator rights. From there, they should be able to find the right program on the start menu- usually Start, Programs, Administrative Tools, Active Directory Users and Computers. Thanks, Joe!
After resetting the Administrator password, exit the management console and type the command EXIT in the command prompt window.
Hit CTRL-ALT-DEL and log into the DOMAIN Administrator account using the new password.
Don't forget to undo the changes you made to the registry, or you will always have a command prompt with Domain Administrator rights appear whenever somebody logs out.
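An added audit script (not part of the original page) that checks the three values from the table above and reports whether the cmd.exe swap is still in place; with -Restore it puts SCRNSAVE.EXE and ScreenSaveTimeout back to the stock values the page lists. It assumes a PowerShell-capable Windows host; ScreenSaveActive is reported but not changed, since the page says it may legitimately be 0 or 1.

```powershell
# Added example, not part of the original page: audit (and optionally undo)
# the pre-logon screensaver values this page tells you to change.
# Assumes a PowerShell-capable Windows host; the key path and the stock
# values (logon.scr, 900) are the ones named on the page.
param([switch]$Restore)

$key = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
# Stock values as listed in the table above; ScreenSaveActive is left alone
# because the page says it may legitimately be 0 or 1.
$stock = @{
    'SCRNSAVE.EXE'      = 'logon.scr'
    'ScreenSaveTimeout' = '900'
}

$props    = Get-ItemProperty -Path $key
$findings = @()

foreach ($name in $stock.Keys) {
    $actual = $props.$name
    if ("$actual" -ne $stock[$name]) {
        $findings += ("{0}: found '{1}', expected '{2}'" -f $name, $actual, $stock[$name])
    }
}

# A screensaver entry that is not a .scr file is the tell-tale sign of the
# cmd.exe swap, whatever name the program was given.
$scr = "$($props.'SCRNSAVE.EXE')"
if ($scr -and $scr -notmatch '\.scr$') {
    $findings += "SCRNSAVE.EXE points at a non-screensaver program: $scr"
}

Write-Output ("ScreenSaveActive is currently '{0}'" -f $props.ScreenSaveActive)

if ($findings.Count -eq 0) {
    Write-Output "OK: pre-logon screensaver values match the stock settings."
} else {
    $findings | ForEach-Object { Write-Output "WARNING: $_" }
    if ($Restore) {
        foreach ($name in $stock.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $stock[$name]
            Write-Output "Restored $name to '$($stock[$name])'"
        }
    }
}
```

Run it as an administrator after finishing the procedure; a WARNING line means the pre-logon command prompt is still armed.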
I received seven emails about this page during the first week it was up. One was from Petter Nordahl-Hagen (who wrote the recovery disc) and one was from Daniel Petri, who runs his own knowledgebase of NT/2000-related information (Daniel- nice layout, I will definitely be using your site the next time I have an NT-related client issue.) Both had nice things to say about this page, and wanted permission to link to it. Of course I said "thank you and yes" to both of them.
The other five emails were all from AOL or Juno accounts. Three were because the "MMC DSA.MSC" command didn't work for them and they were totally lost, one couldn't figure out how to work the registry editor, and one wanted me to write a program for him (for free) to automate the whole process, because these directions are "too damn confusing".
None of these messages were answered. The extra paragraph above, and this entire section at the end of the page, are my answer to all of these people (and to anybody else with similar questions.) If you send a question and it falls into the "brain-dead" category, you will not be answered either.
Please understand that I AM NOT A WINDOWS NT/2000 EXPERT. My environment of choice for servers is Linux, and for the desktop is Mac OS X. This was an isolated incident for me, I don't fix NT/2000 issues every day (although I could if I had to, I have found that in many cases I know more about NT/2000 than many people with the magic "MCSE" certificate.)
I cannot and will not answer people's emails about this page if the question shows that you're lost without a mouse, ESPECIALLY if your email address ends with "@aol.com", "@juno.com", "@hotmail.com", "@msn.com", "@yahoo.com", or any of the other free lamer email account providers out there.
If you use a PC and you don't even know how to work a command prompt, find somebody who does, and have them follow the directions on this page. If that's not an option because a client is watching, then let's be honest: You are over your head, and your client would be better served by hiring a real computer professional (or maybe your client would be able to understand and follow these directions, and they don't need you.)
My feeling about this subject is the same as my feeling about all of the little high school kids and trailer-park moms out there who get a copy of FrontPage and call themselves a "web design company"- you're taking business away from the real web designers and the real system and network administrators out there. Real computer professionals have enough brains not to marry themselves to Microsoft (or ANY one platform.)
Or to make it simpler...
If you don't understand the directions on this page, you have no business working on the machine.
If this sounds a little crass... it's meant to. I have spent the last ten years doing tech support, system administration, and network administration, dealing with computer users who had no business owning a computer, and I'm burned out on it. I've dealt with everything from people who literally thought their CD-ROM drive was a holder for a coffee cup (yes, they really exist, if you're curious you can find them in Lake County, Florida, USA) to one guy who runs a gift shop in a tourist resort, who knows nothing about how to configure his own e-mail program, but had the nerve to try and lecture me on "internet standards" and how the software on my mail servers was wrong.
If you don't like my comments, write your own web page without them and YOU answer brain-dead questions from AOL users all day long. I have better things to do with my life.
The standard exception applies- if you are willing to pay my hourly rate, I will be more than happy to fix your server, or hold your hand and teach you how to work your computer, or whatever else (computer-related) you may need or want done. If so, I am located in Orlando, Florida, USA, and can be reached at the email address below.
Another point... DON'T TRUST THESE DIRECTIONS. You don't know me, and for all you know these directions may break your system. Read them, and make sure you understand them before you ever touch the "broken" machine. If you break your machine (or a client's machine), that's YOUR problem- NOT MINE. If you don't agree with this policy, then don't use these directions.
The previous version of this page had a collection of random ranting and raving about the level of stupidity which seems to manifest itself in the world, especially amongst AOL and hotmail users who read this page. I've removed most of it (it sounded really repetitive anyway) but have left the following information.
My name is JOHN, not JIM. If you're going to email me, at least get my name right.
2003-04-13: Today I received an email from a HOTMAIL address which had NOTHING to do with the information on this page (which normally means they get ignored) but offered to pay me "if they could afford it" (which earns them an honorable mention here.)
From this person's email it sounds like they're trying to break into somebody else's machine (a spouse, child, co-worker, whatever), look through the files, and get out... without the machine's owner knowing.
The whole purpose of Petter's disk is to RESET PASSWORDS. If this person were to use Petter's disk on this machine, the owner would know that something was going on when all of a sudden their password didn't work any more...
Petter's disk is not a "spy tool", and a "non-techie like [your]self" is probably not going to be able to do this on your own. You should find a real computer professional, and THEY will have several options:
Knoppix is a version of Linux which boots from the CD-ROM drive and runs from a RAM disk, without being "installed" on the machine at all. It includes almost 2GB of software on the CD, and gives you the ability to look at existing partitions in READ-ONLY mode (i.e. you won't accidentally destroy something unless you manually mount something READ-WRITE, and you have to know ahead of time how to do that.)
Other similar tools exist- the only other one that comes immediately to mind is Forensic and Incident Recovery Environment (FIRE), which is geared more for security investigators and "hardcore geeks".
Remove the machine's hard drive, mount it as a secondary drive in another machine with the same operating system, and read what you want that way. Note that if that operating system is made by Microsoft, it will leave markers that the drive was mounted elsewhere, and it may even make the drive un-bootable.
The infamous "letter to Microsoft".
Dear Microsoft,
I know you mean well with your ideas about the "system recovery disk", and while it's not a BAD idea, it's not implemented correctly.
Please remember that many of your users have almost no computer knowledge, and don't know the first thing about security. Most users don't even THINK about a "system recovery disk" until AFTER they need it.
For example, they come into the office one Monday morning and find that somebody has hacked into their server through an open PCAnywhere connection on the boss's secretary's PC, which has domain admin rights because that's easier than the boss having to call the IT people when he forgets his password three times a week. Not only did they change the domain administrator password, but they disabled a bunch of services, modified the web site to say "J3R 53CUR1TY 5UX, 700-L337 H4X0RZ 0WNZ J00", and deleted a bunch of files at random.
So my suggestion is that you implement one, or both, of the following two options:
Make the Windows SETUP procedure FORCE the user to create the "system recovery disk". Showing one reminder window in the face of a stream of a hundred details just doesn't cut it.
Make it possible for somebody who has physical access to the server to manually reset the domain administrator password, without having to resort to hacking the keys on the AD security repository and brute-force the administrator password (which seems to be the only option left, and while I don't know enough about encryption to write such a program, I'm sure somebody out there does.)
And then EDUCATE people about the fact that a server shouldn't be physically placed where the wrong people can get to it, and that in this case "the wrong people" doesn't mean just hackers- it means ANYBODY who's not on the IT staff, or who isn't the owner of the company. I'm sure you don't trust your own servers well enough to leave them outside of a physically secured area, why not encourage your users to do the same thing?
Otherwise you are making it not only possible, but highly probable, that most machine owners are going to be totally LOST when something like this happens to them- and what kind of service is that to your customers?
Oh, yeah- it's not a service that you can make money off of. Never mind, I forgot who I was dealing with for a minute there...
Apparently somebody at Microsoft has read this letter, because apparently Windows 2003 was changed mid-stream to prevent the procedure detailed above from working. Figures.
If you're working on a Windows XP machine, the instructions on this web page will not help you. Don't ask, you WILL be ignored. (Yes, I know the page already says this twice... but some people just don't seem to "get it".)
If you're having a problem with Petter's disk, email Petter. Not me. I didn't write it, and unless you're willing to pay for my time to find and fix whatever problem you may be having, I can't help you with it. You will find his email address on his web site (and while you're there, I suggest reading the directions again and following them, step by step, instead of assuming that you already know how his disc works.)
Most people who have trouble with these instructions, or with Petter's disk, have trouble because they don't know what they're doing in the first place. The point of this web page is not to make people email me asking for free help with every single problem that Windows throws at them, the point is to tell people who understand how to work a computer about ONE SPECIFIC PROCEDURE which happened to work for me.
My experience with Microsoft Windows has led me to believe that Microsoft Windows is built on a fundamentally bad design. The Windows NT product was originally designed to act as a file/print server for a small office, NOT to be a web server, an email server, a firewall, or any of the other things people seem to have added into it. Microsoft was NOT thinking of real security when they designed it, and they designed it in such a way that it cannot easily be updated without breaking other things (how many patches have they released which broke other things?)
Again, this is MY OPINION, based on my own experience over the past ten years. If you don't agree with it, that's fine... you are entitled to your own opinion. I'm not trying to force my views on anybody- if you don't like my "pro-Linux slant", don't ask me to help you for free.
2004-02-29 I received an email today from somebody who gave me a link to the page http://www.nobodix.org/seb/win2003_adminpass.html, which contains a walk-through of how to reset the domain administrator password for a Windows 2003 domain controller. I don't have a machine to test it on, but the method seems to make sense and may even work on a Windows 2000 machine, although it requires two extra programs that don't normally come with Windows NT/2000/2003. Congratulations are in order for Sebastien Francois, who figured out the method and wrote the web page.