From: "joe" <[EMAIL PROTECTED]>
Reply-To: [email protected]
To: <[email protected]>
Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003
AD
Date: Fri, 4 Nov 2005 13:25:31 -0500
It falls back to the idea of should people post information that can be
used
to compromise someone else's machine. These mechanisms are all fine an
dandy
if you are trying to break into your own system, but normally, it is to
break into someone else's system. It is hopefully a rare case where an
admin
is so light between the ears that they forget their admin passwords. Hell I
get touchy with admins who lock themselves out even. Admins are supposed to
be accomplished and careful.
Anyway, it is usually bad taste to post a mechanism to crack into a system
that can't be countered. If everyone simply posted what they knew about
cracking systems there would be a lot of people in a very bad ways as that
info got around to folks who like to take advantage of stuff. Those people
aren't usually the ones bright enough to find all of the exploits in the
first place, they use what is published. Imagine viruses/worms that target
domains and forests instead of workstations. How many people truly have
their environment secured in such a way that they would be relatively safe.
If not in that group how many people have their environment monitored in
such a way that they would catch bad things very quickly (though quick is
relative, I have written POC tools that can take out your forest in less
than a couple of seconds barring too much network latency). If not in those
groups, how many people have their environment so they could quickly put it
back together. Say a massive forest attacking worm/virus breaks out, it
takes down say a State of Michigan or Department of Homeland Security...
How
much impact does that have? What if it reaches Code Red proportions?
joe
_____
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, November 04, 2005 1:04 PM
To: [email protected]
Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003
AD
Why not?
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Brian Desmond
Sent: Friday, November 04, 2005 9:48 AM
To: [email protected]
Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003
AD
He shouldn't have posted that.
Thanks,
Brian Desmond
<mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]
c - 312.731.3132
_____
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, November 04, 2005 12:28 PM
To: [email protected]
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD
Has any one ever tried this?
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
Forgot the Administrator's Password? - Reset Domain Admin Password in
Windows Server 2003 AD.
Featured Product:
Windows XP/2000/NT Key - Easy to use utility to reset Windows 2003/XP/2K/NT
local and domain controller administrator passwords. Download FREE version
<http://ref.lostpassword.com/windows-xp-2000-nt.htm?998001> now!
Note: In order to successfully use this trick you must first use one of the
password resetting tools available on the Forgot
<http://www.petri.co.il/forgot_administrator_password.htm> the
Administrator's Password? page.
The reason for that is that you need to have the local administrator's
password in order to perform the following tip, and if you don't have it,
then the only method of resetting it is by using the above tool.
Read more about that on the Forgot
<http://www.petri.co.il/forgot_administrator_password.htm> the
Administrator's Password? page.
Update: You can also discuss these topics on the dedicated Forgot Admin
Password - Related Discussions
<http://www.petri.co.il/forums/viewforum.php?f=25> forum.
Lamer note: This procedure is NOT designed for Windows XP since Windows XP
is NOT a domain controller. Also, for a Windows 2000 version of this
article
you should read the Forgot
<http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm>
the Administrator's Password? - Change Domain Admin Password in Windows
2000
AD page.
Reader Sebastien Francois added his own personal note regarding the
changing
of Domain Admin passwords on Windows Server 2003 Active Directory domains
(HERE <http://www.nobodix.org/seb/win2003_adminpass.html> ). I will quote
parts of it (thanks Seb!):
Requirements
1. Local access to the Domain Controller (DC).
2. The Local Administrator password.
3. Two tools provided by Microsoft in their Resource Kit: SRVANY and
INSTSRV. Download them from HERE
<http://www.petri.co.il/software/srvany.zip> (24kb).
Step 1
Restart Windows 2003 in Directory Service Restore Mode.
Note: At startup, press F8 and choose Directory Service Restore Mode. It
disables Active Directory.
When the login screen appears, log on as Local Administrator. You now have
full access to the computer resources, but you cannot make any changes to
Active Directory.
<http://www.petri.co.il/images/ss1.jpg>
Step 2
You are now going to install SRVANY. This utility can virtually run any
programs as a service. The interesting point is that the program will have
SYSTEM privileges (LSA) (as it inherits the SRVANY security descriptor),
i.e. it will have full access on the system. That is more than enough to
reset a Domain Admin password. You will configure SRVANY to start the
command prompt (which will run the 'net user' command).
Copy SRVANY and INSTSRV to a temporary folder, mine is called D:\temp. Copy
cmd.exe to this folder too (cmd.exe is the command prompt, usually located
at %WINDIR%\System32).
Start a command prompt, point to d:\temp (or whatever you call it), and
type:
<span style='font-size:10.0pt;font-family:Verdana'>instsrv PassRecovery
"d:\temp\srvany.exe"</span>
(change the path to suit your own).
It is now time to configure SRVANY.
Start Regedit, and navigate to
<span style='font-size:10.0pt;font-family:
Verdana'>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PassRecovery</
span>
Create a new subkey called Parameters and add two new values:
<span style='font-size:10.0pt;font-family: Verdana'>name: Application type:
REG_SZ (string) value: d:\temp\cmd.exe name: AppParameters type: REG_SZ
(string) value: /k net user administrator 123456 /domain<br>
Replace 123456 with the password you want. Keep in my mind that the default
domain policy require complex passwords (including digits, respecting a
minimal length etc) so unless you've changed the default domain policy use
a
complex password such as [EMAIL PROTECTED]
Now open the Services applet (Control Panel\Administrative Tools\Services)
and open the PassRecovery property tab. Check the starting mode is set to
Automatic.
<http://www.petri.co.il/images/ss5.jpg>
Go to the Log On tab and enable the option Allow service to interact with
the desktop.
Restart Windows normally, SRVANY will run the NET USER command and reset
the
domain admin password.
Step 3
Log on with the Administrator's account and the password you've set in step
#2.
Use this command prompt to uninstall SRVANY (do not forget to do it!) by
typing:
<span style='font-size:10.0pt;font-family: Verdana'>net stop PassRecovery
sc
delete PassRecovery</span>
Now delete d:\temp and change the admin password if you fancy.
Done!
Supplement
Robert Strom has written a cool script that will completely automate this
process. He wrote:
"My script is really just an automation of his process which performs all
the post cleanup of itself. Launch one script and it's all done. No manual
registry entries, the service is created, the service settings are all
imported into the registry, etc."
Download it from HERE <http://www.petri.co.il/software/dc_pass_reset.zip>
(186kb).
Note that you still need physical access to the DC and the ability to log
on
locally as the local administrator. If you do not have the local
administrator's password use the following tip: Forgot
<http://www.petri.co.il/forgot_administrator_password.htm> the
Administrator's Password?.
Thanks Robert!
Acknowledgments
This tip was compiled and written with the help of Antid0t, Robert Strom
and
Sebastien Francois. Thank you all!
Links
How to reset the Domain Admin Password under Windows 2003
<http://www.nobodix.org/seb/win2003_adminpass.html> Server
Original post by Antid0t and Robert Strom on the MCSEworld
<http://www.petri.co.il/forums/viewtopic.php?t=504> forums
Related articles
You may find these related articles of interest to you:
* <http://www.petri.co.il/change_recovery_console_password.htm>
Change Recovery Console Password
*
<http://www.petri.co.il/change_user_password_from_a_remote_computer.htm>
Change User Password from a Remote Computer
*
<http://www.petri.co.il/change_user_password_from_the_command_prompt.htm>
Change User Password from the Command Prompt
* <http://www.petri.co.il/forgot_administrator_password.htm>
Forgot
the Administrator's Password?
*
<http://www.petri.co.il/forgot_administrator_password_alternate_logon_trick.
htm> Forgot the Administrator's Password? - Alternate Logon Trick
*
<http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm>
Forgot the Administrator's Password? - Reset Domain Admin Password in
Windows 2000 AD
* <http://www.petri.co.il/recover_protected_office_documents.htm>
Recover Protected Office Documents
*
<http://www.petri.co.il/what's_the_password_reset_disk_in_windows_xp.htm>
What's the Password Reset Disk in Windows XP?
New:
* You can also discuss these topics on the dedicated Forgot Admin
Password - Related Discussions
<http://www.petri.co.il/forums/viewforum.php?f=25> forum.
<http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_a
d.htm#top> up
<http://www.petri.co.il/images/back.gif> back
<< image001.gif >>
<< image002.jpg >>
<< image003.jpg >>
<< image004.gif >>
