Hi Joe, That's one way to look at it that other way to look at it is that this information is freely available on the internet. I am not posting anything new. This is just more reason for some one to lock up the Domain Controllers in a room rather then leave them out in the open. Many companies that have remote offices and have there DC's out in the open need to re-evaluate their security policies as well as make frequent audits of there Domain Admins, Enterprise Admin's and local admin groups. I am also not trying to say that Microsoft is any less secure then other products, one can get into Linux, Macintosh and Solaris Operating Systems just as easily if they have physical access to the system and can boot from a CD, USB device or Floppy. One should not have a false sense of security just because one lacks the knowledge of how to do such things. Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL MCP+I, MCSE, NT4 MCT www.ntea.net www.tvnug.org www.sfntug.org ------------------------------------------------------------------------------------------------- -----Original Message----- From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of joe Sent: Friday, November 04, 2005 10:26 AM To: ActiveDir@xxxxxxxxxxxxxxxxxx Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD It falls back to the idea of should people post information that can be used to compromise someone else's machine. These mechanisms are all fine an dandy if you are trying to break into your own system, but normally, it is to break into someone else's system. It is hopefully a rare case where an admin is so light between the ears that they forget their admin passwords. Hell I get touchy with admins who lock themselves out even. Admins are supposed to be accomplished and careful. Anyway, it is usually bad taste to post a mechanism to crack into a system that can't be countered. If everyone simply posted what they knew about cracking systems there would be a lot of people in a very bad ways as that info got around to folks who like to take advantage of stuff. Those people aren't usually the ones bright enough to find all of the exploits in the first place, they use what is published. Imagine viruses/worms that target domains and forests instead of workstations. How many people truly have their environment secured in such a way that they would be relatively safe. If not in that group how many people have their environment monitored in such a way that they would catch bad things very quickly (though quick is relative, I have written POC tools that can take out your forest in less than a couple of seconds barring too much network latency). If not in those groups, how many people have their environment so they could quickly put it back together. Say a massive forest attacking worm/virus breaks out, it takes down say a State of Michigan or Department of Homeland Security... How much impact does that have? What if it reaches Code Red proportions? joe From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Medeiros, Jose Sent: Friday, November 04, 2005 1:04 PM To: ActiveDir@xxxxxxxxxxxxxxxxxx Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD Why not? Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL -----Original Message----- From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of Brian Desmond Sent: Friday, November 04, 2005 9:48 AM To: ActiveDir@xxxxxxxxxxxxxxxxxx Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD He shouldn't have posted that. Thanks, Brian Desmond brian@xxxxxxxxxxxxxxxx c - 312.731.3132 From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Medeiros, Jose Sent: Friday, November 04, 2005 12:28 PM To: ActiveDir@xxxxxxxxxxxxxxxxxx Cc: exchangelist@xxxxxxxxxxxxx Subject: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD Has any one ever tried this? Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL Forgot the Administrator's Password? - Reset Domain Admin Password in Windows Server 2003 AD. Featured Product: Windows XP/2000/NT Key - Easy to use utility to reset Windows 2003/XP/2K/NT local and domain controller administrator passwords. Download FREE version now! Note: In order to successfully use this trick you must first use one of the password resetting tools available on the Forgot the Administrator's Password? page. The reason for that is that you need to have the local administrator's password in order to perform the following tip, and if you don't have it, then the only method of resetting it is by using the above tool. Read more about that on the Forgot the Administrator's Password? page. Update: You can also discuss these topics on the dedicated Forgot Admin Password - Related Discussions forum. Lamer note: This procedure is NOT designed for Windows XP since Windows XP is NOT a domain controller. Also, for a Windows 2000 version of this article you should read the Forgot the Administrator's Password? - Change Domain Admin Password in Windows 2000 AD page. Reader Sebastien Francois added his own personal note regarding the changing of Domain Admin passwords on Windows Server 2003 Active Directory domains (HERE). I will quote parts of it (thanks Seb!): Requirements 1. Local access to the Domain Controller (DC). 2. The Local Administrator password. 3. Two tools provided by Microsoft in their Resource Kit: SRVANY and INSTSRV. Download them from HERE (24kb). Step 1 Restart Windows 2003 in Directory Service Restore Mode. Note: At startup, press F8 and choose Directory Service Restore Mode. It disables Active Directory. When the login screen appears, log on as Local Administrator. You now have full access to the computer resources, but you cannot make any changes to Active Directory. Step 2 You are now going to install SRVANY. This utility can virtually run any programs as a service. The interesting point is that the program will have SYSTEM privileges (LSA) (as it inherits the SRVANY security descriptor), i.e. it will have full access on the system. That is more than enough to reset a Domain Admin password. You will configure SRVANY to start the command prompt (which will run the 'net user' command). Copy SRVANY and INSTSRV to a temporary folder, mine is called D:\temp. Copy cmd.exe to this folder too (cmd.exe is the command prompt, usually located at %WINDIR%\System32). Start a command prompt, point to d:\temp (or whatever you call it), and type: <span style='font-size:10.0pt;font-family:Verdana'>instsrv PassRecovery "d:\temp\srvany.exe"</span> (change the path to suit your own). It is now time to configure SRVANY. Start Regedit, and navigate to <span style='font-size:10.0pt;font-family: Verdana'>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PassRecovery</span> Create a new subkey called Parameters and add two new values: <span style='font-size:10.0pt;font-family: Verdana'>name: Application type: REG_SZ (string) value: d:\temp\cmd.exe name: AppParameters type: REG_SZ (string) value: /k net user administrator 123456 /domain<br> Replace 123456 with the password you want. Keep in my mind that the default domain policy require complex passwords (including digits, respecting a minimal length etc) so unless you've changed the default domain policy use a complex password such as P@ssw0rd Now open the Services applet (Control Panel\Administrative Tools\Services) and open the PassRecovery property tab. Check the starting mode is set to Automatic. Go to the Log On tab and enable the option Allow service to interact with the desktop. Restart Windows normally, SRVANY will run the NET USER command and reset the domain admin password. Step 3 Log on with the Administrator's account and the password you've set in step #2. Use this command prompt to uninstall SRVANY (do not forget to do it!) by typing: <span style='font-size:10.0pt;font-family: Verdana'>net stop PassRecovery sc delete PassRecovery</span> Now delete d:\temp and change the admin password if you fancy. Done! Supplement Robert Strom has written a cool script that will completely automate this process. He wrote: "My script is really just an automation of his process which performs all the post cleanup of itself. Launch one script and it's all done. No manual registry entries, the service is created, the service settings are all imported into the registry, etc." Download it from HERE (186kb). Note that you still need physical access to the DC and the ability to log on locally as the local administrator. If you do not have the local administrator's password use the following tip: Forgot the Administrator's Password?. Thanks Robert! Acknowledgments This tip was compiled and written with the help of Antid0t, Robert Strom and Sebastien Francois. Thank you all! Links How to reset the Domain Admin Password under Windows 2003 Server Original post by Antid0t and Robert Strom on the MCSEworld forums Related articles You may find these related articles of interest to you: · Change Recovery Console Password · Change User Password from a Remote Computer · Change User Password from the Command Prompt · Forgot the Administrator's Password? · Forgot the Administrator's Password? - Alternate Logon Trick · Forgot the Administrator's Password? - Reset Domain Admin Password in Windows 2000 AD · Recover Protected Office Documents · What's the Password Reset Disk in Windows XP? New: · You can also discuss these topics on the dedicated Forgot Admin Password - Related Discussions forum. up back