Unlocking Windows NT/2000/2003 Domain Controllers

Note: If you are trying to fix a server, please READ THIS ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.

I was recently tasked with "unlocking" a Windows 2000 server, where all of the following had happened:

• The Administrator password had been changed.
• The owners didn't think that writing the Administrator password on a sticky-note on the wall next to the machine was a problem, even when the machine and the sticky-note were in a recess in a hallway, next to the door into the visitors' restrooms, where everybody who walked by could see them.
• The owners didn't think that using that same password for PC-Anywhere on every machine in the office was a problem.
• The owners didn't think that leaving the office manager's PC turned on, connected to a modem, with PC-Anywhere set to auto-answer, 24 hours a day, was a problem.
• The owners didn't think that using their telephone number as that password was a problem.
• The owners didn't think ...
• The owners didn't think ...
• The owners didn't think ...

Grrrr... do I sound just a little bit repetitive here?

It's not that people never learn, but they never even try.

I'll skip most of the war story and just give the basics.

2009-05-24 I've just received a flood of questions (three in one day, plus another one about a week ago) from home users. I guess I didn't make this obvious enough before, maybe putting it in a big ugly red box will help people understand it.

Hopefully that will be clear enough to stop the flood of email from:

• People who can't call AOL support at the same time their computer is dialed into "the AOL web". (Seriously, their message said "the AOL web".) Hint: Call AOL's support line. Once they've verified that you're the account owner, they can easily reset your AOL password. Because it sounds like THAT'S the password you seem to have forgotten, and your computer itself doesn't have one.

• Mothers whose children have changed and then forgotten the password for the ONE account on the machine. This is why computers should have multiple accounts, and children should never have the password for an account with Administrator rights (unless the machine is dedicated for their own use.)

  Now if only people with shared-use machines would take the time to SET UP individual accounts for their kids- accounts without Administrator rights- and then set passwords for each account, including the default "Owner" account (which has Administrator rights, and therefore should NOT be available to the kids.) Yes, this means the kids won't be able to install some kinds of software- but (1) those are usually the kinds of software you don't WANT them to install in the first place, and (2) if you have to install something for them, at least you'll be more aware of what the kids are doing to your machine.

• People who want to read their husband's email because they think he's cheating on them. Hint 1: If you're willing to break into his computer rather than talking to him about your concerns, then even if he's not cheating, the trust is gone and your relationship needs work anyway. Hint 2: If you don't trust your spouse, why are you married to them in the first place? Sounds like it might be time for some soul-searching, followed by a nice long talk with the person who SHOULD be your best friend in the world.

  I never thought I'd be giving relationship advice on a web page...

Petter Nordahl-Hagen has written a Windows NT/2000 offline password editor. I have been using various versions of this disk for several years and have had very good results with it. Thank you, Petter!

However, the program only resets the password for the MACHINE Administrator account, not the DOMAIN Administrator account. And wouldn't you know it, on a Windows 2000 server which is an Active Directory controller, you CANNOT log into any machine-level account. Which means that resetting the MACHINE Administrator password is pretty much useless.

Or so it would seem. It turns out that "Directory Service Recovery Mode" uses the MACHINE-level accounts, since the whole point of this mode is that the AD control databases may be corrupted and you need a way to manually edit them (presumably using some high-priced third-party software package...)

I was able to reset the password on the DOMAIN Administrator account using the following procedure:

Again: If you are trying to fix a server, please READ THIS ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.

NOTE: If you are following these directions to try and "break into" a corporate domain which has one or more working Active Directory controllers, but YOU don't have Administrator access to the domain, you're wasting your time. The procedure detailed below will only work if you have physical access to a domain controller. It will also forcibly reset the AD Administrator password, which means that if you are somehow able to do this to a domain controller, the existing Administrator password will no longer work and the rightful administrators will know something is going on... and if they trace it back to you and fire you, or even better put you in jail, then you have gotten what you deserve.

• Use Petter's disk to reset the MACHINE Administrator password to "no password".

NOTE: If you are following these directions to work on a machine which is not a domain controller, STOP RIGHT HERE. You now have access to the machine by rebooting and logging in as the machine's Administrator account (with no password.) Everything below this message is specific to domain controllers.

NOTE: If you are following these directions to work on a machine which is running Windows XP, STOP RIGHT HERE. The machine IS NOT A DOMAIN CONTROLLER. Go back and re-read the note right above this one.

NOTE: If you are following these directions to work on a machine which is running Windows 2003, STOP RIGHT HERE and follow these directions instead.

• Reboot, hit F8, and enter "Directory Service Recovery Mode". The machine will boot up as a standalone server without any Active Directory support.

• When the login screen appears, hit CTRL-ALT-DEL and log in as "Administrator" with no password. This is the MACHINE Administrator account, and does not have the ability to modify anything specific involving the Active Directory information, although it can backup and restore the physical files which contain the AD databases.

• Run "regedit". Navigate to HKEY_USERS\.Default\Control Panel\Desktop and change the following values:

  Value	Original	Change to
  SCRNSAVE.EXE	logon.scr	cmd.exe
  ScreenSaveTimeout	900	15
  ScreenSaveActive	May be 0 or 1	1

• Reboot normally. When the box appears asking you to hit CTRL-ALT-DEL to log in, just wait. After 15-30 seconds you will see a command prompt appear (since that is the screensaver.)

• I have received an email from somebody which simplifies the process... I can't verify this myself (because I don't use Windows) but the method makes sense. Apparently, once you get the command prompt you can type this one command to reset the password:

  C:\WINNT\system32> NET USER ADMINISTRATOR newpassword

  Once you enter this command, you should be able to exit from the command prompt, hit CTRL-ALT-DELETE, and log into the domain Administrator account using the new password. Again, without a Windows server I have no way to verify that this does or does not work, so I would appreciate any feedback from people who have tried this and can tell me that it does or does not work with their particular version of Windows.

• In the command prompt, type the following command:

  C:\WINNT\system32> MMC DSA.MSC

  This should bring up the management console where you can edit users' passwords, including the password for the Administrator account. If you type this command and it doesn't work, wait 30 seconds and try it again. This happened to me, it sounded like it was still in the process of loading drivers into memory in the background...

  If this doesn't work after waiting the 30 seconds... realize that THIS IS A COMMAND PROMPT WITH FULL DOMAIN ADMINISTRATOR RIGHTS, and you're running a command ("MMC.EXE") with another filename ("DSA.MSC") as an argument. If it "just plain doesn't work", maybe you need to locate these two files and type them in as full path names. Maybe something like "C:\WINNT\SYSTEM32\MMC.EXE C:\WINNT\SYSTEM32\DSA.MSC".

  If you know absolutely nothing about how to use a command line, then reboot into DSR Mode, log in as Administrator, and use the graphical "Find Files" thingy to find the files, and write down their locations. Then try it again (reboot and wait for the command line, etc.)

  A website visitor named "Joe Schmoe" emailed me to let me know that if somebody is absolutely, totally lost at this point, they should be able to type the word EXPLORER and hit ENTER, to get a full deskop with Administrator rights. From there, they should be able to find the right program on the start menu- usually Start, Programs, Administrative Tools, Active Directory Users and Computers. Thanks, Joe!

• After resetting the Administrator password, exit the management console and type the command EXIT in the command prompt window.

• Hit CTRL-ALT-DEL and log into the DOMAIN Administrator account using the new password.

• Don't forget to undo the changes you made to the registry, or you will always have a command prompt with Domain Administrator rights appear whenever somebody logs out.

I received seven emails about this page during the first week it was up. One was from Petter Nordahl-Hagen (who wrote the recovery disc) and one was from Daniel Petri, who runs his own knowledgebase of NT/2000-related information (Daniel- nice layout, I will definitely be using your site the next time I have an NT-related client issue.) Both had nice things to say about this page, and wanted permission to link to it. Of course I said "thank you and yes" to both of them.

The other five emails were all from AOL or Juno accounts. Three were because the "MMC DSA.MSC" command didn't work for them and they were totally lost, one couldn't figure out how to work the registry editor, and one wanted me to write a program for him (for free) to automate the whole process, because these directions are "too damn confusing".

None of these messages were answered. The extra paragraph above, and this entire section at the end of the page, are my answer to all of these people (and to anybody else with similar questions.) If you send a question and it falls into the "brain-dead" category, you will not be answered either.

Please understand that I AM NOT A WINDOWS NT/2000 EXPERT. My environment of choice for servers is Linux, and for the desktop is Mac OS X. This was an isolated incident for me, I don't fix NT/2000 issues every day (although I could if I had to, I have found that in many cases I know more about NT/2000 than many people with the magic "MCSE" certificate.)

I cannot and will not answer people's emails about this page if the question shows that you're lost without a mouse, ESPECIALLY if your email address ends with "@aol.com", "@juno.com", "@hotmail.com", "@msn.com", "@yahoo.com", or any of the other free lamer email account providers out there.

If you use a PC and you don't even know how to work a command prompt, find somebody who does, and have them follow the directions on this page. If that's not an option because a client is watching, then let's be honest: You are over your head, and your client would be better served by hiring a real computer professional (or maybe your client would be able to understand and follow these directions, and they don't need you.)

My feeling about this subject is the same as my feeling about all of the little high school kids and trailer-park moms out there who get a copy of FrontPage and call themselves a "web design company"- you're taking business away from the real web designers and the real system and network administrators out there. Real computer professionals have enough brains not to marry themselves to Microsoft (or ANY one platform.)

Or to make it simpler...

If you don't understand the directions on this page, you have no business working on the machine.

If this sounds a little crass... it's meant to. I have spent the last ten years doing tech support, system administration, and network administration, dealing with computer users who had no business owning a computer, and I'm burned out on it. I've dealt with everything from people who literally thought their CD-ROM drive was a holder for a coffee cup (yes, they really exist, if you're curious you can find them in Lake County, Florida, USA) to one guy who runs a gift shop in a tourist resort, who knows nothing about how to configure his own e-mail program, but had the nerve to try and lecture me on "internet standards" and how the software on my mail servers was wrong.

If you don't like my comments, write your own web page without them and YOU answer brain-dead questions from AOL users all day long. I have better things to do with my life.

The standard exception applies- if you are willing to pay my hourly rate, I will be more than happy to fix your server, or hold your hand and teach you how to work your computer, or whatever else (computer-related) you may need or want done. If so, I am located in Orlando, Florida, USA, and can be reached at the email address below.

Another point... DON'T TRUST THESE DIRECTIONS. You don't know me, and for all you know these directions may break your system. Read them, and make sure you understand them before you ever touch the "broken" machine. If you break your machine (or a client's machine), that's YOUR problem- NOT MINE. If you don't agree with this policy, then don't use these directions.

Other Notes

The previous version of this page had a collection of random ranting and raving about the level of stupidity which seems to manifest itself in the world, especially amongst AOL and hotmail users who read this page. I've removed most of it (it sounded really repetitive anyway) but have left the following information.

• My name is JOHN, not JIM. If you're going to email me, at least get my name right.

• 2003-04-13: Today I received an email from a HOTMAIL address which had NOTHING to do with the information on this page (which normally means they get ignored) but offered to pay me "if they could afford it" (which earns them an honorable mention here.)

  From this person's email it sounds like they're trying to break into somebody else's machine (a spouse, child, co-worker, whatever), look through the files, and get out... without the machine's owner knowing.

  The whole purpose of Petter's disk is to RESET PASSWORDS. If this person were to use Petter's disk on this machine, the owner would know that something was going on when all of the sudden their password didn't work any more...

  Petter's disk is not a "spy tool", and a "non-techie like [your]self" is probably not going to be able to do this on your own. You should find a real computer professional, and THEY will have several options:

  • Knoppix is a version of Linux which boots from the CD-ROM drive and runs from a RAM disk, without being "installed" on the machine at all. It includes almost 2GB of software on the CD, and gives you the ability to look at existing partitions in READ-ONLY mode (i.e. you won't accidentally destroy something unless you manually mount something READ-WRITE, and you have to know ahead of time how to do that.)

  • Other similar tools exist- the only other one that comes immediately to mind is Forensic and Incident Recovery Enivronment (FIRE), which is geared more for security investigators and "hardcore geeks".

  • Remove the machine's hard drive, mount it as a secondary drive in another machine with the same operating system, and read what you want that way. Note that if that operating system is made by Microsoft, it will leave markers that the drive was mounted elsewhere, and it may even make the drive un-bootable.

• The infamous "letter to Microsoft".

  Dear Microsoft,

  I know you mean well with your ideas about the "system recovery disk", and while it's not a BAD idea, it's not implemented correctly.

  Please remember that many of your users have almost no computer knowledge, and don't know the first thing about security. Most users don't even THINK about a "system recovery disk" until AFTER they need it.

  For example, they come into the office one Monday morning and find that somebody has hacked into their server through an open PCAnywhere connection on the boss's secretary's PC, which has domain admin rights because that's easier than the boss having to call the IT people when he forgets his password three times a week. Not only did they change the domain administrator password, but they disabled a bunch of services, modified the web site to say "J3R 53CUR1TY 5UX, 700-L337 H4X0RZ 0WNZ J00", and deleted a bunch of files at random.

  So my suggestion is that you implement one, or both, of the following two options:

  1. Make the Windows SETUP procedure FORCE the user to create the "system recovery disk". Showing one reminder window in the face of a stream of a hundred details just doesn't cut it.

  2. Make it possible for somebody who has physical access to the server to manually reset the domain administrator password, without having to resort to hacking the keys on the AD security repository and brute-force the administrator password (which seems to be the only option left, and while I don't know enough about encryption to write such a program, I'm sure somebody out there does.)

     And then EDUCATE people about the fact that a server shouldn't be physically placed where the wrong people can get to it, and that in this case "the wrong people" doesn't mean just hackers- it means ANYBODY who's not on the IT staff, or who isn't the owner of the company. I'm sure you don't trust your own servers well enough to leave them outside of a physically secured area, why not encourage your users to do the same thing?

  Otherwise you are making it not only possible, but highly probable, that most machine owners are going to be totally LOST when something like this happens to them- and what kind of service is that to your customers?

  Oh, yeah- it's not a service that you can make money off of. Never mind, I forgot who I was dealing with for a minute there...

  Apparently somebody at Microsoft has read this letter, because Windows 2003 was changed to prevent the procedure detailed above from working. Way to be helpful, Microsoft. Here's a clue: decisions like this are why people hate you.

• If you're working on a Windows XP machine, the instructions on this web page will not help you. Don't ask, you WILL be ignored. (Yes, I know the page already says this twice... but some people just don't seem to "get it".

• If you're having a problem with Petter's disk, email Petter. Not me. I didn't write it, and unless you're willing to pay for my time to find and fix whatever problem you may be having, I can't help you with it. You will find his email address on his web site (and while you're there, I suggest reading the directions again and following them, step by step, instead of assuming that you already know how his disc works.)

• Most people who have trouble with these instructions, or with Petter's disk, have trouble because they don't know what they're doing in the first place. The point of this web page is not to make people email me asking for free help with every single problem that Windows throws at them, the point is to tell people who understand how to work a computer about ONE SPECIFIC PROCEDURE which happened to work for me.

• My experience with Microsoft Windows has led me to believe that Microsoft Windows is built on a fundamentally bad design. The Windows NT product was originally designed to act as a file/print server for a small office, NOT to be a web server, an email server, a firewall, or any of the other things people seem to have added into it. Microsoft was NOT thinking of real security when they designed it, and they designed it in such a way that it cannot easily be updated without breaking other things (how many patches have they released which broke other things?)

  Again, this is MY OPINION, based on my own experience over the past ten years. If you don't agree with it, that's fine... you are entitled to your own opinion. I'm not trying to force my views on anybody- if you don't like my "pro-Linux slant", don't ask me to help you for free.

• 2004-02-29 I received an email today from somebody who gave me a link to the page http://www.nobodix.org/seb/win2003_adminpass.html, which contains a walk-through of how to reset the domain administrator password for a Windows 2003 domain controller. I don't have a machine to test it on, but the method seems to make sense and may even work on a Windows 2000 machine, but it requires two extra programs that don't normally come with Windows NT/2000/2003. Congratulations are in order for Sebastien Francois, who figured out the method and wrote the web page.

• 2008-12-18 The server hosting Petter's web site seems to not be working, which obviously makes it a bit difficult to find his CD image.

  I do have a copy of the ISO file, however I'm not really comfortable with distributing somebody else's software, because it gives people the idea that I am somehow connected with it, and even worse (in my eyes) it makes people expect that I'm going to support it. I also don't want to have to deal with the extra bandwidth involved in suddenly providing the file for the world's downloading pleasure.

  What I AM willing to do, is give the details about the file I have, and tell you that I was able to find at least two other servers which appear to have copies of the file, by doing a quick Google search. I'm not saying that this is the most recent version (I haven't looked at Petter's site since September), and you have only my word that these checksums match the file I downloaded from Petter's site several months ago.

  Filename:	cd080802.iso
  Date:	2008-08-02
  Size:	3702784 bytes
  MD5:	91e0c07c1ccc429be3521024a97aab12
  SHA-1:	a1319943b7f770c90f5bdaddf7157fbf79060637
  RIPEMD-160:	fb9e0838794fbc907b5dfd6dd653e1a3604c77cd

  Let me make this very clear- I didn't write it. I don't know Petter personally, and other than the email address he's been using for years (my last email to/from him was in 2003) I have no way to reach him and ask why the server is not working. My only connection with the CD is that I have used it in the past, without any problems, and I've checked his web site every few months to make sure I have an up-to-date copy in my "toolbox" of CDs, in case I needed it for a client.

  If you can't figure out how to use the file on your own, I'm willing to help you for a fee- but first I recommend you find a web page which explains how to use it. Not only will this be less expensive for you, but it will give you some experience which is likely to be helpful in the future.

• 2009-03-11 Just when I thought I had seen it all, I am reminded again that stupid knows no bounds. I kid you not, this is an actual email I received from somebody:

  From: "R** A******" <r**a@**********.***> To: <jms1@spamcop.net> Subject: Well "no password" didn't seem to work Date: Mon, 9 Mar 2009 19:48:22 -0700 I don't want to waste any of your time, but I tried the "no password" and then tried blanking the admin password with Petters software and now it seems to be blank since it won't let me put a different one there. I am wondering if you know of software to insert a new password once it has been blanked?

  Do I know of a piece of software which will insert a new password once it's been blanked? Let me think about that for a few nanoseconds... oh, yeah.

  It's called MICROSOFT WINDOWS.

  Just in case somebody else might eventually ask the same question, here's how it's done:

  • Unlock the password, using Petter's software and/or the screen saver trick detailed above.
  • If you used Petter's software, reboot into Windows.
  • Log into the account whose password you just blanked.
  • Press CTRL- ALT-DEL
  • Click the Change Password button.
  • Leave the "Old password" field blank, and enter the new password in both of the "New password" fields.
  • Click OK.

  I don't know if I was being "punked", or if the guy was really that stupid...

• 2011-06-11 I received an email from Jim Luschen, telling me about a typo (two words repeated) on this page. Thanks for letting me know about it.

Copyright 1995-2024 John M. Simpson KG4ZOW <jms1@jms1.net> (PGP keys)
Last updated 2011-06-11 10:09:23 +0000