Question : Lost admin password

The title says it all. I need to get this password back soon! All of my remaining points. Please help!

Answer : Lost admin password

Here's my standard way of answering these questions. It's faster than L0phtCrack; it doesn't rely on "seeing" the system partition, so it won't care if you use FAT. The only problems are that it takes 30-45 minutes and you need physical access to the server (still faster than L0phtCrack):

**********************************************************
One of the NT administrator's worst nightmares is a lost domain
administrator password. There is a widespread myth that it is
impossible to recover from this situation. Actually, it is not that
hard to recover from. You just have to install NT in a different
directory to gain access to the system. You can remove it later and
delete it from the boot.ini, but an emergency boot directory comes in
handy and I usually leave it there.

This process was tested on an NT 4.0 primary domain controller.

Shut the primary domain controller down and load the NT install disks.
If you cannot shut it down gracefully, unplug the network cable and
wait a few minutes before hitting the reset button, and make sure to
chkdsk /f the disks when you are done.

Boot from the NT installation disks. Perform a new install in a
different directory on the system drive. For example, if the existing
system is called C:\WINNT, install in C:\WINEMRG. Boot the system from
C:\WINEMRG. You now have access to your system disk. If necessary, use
an NT boot floppy to start up from C:\WINEMRG.

Copy SRVANY.EXE from the resource kit to C:\TEMP.

Run REGEDT32.EXE. Bring up the HKEY_LOCAL_MACHINE on Local Machine
window and highlight the root (HKEY_LOCAL_MACHINE). Choose Registry/
Load Hive. In the File Name box, enter (the ending period is required):
C:\WINNT\SYSTEM32\CONFIG\SYSTEM.
and click Open. At the Key Name prompt enter DomainSystem and click OK.
Now write down the value of the key:
HKEY_LOCAL_MACHINE\DomainSystem\ControlSet001\Services\Spooler\ImagePath
On my machine it was:
%SystemRoot%\system32\spoolss.exe

Change this key to C:\TEMP\SRVANY.EXE

Go to the key:
HKEY_LOCAL_MACHINE\DomainSystem\ControlSet001\Services\Spooler\Parameters
Create two values in the Parameters folder.

Name: Application
Type: REG_SZ
Value: C:\WINNT\SYSTEM32\NET.EXE

Name: AppParameters
Type: REG_SZ
Value: user Administrator newsecret

where "newsecret" is the domain administrator password you want to set.
You can choose any password.

Now shut the system down and reboot the domain controller. Wait a
minute after the CTRL-ALT-DEL prompt comes up, then log on as domain
administrator with the new password you set above.

Go into REGEDT32.EXE to undo your changes. Remove the values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters\Application
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters\AppParameters

Change the value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath
back to the original you wrote down above. Stop and start the spooler
service to re-enable your printers.

How this process works
======================

By reinstalling in a different directory, you gain access to your files
without destroying your domain controller. The Load Hive command allows you
to load a file into the registry and edit it. We use SRVANY to execute a
"net user" command to change the password when the system starts up. The
LocalSystem account, under which the spooler and most other services run,
has the power to change a password on the local machine. As far as a domain
controller is concerned, domain accounts are local.

********************************************************

Good Luck
Random Solutions  
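A defender-side check for the Spooler modification the answer above describes, added here as an example and not part of the original post: it parses a REGEDIT4 export of the Spooler service key and flags an ImagePath that no longer points at spoolss.exe, or SRVANY-style Application/AppParameters values under Parameters. The export text is constructed, and the expected ImagePath is assumed to be the one the answer reports.

```python
import re

# Constructed REGEDIT4 exports (not real captures): one reflecting the
# SRVANY edit described in the answer, one as the spooler normally looks.
TAMPERED_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\TEMP\\SRVANY.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters]
"Application"="C:\\WINNT\\SYSTEM32\\NET.EXE"
"AppParameters"="user Administrator newsecret"
"""

CLEAN_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolss.exe"
"""

def parse_reg_export(text):
    """Parse REGEDIT4 text into {key_path: {value_name: data}} (REG_SZ only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape each backslash as "\\"; undo that.
            keys[current][m.group(1).lower()] = m.group(2).replace('\\\\', '\\')
    return keys

def audit_spooler(text, expected_image='%systemroot%\\system32\\spoolss.exe'):
    """Return a list of findings; an empty list means the key looks untouched."""
    keys = parse_reg_export(text)
    svc = r'hkey_local_machine\system\currentcontrolset\services\spooler'
    findings = []
    image = keys.get(svc, {}).get('imagepath', '')
    if image.lower() != expected_image:  # expected value is an assumption
        findings.append(f'ImagePath changed: {image!r}')
    if 'srvany' in image.lower():
        findings.append('ImagePath points at SRVANY (service wrapper)')
    params = keys.get(svc + r'\parameters', {})
    for name in ('application', 'appparameters'):
        if name in params:
            findings.append(f'SRVANY parameter {name}={params[name]!r}')
    return findings
```

The same check applies to any service's ImagePath, since the wrapper technique is not specific to the spooler.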