Breaking into the AD from DS Restore Mode

Tags: Security, Windows Server 2003, Server Hardening

Have you ever lost access to all the domain admin accounts for a domain?

We did last week. The documented password for the Administrator user got changed - no one knew the new password, and we hadn't gotten around to creating extra accounts yet. Ugh. 2 days' work down the drain ... but no!

It turns out you can break into the Active Directory domain administrator account if:

  • You know any domain administrator username;
  • You know the DS Restore mode password for a DC.

Here's the trick: local policy changes made to a domain controller while it is in DS Restore Mode remain in effect once it boots back into normal operation. So the procedure you need to follow is:

  • Boot a domain controller to DS Restore Mode;
  • Log on as Administrator with your DS Restore Mode password;
  • Run GPEdit.MSC (the local Group Policy Editor);
  • Create a computer startup script:
    • Command: %systemroot%\system32\net.exe
    • Parameters: user {Administrator-User} /Domain {NewPassword}
  • Reboot the DC to normal mode;
  • Log on as the domain administrator with your new password;
  • Replicate to other DCs and check the new password has replicated;
  • Boot the domain controller to DS Restore Mode;
  • Log on as Administrator with your DS Restore Mode password;
  • Run GPEdit.MSC;
  • Remove the computer startup script you created earlier;
  • Reboot the DC to normal mode.
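As an added example (not from the original post), here is a PowerShell audit a defender can run on a domain controller to spot exactly this kind of change: it parses the local policy's computer startup scripts and flags any that pass a "user" verb to net.exe, and on Server 2008 and later reports the DsrmAdminLogonBehavior registry value that controls where the DSRM account may log on. The scripts.ini layout, paths and registry value are standard Windows locations; the function name is my own.

```powershell
# Added audit example, not from the original post. Run elevated on a DC.
# Local GPO computer startup scripts live under Machine\Scripts in
# scripts.ini (batch/exe) and psscripts.ini (PowerShell); entries look like
# "0CmdLine=..." / "0Parameters=..." in a [Startup] section.
$gpoMachine = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Scripts'
$iniFiles   = @('scripts.ini', 'psscripts.ini') | ForEach-Object { Join-Path $gpoMachine $_ }

function Get-LocalStartupScripts {
    # Parse the [Startup] section of each ini file into CmdLine/Parameters pairs.
    $results = @()
    foreach ($ini in $iniFiles) {
        if (-not (Test-Path $ini)) { continue }
        $section = ''
        $entries = @{}
        foreach ($line in Get-Content $ini -ErrorAction SilentlyContinue) {
            if ($line -match '^\[(.+)\]') { $section = $Matches[1]; continue }
            if ($section -ne 'Startup') { continue }
            if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
                $idx = $Matches[1]
                if (-not $entries.ContainsKey($idx)) { $entries[$idx] = @{ CmdLine = ''; Parameters = '' } }
                $entries[$idx][$Matches[2]] = $Matches[3]
            }
        }
        foreach ($idx in $entries.Keys) {
            $results += [pscustomobject]@{
                File = $ini; Index = [int]$idx
                CmdLine = $entries[$idx].CmdLine; Parameters = $entries[$idx].Parameters
            }
        }
    }
    return $results
}

$scripts = Get-LocalStartupScripts
if (-not $scripts) { Write-Output 'No computer startup scripts in local policy.' }
foreach ($s in $scripts) {
    # A startup script that runs net.exe (or net1.exe) with the "user" verb is
    # exactly the pattern described above and deserves immediate review.
    $suspect = ($s.CmdLine -match '(^|\\)net1?(\.exe)?$') -and ($s.Parameters -match '^\s*user\b')
    $flag = if ($suspect) { 'SUSPECT' } else { 'info' }
    Write-Output ('[{0}] {1} {2}  ({3})' -f $flag, $s.CmdLine, $s.Parameters, $s.File)
}

# DsrmAdminLogonBehavior (Server 2008+): 0/absent = DSRM account usable only in
# DSRM (default), 1 = also while AD DS is stopped, 2 = always. Anything but 0
# widens the exposure of the DSRM password.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$behavior = if ($null -ne $lsa.DsrmAdminLogonBehavior) { $lsa.DsrmAdminLogonBehavior } else { 0 }
Write-Output ('DsrmAdminLogonBehavior = {0}' -f $behavior)
```

Pair this with change control on the DSRM password itself (ntdsutil's "set dsrm password") so that a DC whose DSRM credentials are widely known is treated as a finding, not a convenience.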

Phew! All done.

And this is another great time to remind you that if you haven't got physical security, you don't have any security!
