This Blog is a supplement to my website. Please also visit: www.DavidCocke.com

Saturday, December 3, 2011

Lock Out

I want to tell a story of a customer that called me yesterday. I'm sharing this story in hopes that these steps can be of help to someone else in the future. Their Active Directory domain administrator password was changed somehow and there was no way to log in to the primary server (Domain Controller). This customer is in another state, and I mention this only to point out that my only access to them was remote, across the Internet.

Since I had previously done work for them on their Web Server, I at least had a way to remote into that server, but since the domain admin credentials were not working I had to authenticate using the Web Server's local admin credentials. Once connected I used VNC to get to the primary server's console, and we tried various password combinations but could not log in as Administrator.

I found a free tool called ADManager Plus, and once installed on their Web Server I was able to query Active Directory and get a list of User Names and could at least see the last time those Users had authenticated.  I knew from my previous work that some of the accounts that existed were disabled, but this tool did not show which ones were active versus disabled. 

ADManager Plus can be found here:
http://www.manageengine.com/products/free-windows-active-directory-tools/download.html

Since we could see at least one account in the list that I recognized as being used by their primary application vendor, and knowing that account likely already had Admin privileges, my hope was to log in with that account and then reset the Administrator password. The application vendor was very helpful and gave me several password combinations to try, but unfortunately none of them worked.

The customer also contacted a local IT Vendor and once on site, they tried a procedure similar to the one found here:

HOW TO: Reset your Lost 2003 Active Directory Admin Password
http://www.geeksaresexy.net/2009/03/12/how-to-reset-your-lost-2003-active-directory-admin-password/

The above steps basically have you wrap a password reset tool into a service so that it attempts to change the password as the server is booting up. Unfortunately this didn't work either. It has worked for many others, which is why I still wanted to reference it as an option.

After some research, I thought perhaps I could use the Net.exe commands in Windows to reset the password, but in order to try I would need some way to get to the primary server's command prompt.

So I downloaded PSEXEC to their Web Server. PSEXEC is a utility now owned and maintained by Microsoft that allows you to execute commands remotely on another machine on the network.

Download PSEXEC here:

So let's say the Primary Server's name in this example is ALPHA.  I issued the following command from the Web Server's command prompt:

psexec \\ALPHA cmd

This allowed me to run cmd.exe (the command console) on the ALPHA server, and now I could issue commands on the Primary Server. This is also the step in which we were very lucky (or Blessed). Typically, in order for PSEXEC to do its magic it has to authenticate to the remote machine. How is it I was able to issue this command when the Administrator account was inaccessible? I can only assume that this server had previously authenticated before the Administrator password was changed and thus still had a valid security token. I can't help but wonder whether this step would have been possible at all if we had rebooted this Web Server before then.

I tried using the Net.exe commands on the Primary Server but then realized that, for some reason, Net.exe didn't exist on this server. I'm not sure why, since this is Server 2003 and it should have been there. After further reading, the Net.exe commands might not have worked anyway since this is a Domain Controller. I still wanted to mention this, as it could prove useful to someone in another scenario.

In the example below, the username whose password we are trying to reset is sunrise and the new password we want is Password2. The /domain switch indicates that we want to change it for the domain user called sunrise, as opposed to a local user called sunrise.

net user sunrise Password2 /domain

More information about How to Use the Net User Command can be found here:  http://support.microsoft.com/kb/251394

I then came across some Active Directory commands such as:

dsquery - Query Active Directory
dsadd - Add Users
dsmod - Modify Users

Please see How To Use the Directory Service Command-Line Tools to Manage Active Directory Objects in Windows Server 2003 here:
http://support.microsoft.com/kb/322684

I also found this site which gives some great examples on using these commands:
http://www.sadikhov.com/forum/index.php?/topic/84286-examples-for-dsadd-dsquery-dsget-dsmove-dsmod-dsrm/
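The GUI tool mentioned earlier could not show which accounts were disabled, but dsquery can, and it can also look up the distinguished name that dsmod expects instead of having to type it by hand. The following PowerShell script is an added example, not code from the original post. It assumes the post's example domain acme.local (adjust $domainRoot), that dsquery.exe is on the PATH (a Server 2003 domain controller, or a later server with the AD DS command-line tools installed), Windows PowerShell 3.0 or later, and a session that can read the directory.

```powershell
# Added example, not from the original post: list every domain user with its
# disabled / no-recent-logon / stale-password state using dsquery, and resolve
# a sAMAccountName to the distinguished name that dsmod takes as its argument.
# Assumptions: the post's example domain acme.local; dsquery.exe on the PATH;
# Windows PowerShell 3.0 or later; a session that can read the directory.

$domainRoot    = 'DC=acme,DC=local'   # assumption: the post's example domain
$inactiveWeeks = 4                    # flag accounts with no logon in this many weeks
$stalePwdDays  = 90                   # flag accounts whose password is older than this

# Run "dsquery user" against the domain root and return sAMAccountNames.
# -limit 0 lifts the default cap of 100 results; $Filter adds switches
# such as -disabled, -inactive <weeks> or -stalepwd <days>.
function Get-UserNames {
    param([string[]]$Filter = @())
    & dsquery user $domainRoot -o samid -limit 0 @Filter |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }
}

# Look up the DN of one account; dsquery prints it quoted, so strip the quotes.
function Resolve-UserDN {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = & dsquery user $domainRoot -samid $SamAccountName -o dn
    if (-not $dn) { throw "No user with sAMAccountName '$SamAccountName' under $domainRoot" }
    ($dn | Select-Object -First 1).Trim().Trim('"')
}

$all      = Get-UserNames
$disabled = Get-UserNames -Filter @('-disabled')
$inactive = Get-UserNames -Filter @('-inactive', "$inactiveWeeks")
$stale    = Get-UserNames -Filter @('-stalepwd', "$stalePwdDays")

# One row per account; -contains against an empty result simply yields $false.
$report = foreach ($name in $all) {
    [pscustomobject]@{
        SamAccountName = $name
        Disabled       = $disabled -contains $name
        NoRecentLogon  = $inactive -contains $name
        StalePassword  = $stale    -contains $name
    }
}

$report | Sort-Object Disabled, SamAccountName | Format-Table -AutoSize

# The DN the post used in its dsmod command, looked up rather than typed.
Resolve-UserDN -SamAccountName 'sunrise'
```

The report makes it obvious which of the listed accounts are still enabled before you pick one to recover through, and Resolve-UserDN returns a string such as CN=sunrise,CN=Users,DC=acme,DC=local that can be passed straight to dsmod user.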

In the end, we had success when I issued the following command:

dsmod user "CN=sunrise,CN=Users,DC=acme,DC=local" -pwd Password2

In the above example:
The username we wanted to change the password for is: sunrise
The Domain Name is: acme.local
The container that holds the username sunrise is: Users
The new password we want is: Password2

Once the sunrise password was changed, I logged into the Primary Server and then was able to change the Administrator password.

So to recap the successful steps:

Open a Remote Console on the Domain Controller
psexec \\ALPHA cmd 

Change the password of an account that already has Administrator Privileges
dsmod user "CN=sunrise,CN=Users,DC=acme,DC=local" -pwd Password2
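After a recovery like this one, it is worth confirming on the Domain Controller that the only password resets in the window are the ones you made, that the PsExec service installation is yours, and where the earlier, unexplained change to the Administrator password came from. The following PowerShell script is an added example, not from the original post. It assumes Windows Server 2008 or later event IDs (4724, an attempt was made to reset an account's password, and 4738, a user account was changed, in the Security log; 7045, a service was installed, in the System log; Server 2003 used a different, three-digit numbering for its Security events), the post's server name ALPHA, and an elevated session with rights to read the remote Security log.

```powershell
# Added example, not from the original post: review a domain controller's logs
# for password resets / account changes and for PsExec service installs after
# a lockout recovery, so the expected reset can be confirmed and any earlier,
# unexpected one can be identified.
# Assumptions: Server 2008+ event IDs (4724 and 4738 in Security, 7045 in
# System); the post's DC name ALPHA; rights to read the DC's Security log.

param(
    [string]$DomainController = 'ALPHA',   # assumption: the post's server name
    [int]$LookbackDays = 7
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Read a named <Data> field from the event XML; this is more robust than
# relying on the positional order of $event.Properties.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Who reset or changed which account, and from which logon session.
function Get-PasswordResetEvents {
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4724, 4738; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Target  = Get-EventField $_ 'TargetUserName'
            ByUser  = Get-EventField $_ 'SubjectUserName'
            LogonId = Get-EventField $_ 'SubjectLogonId'
        }
    }
}

# PsExec installs a service named PSEXESVC on the target; each install is a 7045.
function Get-PsExecServiceEvents {
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object {
        (Get-EventField $_ 'ServiceName') -like 'PSEXESVC*'
    } | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = Get-EventField $_ 'ServiceName'
            ImagePath   = Get-EventField $_ 'ImagePath'
        }
    }
}

"Password resets / account changes on $DomainController since $since"
Get-PasswordResetEvents | Sort-Object Time | Format-Table -AutoSize

"PsExec service installs on $DomainController since $since"
Get-PsExecServiceEvents | Sort-Object Time | Format-Table -AutoSize
```

A 4724 whose ByUser is not you, or a 7045 for PSEXESVC at a time you were not connected, is the place to start looking for how the Administrator password was changed in the first place. Note also that the temporary password given to the vendor account was typed in clear text on the command line, so it should be changed again once the Administrator account is back under control.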
