Tech Line

Lost Domain Admin Password Panic

Here's what to do when your Windows 2003 domain password has been lost.

Chris: I'm in a jam. I took over a contract with a new office and cannot log in to their domain controller. I contacted the previous contractor and the password he gave me doesn't work. I can boot into Directory Services Restore Mode, but cannot log in to the domain. Is there anything that I can do to reset the domain administrator password?
--Kyle

Good question, Kyle. You do have a few choices here. Since you can get to Directory Services Restore Mode, resetting the domain administrator password can be accomplished in a few minutes. If you need to reset the Directory Services Restore Mode Password, you can do this using the Offline NT Password & Registry Editor Bootdisk/CD. The Offline NT Password & Registry Editor is a nice tool for resetting local account passwords, and since it's free, it works for my budget.

On a domain controller, you can access Directory Services Restore Mode by pressing F5 when the system starts to boot and then selecting Directory Services Restore Mode from the Windows Advanced Options Menu.

Once you're logged in to Directory Services Restore Mode, you're ready to set up the password reset. My preferred method is to use the Windows Resource Kit tool AutoExNT. AutoExNT allows you to configure a batch script to run when the system starts, so it's an easy way to use a script to change the domain administrator password.

To use this method to reset the domain administrator password, you'll first need to download the Windows Server 2003 Resource Kit Tools. You can install the tools on any Windows XP or Windows 2003 system. Once the tools are installed, navigate to the Resource Kit Tools installation folder (default location = C:\Program Files\Windows Resource Kits\Tools). From the Tools folder, you'll need these three files: Autoexnt.exe, Servmess.dll, and Instexnt.exe. All three files should be copied to the %systemroot%\system32 folder (default = C:\Windows\system32) on the domain controller.

With these files in place you now need to create a batch file to be used by the service. To do this, run the command:

notepad %systemroot%\system32\Autoexnt.bat

When prompted to create the file, click Yes. Now in Notepad, enter:

net user administrator P@ssw0rd /domain

In my example, I set the password to P@ssw0rd. Of course, you can set this to whatever you like. Once you have this line in the batch file, save the file and close Notepad.

You're now ready to install the AutoExNT service. To do this, go to the command prompt and run the command instexnt install. When the command completes, you should see the message "CreateService AutoExNT SUCCESS with InterActive Flag turned OFF." By default, the service will be set to Automatic, so you're ready to go.

Now you can just reboot the domain controller. When it reboots, the password will be set to the password that you specified in the batch file. Log in as administrator with the new password and you're all set. Of course, you're not going to want the AutoExNT service to run anymore at bootup, so you'll need to uninstall the service. To do this, go to the command prompt and run the command instexnt remove. You should now see the message "DeleteService SUCCESS" and you're all done.
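A cleanup check for the end of this procedure, as an added example that is not part of the original column: Autoexnt.bat holds the new password in clear text, and the script below reports whether it, the AutoExNT service, or the three copied Resource Kit files are still on the domain controller. Treating the copied files as leftovers is an assumption of this example; the service name, file names and folder come from the steps above.

```batch
@echo off
rem Added example, not from the original column: post-reset cleanup check.
rem Run on the domain controller after "instexnt remove".
setlocal
set "SYS32=%systemroot%\system32"
set LEFTOVER=0

rem 1. The AutoExNT service should no longer be registered.
rem    "sc query" returns 0 only when the service exists.
sc query AutoExNT >nul 2>&1
if not errorlevel 1 (
    echo [!] AutoExNT service is still installed. Run: instexnt remove
    set LEFTOVER=1
)

rem 2. Autoexnt.bat contains the new administrator password in clear text.
if exist "%SYS32%\Autoexnt.bat" (
    echo [!] %SYS32%\Autoexnt.bat still exists. Delete it.
    set LEFTOVER=1
)

rem 3. The three Resource Kit files copied in for the reset.
for %%F in (Autoexnt.exe Servmess.dll Instexnt.exe) do (
    if exist "%SYS32%\%%F" (
        echo [!] %SYS32%\%%F is still present.
        set LEFTOVER=1
    )
)

if "%LEFTOVER%"=="0" echo [ok] No AutoExNT artifacts found.

rem Exit code 1 means something from the procedure is still on the system.
endlocal & exit /b %LEFTOVER%
```

Because the password sat in a readable file in system32 across a reboot, changing it again after the first successful logon keeps the final value out of that file entirely.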

With this tool in your bag of tricks, try not to give away how easy the password reset really is. I prefer to build the drama like any good episode of House. "I can't promise anything, but I'll do the best I can to save her. I need to be alone for this, so please wait outside." After resetting the password, you triumphantly leave the server room to the applause of your peers. Oh wait. I never actually did that. It was only one of my pathetic dreams. I know...pretty sad!

About the Author

Chris Wolf is a Microsoft MVP for Windows - Virtual Machine and is an MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).

Reader Comments:

Mon, Jan 11, 2010 coco

http://www.recoverwindowspassword.com

Fri, Nov 20, 2009 kevin88

Last month, I lost my Windows administrator password. Eventually, I solved my problem with the help of Windows Password Key. It works perfectly to reset any local user account to a blank password. Just an easy to use bootable CD/DVD. It can also be used on a USB Flash Drive. You can download it from: http://www.lostwindowspassword.com/.

Mon, Jul 28, 2008 Anonymous Anonymous

Good

Mon, Dec 24, 2007 Ted PA

This is a good tip. I have a customer who had a disgruntled IT guy (you mean there are those, lol) and he changed the domain admin password and directory restore pwd. I will give it a whirl and let you know how it works. Thanks for the tip.

Thu, Mar 29, 2007 Ghazala Anonymous

instexnt install command cannot be run

Fri, Jun 23, 2006 vied alsaka

Can I use this procedure to recover Win 2003 member servers using Recovery Console, as there will be no Directory Services Restore Mode on member servers?
Thanks.

Wed, Jun 21, 2006 Anonymous Anonymous

Great tip...just goes to show that physical security is where it all starts!!!

Some high flying consultants should remember that!!!

Wed, Jun 21, 2006 AndreK South Africa

True, this could save your bacon someday. It is even more significant as a warning on the importance of maintaining physical domain controller security.

Essentially, if someone can get to a DC and boot it up from a floppy/CD/memory stick, you are toast – they could not only steal your entire domain database to hack into at their leisure, they could also change the password of any user they felt like, and you would never know who did it ... DCs need to be kept under lock and key, with boot from any device other than the HDD disabled in a PW-protected BIOS (PW known only to a trusted domain admin FWIW, same goes for the Directory Service Restore Mode pw). This also impacts your DC deployment plans – give serious consideration as to whether you should put lots of domain controllers into remote locations where you are not able to guarantee their physical integrity. Maybe rather consolidate your DCs to a few centralized locations where they can be adequately secured. If your users end up logging on across a WAN link, it seldom generates a significant amount of traffic. Even if the WAN goes down, you could always use cached mode to allow logon. Where you do deploy DCs, they should be kept in a locked cabinet that is not accessible to everyone who goes into your server room.

Tue, Jun 20, 2006 Anonymous Anonymous

"So much for Windows Security. In my opinion, as much of a lifesaver this may be, this workaround completely defeats the purpose of Windows Security. I think a company that is careless enough to lose the domain admin password deserves an AD reinstall."

Idiot - any system can be defeated with physical access. Glad you are perfect.

Tue, Jun 20, 2006 Anonymous Anonymous

Great Tip!

Could the same utility be used to enable the admin account if it's been disabled?

Tue, Jun 20, 2006 PdP Anonymous

This just points out in graphic detail that physical security trumps all other forms of security regardless of the OS - Windows, Linux, Novell etc.

Tue, Jun 20, 2006 Anonymous Anonymous

who in their right mind would leave their servers unlocked, out in the open, and accessible to anyone that walked by? this isn't a bypass of windows security ... and just so you realize how dumb of a statement that is, you can do the exact same thing with any distro of linux and probably even unix too. also, you'll note that in this scenario he never had the password..

Tue, Jun 20, 2006 Anonymous Anonymous

So much for Windows Security. In my opinion, as much of a lifesaver this may be, this workaround completely defeats the purpose of Windows Security. I think a company that is careless enough to lose the domain admin password deserves an AD reinstall.
