«

»

Sep 07 2016

How to reset forgotten Active Directory Domain Administrator password

It happens. Not so often, but it happens when you just can’t remember your domain/enterprise administrator password anymore. This is a big deal since you are the Active Directory God. Just imagine not being able to log in to your domain controllers for a day and you get my point. And since everything nowadays is tight to Active Directory, if something fails, everything fails, so you need to reset your password ASAP. There are a lot of tools out on the internet where you just pop-in a live CD on the domain controller and does the job, more or less, but they cost money, when all you need is just your Windows server media/ISO.

For this to work you will need to have access to the domain controller’s console, virtual (ILO, iDRAC, VM) or physical. Once you have that, mount the Windows server 2012 R2 ISO (if the domain controller is a VM or you are using ILO/iDRAC) on one of your domain controllers and boot from the media. I’m doing this on a 2012 R2 domain controller, but if you are still running 2008 R2 just mount the 2008 R2 ISO and continue along, because it works the same.

Reseting the Domain Admin Password

Once the ISO is loaded, click Next in the first screen of the wizard.

Reseting the Domain Admin Password

In the second screen click the Repair your computer option located in the lower left-hand corner.

Reseting the Domain Admin Password

Click Troubleshoot then Command Prompt.

                Reseting the Domain Admin Password    Reseting the Domain Admin Password

Go to <drive root>:\Windows\System32 then type the bellow command lines. These will backup the utilman.exe file which launches the virtual keyboard and other accessibility tools in the logon screen, then copy the cmd.exe file and renames it to utilman.exe. This way when we click the virtual keyboard from the logon screen it will launch the command prompt.

Reseting the Domain Admin Password

Reboot the domain controller and once it is up click on the Ease of access button.

Reseting the Domain Admin Password

Now all we need to do to reset the domain admin password is type:

net user <domain account> <new password>

Reseting the Domain Admin Password

Close the command prompt window and log in using the new password. It should work with no problems.

                Reseting the Domain Admin Password     Reseting the Domain Admin Password



Now that we can login in, we need to revert the changes we’ve made to the system, and that’s putting the utilman.exe back to its place. Open a command prompt (as Administrator), go to C:\Windows\System32 and type:

Reseting the Domain Admin Password

If you get an Access denied message while running the last line of command, you need to change the ownership of the file. Just right click it, go to the Security tab then click Advanced. In the Advanced Security Settings window click the Change link then type the new owner (you can also put a security group in here). Once you’re done with this don’t forget to give the new owner permissions to the file.

                         Reseting the Domain Admin Password     Reseting the Domain Admin Password

The method works great, but remember, these are domain controllers, and domain controllers need a higher security then the rest of the systems, or the all network can be compromised. To go beyond physical security, we can create a GPO and add a registry value to our domain controllers to disable the Ease of access button. This way the utilman.exe file can’t be launched anymore, even when it’s replaced or its signature changes. Now there are many options to disable the button, but I found the bellow one more easy and more compatible with Group Policy.

Go ahead and create a GPO, name it, link it to the Domain Controllers container then right-click it and choose Edit.

Reseting the Domain Admin Password

Go to Computer Configuration > Preferences > Windows Settings > Registry and create a new Registry Item.

Reseting the Domain Admin Password

From the Hive drop-down-box choose HKEY_LOCAL_MACHINE and in the Key Path box type SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe. Now we need to provide the values for the registry key. In the Value name box type Debugger and in the Value data box type systray.exe then choose REG_SZ from the Value type drop-down-box. Click OK when done.

Reseting the Domain Admin Password

All we need to do now is wait for the policy to take effect, or if you are an impatient person you can force this using the gpupdate /force command. Now if we go and click the Ease of access button from the log on screen nothing should happen, no keyboard or color options should be displayed.

This is a great method to reset you domain admin password, but it can also be a security breach. I recommend you do implement the policy in production to block the Ease of access button to further increase the protection on your domain controllers, but never forget the physical security also.

Want content like this delivered right to your

email inbox?


2 comments

  1. cristian

    Great article, thanks for the trick.

    1. Adrian Costea

      Thanks for passing by…

Leave a Reply

Your email address will not be published. Required fields are marked *


*

css.php