How to reset forgotten Active Directory Domain Administrator password
It happens. Not often, but it happens: you simply cannot remember your domain/enterprise administrator password anymore. This is a big deal, because that account is effectively the Active Directory god. Just imagine not being able to log in to your domain controllers for a day and you get my point. And since almost everything nowadays is tied to Active Directory, if it fails, everything fails, so you need to reset that password fast. There are plenty of tools on the internet where you pop a live CD into the domain controller and it more or less does the job, but many of them cost money, when all you really need is your Windows Server installation media/ISO.
For this to work you need access to the domain controller's console, either virtual (iLO, iDRAC, hypervisor console) or physical. Once you have that, mount the Windows Server 2012 R2 ISO (if the domain controller is a VM or you are using iLO/iDRAC) or insert the DVD on one of your domain controllers and boot from the media. Plan for the downtime: the DC is rebooted into the recovery environment and back again, and if its system volume is protected by BitLocker you will also need the recovery key before the offline environment can touch the disk. I am doing this on a 2012 R2 domain controller, but if you are still running 2008 R2 just mount the 2008 R2 ISO and follow along, because it works the same way.
Once the installer has loaded, click Next on the first screen of the wizard.
On the second screen click the Repair your computer option in the lower left-hand corner.
Click Troubleshoot then Command Prompt.
Go to <drive root>:\Windows\System32 and run the command lines below. They back up utilman.exe, the file behind the Ease of Access button on the logon screen (it launches the On-Screen Keyboard and the other accessibility tools), then copy cmd.exe under the name utilman.exe. That way, when we click the Ease of Access button on the logon screen, a command prompt opens instead, and because the logon screen starts it as SYSTEM it can change any account. Note that inside the recovery environment the operating-system volume is not always C:, so confirm the letter first (run dir against each drive and look for the one that contains \Windows) and substitute it in the commands.
cd c:\windows\system32
ren utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe
Reboot the domain controller and, once the logon screen is up, click the Ease of Access button. A command prompt running as SYSTEM opens.
Now all we need to do to reset the domain admin password is type:
net user <domain account> <new password>
The new password must satisfy the domain password policy (length, complexity, history), otherwise net user refuses it with a policy error, so pick a compliant one. On a domain controller net user acts on the domain account directly. If you would rather not have the password echoed on screen, net user also accepts an asterisk in place of the password and prompts for it instead. Close the command prompt window and log in using the new password. It should work with no problems.
Now that we can log in, we need to revert the change we made to the system, which means putting the original utilman.exe back in its place; until that is done, anyone at the console can open a SYSTEM shell from the logon screen. Open a command prompt (as Administrator), go to C:\Windows\System32 and type:
del utilman.exe
ren utilman.exe.bak utilman.exe
If you get an Access denied message while running one of those commands, you need to take ownership of the file. Right-click it, go to the Security tab, then click Advanced. In the Advanced Security Settings window click the Change link next to Owner and type the new owner (a security group works here too). Once you are done with this, don't forget to give the new owner permissions on the file, then run the command again.
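As an added example (not part of the original post), here is the restore-and-verify step done from an elevated PowerShell prompt on the domain controller. It assumes the backup is named utilman.exe.bak as above; the function names are this example's own. When the delete or rename is refused it falls back to takeown/icacls, the command-line equivalent of the ownership change described above, and it checks the result by comparing hashes with cmd.exe and running sfc /verifyfile, because a signature check alone would pass (the planted file is a genuine, signed copy of cmd.exe).

```powershell
# Added example, not from the original post. Run elevated on the domain controller.
# Assumes the backup made in the recovery environment is named utilman.exe.bak.

$sys32  = Join-Path $env:SystemRoot 'System32'
$util   = Join-Path $sys32 'utilman.exe'
$backup = Join-Path $sys32 'utilman.exe.bak'
$cmd    = Join-Path $sys32 'cmd.exe'

function Test-UtilmanTampered {
    # A renamed cmd.exe is still a validly signed Microsoft binary, so an Authenticode
    # check proves nothing here. Compare hashes with cmd.exe and let SFC check the
    # file against the component store instead.
    $hashUtil = (Get-FileHash -Path $util -Algorithm SHA256).Hash
    $hashCmd  = (Get-FileHash -Path $cmd  -Algorithm SHA256).Hash

    # sfc.exe writes UTF-16 to the console; without this the captured text has stray spaces.
    $prevEnc = [Console]::OutputEncoding
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    try   { $sfc = (& "$sys32\sfc.exe" "/verifyfile=$util") -join ' ' }
    finally { [Console]::OutputEncoding = $prevEnc }

    [pscustomobject]@{
        IsCmdCopy = ($hashUtil -eq $hashCmd)
        SfcClean  = ($sfc -match 'did not find any integrity violations')
        SfcOutput = $sfc.Trim()
    }
}

function Invoke-WithOwnershipFallback {
    param([string]$Path, [scriptblock]$Action)
    try { & $Action }
    catch {
        # Access denied: take ownership and grant Administrators full control, which is
        # the command-line equivalent of the Security tab steps in the post, then retry.
        & takeown.exe /F $Path | Out-Null
        & icacls.exe $Path /grant 'Administrators:F' | Out-Null
        & $Action
    }
}

function Restore-Utilman {
    if (-not (Test-Path $backup)) {
        throw "Backup $backup not found. Use 'sfc /scanfile=$util' to rebuild the file from the component store instead."
    }
    Invoke-WithOwnershipFallback -Path $util   -Action { Remove-Item -Path $util -Force -ErrorAction Stop }
    Invoke-WithOwnershipFallback -Path $backup -Action { Rename-Item -Path $backup -NewName 'utilman.exe' -ErrorAction Stop }
}

$before = Test-UtilmanTampered
if ($before.IsCmdCopy) {
    Write-Host 'utilman.exe is a copy of cmd.exe; restoring the backup.'
    Restore-Utilman
} else {
    Write-Host 'utilman.exe is not a copy of cmd.exe; nothing to restore.'
}

$after = Test-UtilmanTampered
$after | Format-List
if ($after.IsCmdCopy -or -not $after.SfcClean) {
    Write-Warning "utilman.exe still looks wrong; run 'sfc /scanfile=$util' to rebuild it from the component store."
}
```

If the ownership fallback fired, the restored file now carries the Administrators:F grant you added rather than the default TrustedInstaller-owned ACL; icacls <file> /setowner "NT SERVICE\TrustedInstaller" hands ownership back. sfc /scanfile is also the way out if the .bak was lost or overwritten.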
The method works great, but remember that these are domain controllers, and domain controllers need tighter security than the rest of your systems, or the whole network can be compromised. To go beyond physical security, we can create a GPO that adds a registry value on our domain controllers to disable the Ease of Access button. With it in place utilman.exe can no longer be launched from the logon screen, even when the file has been replaced or its signature has changed. There are several ways to disable the button, but I found the one below the easiest and the most Group Policy friendly. Treat it as defense in depth rather than a substitute for console security: the value lives in the SOFTWARE hive, which anyone with the same offline access can load and edit.
Important: this method only disables the button's functionality, so if utilman.exe is replaced it cannot be launched. It does not, however, hide the Ease of Access button from the logon screen.
Go ahead and create a GPO, give it a name, link it to the Domain Controllers OU, then right-click it and choose Edit.
Go to Computer Configuration > Preferences > Windows Settings > Registry and create a new Registry Item.
From the Hive drop-down box choose HKEY_LOCAL_MACHINE and in the Key Path box type SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe. Now we provide the value: in the Value name box type Debugger, choose REG_SZ from the Value type drop-down box and in the Value data box type systray.exe. From then on Windows starts systray.exe (a harmless stub that simply exits) in place of utilman.exe whenever utilman.exe is launched. Click OK when done.
All we need to do now is wait for the policy to take effect, or if you are impatient force it on the domain controller with the gpupdate /force command. Now if we click the Ease of Access button on the logon screen nothing should happen: no keyboard or color options should be displayed.
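The following is an added example (not from the original post) that applies and audits the same Image File Execution Options value with PowerShell. Set-UtilmanBlock is the local equivalent of the Group Policy Preference item above, handy for a lab DC or for testing before the GPO is linked; Get-UtilmanBlockState reads the state back and also flags a Debugger value that points anywhere other than systray.exe, since the same key is a well-known persistence spot; Invoke-UtilmanBlockAudit runs that check on every domain controller. It assumes the ActiveDirectory module on the admin host and PowerShell remoting to the DCs; the function names are this example's own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Requires the ActiveDirectory module (RSAT) and PowerShell remoting for the fleet audit.

function Set-UtilmanBlock {
    # Local equivalent of the GPP registry item: IFEO\Utilman.exe, Debugger = systray.exe.
    # Windows then launches systray.exe (a stub that exits immediately) instead of utilman.exe.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Debugger' -Value 'systray.exe' -PropertyType String -Force | Out-Null
}

function Get-UtilmanBlockState {
    # Kept self-contained (no outer variables) so it can be shipped to remote hosts with Invoke-Command.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe'
    $dbg = (Get-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Debugger   = $dbg
        Blocked    = ($dbg -eq 'systray.exe')
        # Any other debugger on utilman.exe is not our hardening; treat it as a finding.
        Suspicious = ([bool]$dbg -and $dbg -ne 'systray.exe')
    }
}

function Invoke-UtilmanBlockAudit {
    # Every DC should come back Blocked = True and Suspicious = False once the GPO has applied.
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock ${function:Get-UtilmanBlockState} |
        Select-Object Computer, Debugger, Blocked, Suspicious
}

# Apply locally (comment this out if you only want to audit), then read the state back.
Set-UtilmanBlock
Get-UtilmanBlockState | Format-List

# From an admin workstation, after the GPO has had time to apply:
# Invoke-UtilmanBlockAudit | Format-Table -AutoSize
```

On a DC that gets the setting from the GPO rather than from Set-UtilmanBlock, gpresult /scope computer /r confirms the policy applied; the audit then shows whether the value actually landed on each domain controller.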
This is a great method to reset your domain admin password, but it is just as useful to an attacker with console access, and that is the security weakness. I recommend you implement the policy in production to block the Ease of Access button and further harden your domain controllers, but never forget physical (and virtual console) security either.
Worked great, thought I was screwed with this domain controller.
Great article, thanks for the trick.
Thanks for passing by…