20th February 2008, 03:43 PM #1
Locked out of a server after resetting account
Help,
I've reset the account of one of my servers (Server 2003) in AD and now can't logon to it with the domain admin account. I can't logon to it as a local admin either because the local admin account is disabled ("Your account has been disabled"). 
Is there any way round this? I suspect there isn't. Is there any way of enabling the local admin account from GP (but then if the server can't authenticate with the domain this probably won't work either).
The server isn't vital. It was just running ISA Server as the firewall, so I could easily rebuild it if I needed to, and I'm going to scrap it soon when we move to Smoothwall.
Any help would be appreciated. Thanks.
-
-
20th February 2008, 04:15 PM #2
As long as it's not a DC, you can use the Offline NT Password Reset utility which comes on The Ultimate Boot CD which you can download freely. This should enable you to un-disable the local admin account and reset its password.
Should work ok, I'm sure I've done it on a W2K3 server before with no problems. Follow the instructions carefully!
However, little concerned you don't know/lost/forgotten the Domain Admin account.
Best of luck
Pete
-
-
20th February 2008, 04:17 PM #3
Seconded, try ultimateboot cd - http://www.ultimatebootcd.com/ a good as FragglePete said.
Last edited by Jona; 20th February 2008 at 04:45 PM.
Reason: irrelevant advice
-
-
20th February 2008, 04:34 PM #4 
Originally Posted by
Jona
Can you login with any domain accounts? If so you could elevate the privileges of any user to a point where you can reset the applicable passwords.
No, he's deleted the computer account.
As said, there's plenty of boot CDs to try, google it.
-
-
20th February 2008, 04:46 PM #5 
Originally Posted by
j17sparky
No, he's deleted the computer account.
As said, there's plenty of boot CDs to try, google it.
My bad, read the post in a hurry.
Cheers
Jona
-
-
20th February 2008, 05:56 PM #6
If it is a member server, if you boot into safemode you will be able to login the local administrator. (it will enable them for safemode).
Z
-
-
20th February 2008, 06:23 PM #7 
Originally Posted by
FragglePete
As long as it's not a DC, you can use the Offline NT Password Reset utility...
This did get me thinking...
I've luckily never had to get back into a DC which has been locked out. The password reset tool has no chance in that scenario because there's no local account database on a DC for it to tinker with (or there is one, but it can't work its magic on it).
Other than an AD restore I'm not sure what can be done to recover a DC in this situation. You can fix the domain admin password if you have the local admin password for the DC (aka the directory services restore mode password) with this method:
http://www.nobodix.org/seb/win2003_adminpass.html
but what happens if you don't have that password? I can imagine a situation where the DCs were installed a long time in the past and the local admin passwords aren't what you thought! (if you aren't sure of yours, the password can be changed whilst you have control of the DC with method #4 on this page)
Of course I wouldn't advise only having one domain admin account, but I do wonder if there's a way out of the predicament... just a hypothetical scenario to tool myself up for the apocalypse!
-
-
20th February 2008, 06:48 PM #8
Are you in a multiple domain forest? An enterprise administrator will be able to reset your password. I'm surprised you haven't made a personal account for yourself in the event of this happening.
-
-
20th February 2008, 07:43 PM #9 
Originally Posted by
FN-Greatermanchester
If it is a member server, if you boot into safemode you will be able to login the local administrator. (it will enable them for safemode).
Z
Thanks for the suggestions. Safe mode had crossed my mind - I'll try it in the morning. If that doesn't work, I'll try the UBCD.
I haven't forgotten the domain admin account's password (if I had, I'd be more than concerned - I'd go to the nearest pub and not return), and having more than one domain admin account wouldn't help in this case. I've just reset the computer account for that machine in ADUC, which for any machine stops domain accounts authenticating from it.
As it's a member server, the local account gets disabled when it's joined to the domain. Then if you reset or delete the computer's account, like I have, you're stuck with no way of logging on.
I reset the account when I put Smoothwall in its place with the same name (though I now know I didn't need to). I've just had to put the old ISA Server back while I do some work on the Smoothwall. I hope to get rid of it (the ISA Server) soon anyway.
It's working happily as a firewall, even though it's orphaned from the domain. I just can't logon to the thing. I'm not too bothered. 
Thanks again for the suggestions.
-
-
20th February 2008, 07:52 PM #10
As it's a member server, the local account gets disabled when it's joined to the domain. Then if you reset or delete the computer's account, like I have, you're stuck with no way of logging on.
To my knowledge this isn't correct. Member servers do still allow you to logon locally using the default Administrator account (for example). Only Domain Controllers disable local accounts, so clicking the 'Log on to' drop down menu only displays the domain itself.
There's no need to go into Safemode if it's a member server, you can logon using a local Administrator account, then re-join the domain this way.
-
-
20th February 2008, 07:56 PM #11
probably has the domain security policy to disable the local admin account.
Dean
-
-
20th February 2008, 08:01 PM #12
That's possible deanc, meaning you'd have no choice but to re-build the server from a backup. I've never used this policy. Creating a strong password (from the beginning) is the much better alternative for situations like these!
-
-
21st February 2008, 10:20 AM #13
Safe mode fixed it.
Booted twice into safe mode with networking temporarily enabled the local admin account for those sessions. First safe mode boot, removed from domain. Reset computer account in AD. Second safe mode boot, rejoined domain. Voilà! Domain admin account able to login to firewall again.
I just did that to reassure myself it was possible. As soon as it was fixed, I whipped it out and put the Smoothwall back in.
The local admin account was definitely disabled when booting in 'normal' mode. Error message saying the account was disabled. Having said that, I didn't look at the account in the control panel before I took it offline.
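The lockout in this thread needed two things at once: a broken machine trust with the domain and no enabled local administrator to fall back on. The following pre-flight check is an added example, not code from any poster in the thread; it assumes Windows PowerShell 5.1 or later (the LocalAccounts cmdlets, which Server 2003 did not ship), a domain-joined machine and an elevated session, and the function name `Test-LockoutRisk` is hypothetical.

```powershell
# Added example: run on a member server BEFORE resetting or deleting its
# computer account in AD, to confirm a local way back in exists.
# Assumes Windows PowerShell 5.1+, domain-joined machine, elevated session.

function Test-LockoutRisk {
    # The built-in Administrator is identified by the well-known RID 500,
    # so this still finds it if the account has been renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # Members of the local Administrators group (well-known SID S-1-5-32-544)
    # that are local user accounts rather than domain principals.
    $localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' }

    # Keep only the ones that are actually enabled.
    $enabled = foreach ($member in $localAdmins) {
        $user = Get-LocalUser -SID $member.SID
        if ($user.Enabled) { $user.Name }
    }

    # $true when the machine's secure channel to the domain is healthy.
    $trustOk = Test-ComputerSecureChannel

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        SecureChannelOk     = $trustOk
        BuiltinAdminEnabled = [bool]$builtin.Enabled
        EnabledLocalAdmins  = @($enabled)
        # With no enabled local admin, losing the domain trust leaves
        # only safe mode or offline recovery, as happened in this thread.
        LockoutIfTrustLost  = (@($enabled).Count -eq 0)
    }
}

Test-LockoutRisk | Format-List
```

If `LockoutIfTrustLost` is `True`, enable or create a local administrator with a strong, recorded password before touching the computer account.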
-
-
21st February 2008, 10:30 AM #14 
Originally Posted by
deanc
probably has the domain security policy to disable the local admin account.
Dean
Yes, that's probably it. I didn't look at this option because changing the policy to re-enable it wouldn't have worked as the machine was orphaned from the domain. I've just looked round and can't find the setting. I'll leave it for now. Thanks.
-
-
23rd February 2008, 09:00 PM #15
Glad you got it sorted. I have had something similar to you a while back. It's easy when you know how.
-