Windows Thread: Locked out of a server after resetting account (in Technical)
  1. #1
    OverWorked's Avatar

    Locked out of a server after resetting account

    Help,

    I've reset the account of one of my servers (Server 2003) in AD and now can't logon to it with the domain admin account. I can't logon to it as a local admin either because the local admin account is disabled ("Your account has been disabled").

    Is there any way round this? I suspect there isn't. Is there any way of enabling the local admin account from GP (but then if the server can't authenticate with the domain this probably won't work either).

    The server isn't vital. It was just running ISA Server as the firewall, so I could easily rebuild it if I needed to, and I'm going to scrap it soon when we move to Smoothwall.

    Any help would be appreciated. Thanks.

  2. #2

    As long as it's not a DC, you can use the Offline NT Password Reset utility which comes on The Ultimate Boot CD which you can download freely. This should enable you to un-disable the local admin account and reset its password.

    Should work ok, I'm sure I've done it on a W2K3 server before with no problems. Follow the instructions carefully!

    However, little concerned you don't know/lost/forgotten the Domain Admin account.

    Best of luck

    Pete

  3. #3
    Jona's Avatar
    Seconded, try Ultimate Boot CD - http://www.ultimatebootcd.com/ - as FragglePete said.
    Last edited by Jona; 20th February 2008 at 04:45 PM. Reason: irrelevant advice

  4. #4


    Quote, originally posted by Jona:
    "Can you login with any domain accounts? If so you could elevate the privileges of any user to a point where you can reset the applicable passwords."

    No, he's deleted the computer account.

    As said, there's plenty of boot CDs to try, google it.

  5. #5
    Jona's Avatar
    Quote, originally posted by j17sparky:
    "No, he's deleted the computer account.

    As said, there's plenty of boot CDs to try, google it."

    My bad, read the post in a hurry.

    Cheers
    Jona

  6. #6

    FN-GM's Avatar
    If it is a member server, if you boot into safemode you will be able to login the local administrator. (it will enable them for safemode).

    Z

  7. Thanks to FN-GM from:

    OverWorked (21st February 2008)

  8. #7
    sahmeepee's Avatar
    Quote, originally posted by FragglePete:
    "As long as it's not a DC, you can use the Offline NT Password Reset utility..."

    This did get me thinking...

    I've luckily never had to get back into a DC which has been locked out. The password reset tool has no chance in that scenario because there's no local account database on a DC for it to tinker with (or there is one, but it can't work its magic on it).

    Other than an AD restore I'm not sure what can be done to recover a DC in this situation. You can fix the domain admin password if you have the local admin password for the DC (aka the directory services restore mode password) with this method:

    http://www.nobodix.org/seb/win2003_adminpass.html

    but what happens if you don't have that password? I can imagine a situation where the DCs were installed a long time in the past and the local admin passwords aren't what you thought! (if you aren't sure of yours, the password can be changed whilst you have control of the DC with method #4 on this page)

    Of course I wouldn't advise only having one domain admin account, but I do wonder if there's a way out of the predicament... just a hypothetical scenario to tool myself up for the apocalypse!

  9. #8

    FN-GM's Avatar
    Are you in a multiple domain forest? An enterprise administrator will be able to reset your password. I'm surprised you haven't made a personal account for yourself in the event of this happening.

  10. #9
    OverWorked's Avatar
    Quote, originally posted by FN-Greatermanchester:
    "If it is a member server, if you boot into safemode you will be able to login the local administrator. (it will enable them for safemode).

    Z"

    Thanks for the suggestions. Safe mode had crossed my mind - I'll try it in the morning. If that doesn't work, I'll try the UBCD.

    I haven't forgotten the domain admin account's password (if I had, I'd be more than concerned - I'd go to the nearest pub and not return), and having more than one domain admin account wouldn't help in this case. I've just reset the computer account for that machine in ADUC, which for any machine stops domain accounts authenticating from it.

    As it's a member server, the local account gets disabled when it's joined to the domain. Then if you reset or delete the computer's account, like I have, you're stuck with no way of logging on..

    I reset the account when I put Smoothwall in its place with the same name (though I now know I didn't need to). I've just had to put the old ISA Server back while I do some work on the Smoothwall. I hope to get rid of it (the ISA Server) soon anyway.

    It's working happily as a firewall, even though it's orphaned from the domain. I just can't logon to the thing. I'm not too bothered.

    Thanks again for the suggestions.

  11. #10

    Michael's Avatar
    Quote:
    "As it's a member server, the local account gets disabled when it's joined to the domain. Then if you reset or delete the computer's account, like I have, you're stuck with no way of logging on.."

    To my knowledge this isn't correct. Member servers do still allow you to logon locally using the default Administrator account (for example). Only Domain Controllers disable local accounts, so clicking the 'Log on to' drop down menu only displays the domain itself.

    There's no need to go into Safemode if it's a member server, you can logon using a local Administrator account, then re-join the domain this way.

  12. #11

    probably has the domain security policy to disable the local admin account.

    Dean

  13. #12

    Michael's Avatar
    That's possible deanc, meaning you'd have no choice but to re-build the server from a backup. I've never used this policy. Creating a strong password (from the beginning) is the much better alternative for situations like these!

  14. #13
    OverWorked's Avatar
    Safe mode fixed it.

    Booted twice into safe mode with networking temporarily enabled the local admin account for those sessions. First safe mode boot, removed from domain. Reset computer account in AD. Second safe mode boot, rejoined domain. Voilà! Domain admin account able to login to firewall again.

    I just did that to reassure myself it was possible. As soon as it was fixed, I whipped it out and put the Smoothwall back in.

    The local admin account was definitely disabled when booting in 'normal' mode. Error message saying the account was disabled. Having said that, I didn't look at the account in the control panel before I took it offline.

  15. #14
    OverWorked's Avatar
    Quote, originally posted by deanc:
    "probably has the domain security policy to disable the local admin account.

    Dean"

    Yes, that's probably it. I didn't look at this option because changing the policy to re-enable it wouldn't have worked as the machine was orphaned from the domain. I've just looked round and can't find the setting. I'll leave it for now. Thanks.

  16. #15

    FN-GM's Avatar
    Glad you got it sorted. I have had something similar to you a while back. It's easy when you know how.
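
Added example, not part of the thread or any poster's own script: a pre-flight check for the lockout discussed above, to run before a member server's computer account is reset. It assumes an English-locale `net user Administrator` listing and a security template exported with `secedit /export /cfg` and already decoded to text; the sample inputs and function names are constructed for illustration.

```python
import re

# Constructed sample: fragment of a template from `secedit /export /cfg`.
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 7
EnableAdminAccount = 0
EnableGuestAccount = 0
"""

# Constructed sample: relevant lines of `net user Administrator` (English).
SAMPLE_NET_USER = """\
User name                    Administrator
Account active               No
Account expires              Never
"""

def policy_admin_enabled(inf_text):
    """True/False from [System Access] EnableAdminAccount; None if not set."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "system access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "enableadminaccount":
                return value == "1"
    return None

def account_active(net_user_text):
    """True/False from the 'Account active' line; None if it is missing."""
    m = re.search(r"^Account active\s+(Yes|No)\s*$", net_user_text, re.M | re.I)
    return None if m is None else m.group(1).lower() == "yes"

def fallback_logon_ok(inf_text, net_user_text):
    """Return (ok, reasons): ok only if nothing blocks a local admin logon."""
    reasons = []
    if policy_admin_enabled(inf_text) is False:
        reasons.append("policy disables the built-in Administrator account")
    active = account_active(net_user_text)
    if active is None:
        reasons.append("could not read the local Administrator account state")
    elif not active:
        reasons.append("local Administrator account is not active")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(fallback_logon_ok(SAMPLE_INF, SAMPLE_NET_USER))
```

If the check returns reasons, sort out the local account while domain logons still work on that machine, and only then reset the computer account.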
