
Resetting Forgotten Domain Administrator Password

by Batuhan Cetin, CIO

In the dynamic life of an IT administrator, we hold a lot of information in our minds: user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk on the way home. It is common to forget some of it. One of the most frustrating things is that we sometimes forget critical information which we did not write down on a piece of paper precisely because it is critical! The domain administrator password is one of this kind. This article will guide you through the steps to reset the domain administrator password. Oh, don't forget the milk; if you do, no one can help you recover from the damage that your wife will cause to your brain.

Please note that I have tested this in a test environment and personally seen that it worked. Changing the domain administrator password may cause some services in your environment to fail because of the password mismatch. Consider changing the password in all services or software that use the domain administrator account to operate. I do not take any responsibility for any damage caused to your system when following this article. However, if you have problems regarding this, I will gladly help you in the EE forums.

We will be using the INSTSRV and SRVANY command-line tools provided in the Windows Server 2003 Resource Kit. You can download the resource kit here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

In this scenario, we will assume that our forgotten password is "Experts1" and we will be replacing it with "ExpertsReset1".

Prerequisites:

We must have access to a domain controller using its local administrator password,
We must download the resource kit and extract it to a folder.

I recommend extracting it to the System32 folder, or copying cmd.exe from the System32 folder into the folder where you extracted the tools. This way you will not have to bother with paths.

I have created a folder named ResetPassword at the root of the "C:" drive and extracted the tools there. I also copied cmd.exe to that location. Please modify the paths and names throughout the article for your environment.

The logic here is to create and modify a service that will automatically start and change the domain administrator password on next restart.

1) First, we need to restart the domain controller. During the restart, press F8 to bring up the Windows Advanced Options menu. Choose "Directory Services Restore Mode (Windows domain controllers only)". Note that Active Directory is disabled in this mode and no modifications can be made to it. This mode is for resolving issues with the Directory Service database and for restoring it. Access the console by providing the local administrator credentials.

2) Open a command prompt and navigate to the ResetPassword folder. Register SRVANY as a service using INSTSRV:

INSTSRV PasswordReset SRVANY.exe

C:\ResetPassword>INSTSRV PasswordReset SRVANY.exe

The service was successfully added!

Make sure that you go into the Control Panel and use
the Services applet to change the Account Name and
Password that this newly installed service will use
for its Security Context.

The PasswordReset string in this command can be anything you like. It only identifies the registry keys and the service created by the tool. From here on the article uses PasswordReset, so if you choose a different string you will need to replace it in the paths and commands that follow.

3) Open regedit and navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PasswordReset

In the right pane, right-click an open area, click New > Key and name it Parameters. Now navigate to the new Parameters key in the left pane.

4) Right-click in the right pane, click New > String Value and name it Application. Double-click Application, enter C:\ResetPassword\cmd.exe in the Value data field and click OK.

5) Right-click again and create another string value by clicking New > String Value. Name it AppParameters. Double-click it, enter /k net user administrator ExpertsReset1 and click OK. Remember that "ExpertsReset1" will be our new domain administrator password.

We have now created these values:

Name: Application
Type: REG_SZ (string)
Value: C:\ResetPassword\cmd.exe

Name: AppParameters
Type: REG_SZ (string)
Value: /k net user administrator ExpertsReset1

6) Now we will check that our service has been created. Open the Services snap-in either by running services.msc from the Run dialog or by going to Control Panel > Administrative Tools > Services. Check the list for the PasswordReset service. Right-click the service and click Properties. Make sure that the Startup type is set to Automatic.

7) Navigate to the Log On tab and tick the "Allow service to interact with desktop" checkbox.

8) Click Apply, then OK.

9) If you are sure that you have done everything right, restart the server in normal mode. Your password will be reset during startup. You may get a command prompt that says "The command completed successfully" the first time you log on.

10) Now let's remove the tool and the service we created to prevent any security risks. To do this, we must first stop the service and remove it. Open a command prompt and run:

net stop PasswordReset
sc delete PasswordReset

C:\>net stop PasswordReset

The PasswordReset service was stopped successfully

C:\>sc delete PasswordReset
[SC] DeleteService SUCCESS

11) Remove the ResetPassword folder you created which includes the tools to recreate this service.
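
A check worth running after steps 10 and 11, as an added example that is not part of the original article: until the service key is deleted, the new password sits in clear text in the AppParameters value, and the /k switch leaves a cmd.exe running under the service's account. The script lists every service still hosted by SRVANY and what it launches, and deliberately does not print AppParameters. It assumes Windows PowerShell 2.0 or later in an elevated prompt; the function name Get-SrvanyService is hypothetical.

```powershell
# Added example (not from the article): find SRVANY-hosted services left on this machine.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$toolFolder   = 'C:\ResetPassword'   # folder used in this article; adjust if you changed it

function Get-SrvanyService {
    foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($svc.ImagePath -notmatch 'srvany') { continue }

        # SRVANY takes the real command line from the Parameters subkey (steps 3 to 5).
        $p = Get-ItemProperty -LiteralPath "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
        $cmdLine = "$($p.Application) $($p.AppParameters)"

        New-Object PSObject -Property @{
            Service        = $key.PSChildName
            ImagePath      = $svc.ImagePath
            Application    = $p.Application
            AutoStart      = ($svc.Start -eq 2)               # Start = 2 means Automatic
            Interactive    = (($svc.Type -band 0x100) -ne 0)  # 0x100 = interact with desktop
            LaunchesShell  = ($cmdLine -match '\b(cmd|powershell)(\.exe)?\b')
            ChangesAccount = ($cmdLine -match '\bnet1?(\.exe)?\s+(user|group|localgroup)\b')
        }
    }
}

$found = @(Get-SrvanyService)
$found | Format-List Service, ImagePath, Application, AutoStart, Interactive, LaunchesShell, ChangesAccount

if ($found.Count -eq 0) {
    'No SRVANY-hosted services are registered.'
}
if (Test-Path -LiteralPath $toolFolder) {
    Write-Warning "$toolFolder still exists; remove it as described in step 11."
}
```

A row with AutoStart, Interactive and ChangesAccount all True matches the service built in steps 2 to 8 and should not survive the cleanup.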

See you in another article.

Comments (2)

Commented:
Gentlemen,

This is a great article and an issue that I have been asked about on numerous occasions.

I would like to point out an area I feel is in need of clarification.

Under Prerequisites, you state, "We must have access to a domain controller using its local administrator password,"  I feel this statement requires clarification for several reasons (and I mention them only because from an inexperienced Admin the terminology can be very unclear) stated below:

1)  During the promotion of the first server in an organization to a Domain Controller, the local Administrator account and password become the Active Directory Administrator account and password.  This account is part of Domain Admins, Schema Admins, Enterprise Admin, etc. by the process of DCPROMO.  
2)  Unless specified directly, the "local" Admin password is NOT necessarily the same.  The DSRM (Directory Services Restore Mode) password can be set independently of the newly converted Admin account.
3)  By default, the AD Administrator password is not used (nor allowed) to be used to log in during DSRM mode unless specifically set in the Default Domain Policy.

I believe it is important to mention that what was once perceived as the local Administrator password may not work if it wasn't set the same during DCPROMO on that server.  Subsequent servers that are promoted to DCs will also require a DSRM password which is independent of any other previous DC’s DSRM password unless specifically set identical.

Otherwise, this article is perfect.

Paul
IT Guy, Sys Admin/Windows Admin

Commented:
Does this also work for Server 2012 R2?

Or what is the process for resetting a Forgotten Domain Administrator Password within Server 2012 R2?

What online resources or Experts Exchange articles or solutions discuss this?
