Solved

SAM FILE on recovery disk

Posted on 1998-08-31
20
339 Views
Last Modified: 2013-12-28
I have the password from the latest NT recovery disk.
I ran the recovery disk on a test machine, and it works fine!
I tried to use the administrator logon and password on the
machine that the recovery disk came from, but it still won't let me log on.
My question is: is there some way the sysadmin disabled the administrator account!? And is there any other way of gaining access?
He has us locked out of our own system. We can't dismiss him till we have full control. Please help! Hurry!
Question by:bones030898
20 Comments
 
LVL 5

Expert Comment

by:theh95
ID: 1792119
Reinstall NT; that will give you the chance to enter a new password and remove the old one.

0
 
LVL 1

Expert Comment

by:derosa
ID: 1792120
If the partition is FAT:

 1- Rename the files SAM.* to something else, like OLDSAM.*.
    They are usually found under the c:\winnt\system32\config directory.
                Ex. sam to oldsam
                    sam.log to oldsam.log
                    sam.sav to oldsam.sav
 2- Reboot the PC. Now the Administrator password is blank.
    The previous Admin taskbar and settings may be lost, but
    who cares. The user profiles should still be the same.
    I would check in User Manager that the user is still a
    member of the proper groups, ex. Power Users/Users.

If the partition is NTFS you can use *NTFSDOS to mount the drive from a DOS bootable diskette.

 *NTFSDOS is available at www.sysinternals.com
0
 
LVL 2

Expert Comment

by:ViperOne
ID: 1792121
He probably renamed his account.

Boot from the NT setup floppies, choose the "Repair" option (hit R when prompted) and insert the Emergency Repair Disk. This will replace the SAM with the one on the ERD, but also the rest of the registry. So hope he didn't change the config of your server after the last ERD update.

Kind regards,
Simon (MCP)

PS: if you can afford to lose the config, but not the data, and the data is not on a stripe set, just install a new machine with NT Server, hook up the data drive, boot NT and take ownership in NT Explorer... It's that easy. Doesn't work with stripe sets, though, as they are defined in the registry...
0
 
LVL 5

Expert Comment

by:theh95
ID: 1792122
I think Derosa's comment would work too, but it depends on how much time you have. If you have enough time to wait for the package, that will be great.
0
 

Author Comment

by:bones030898
ID: 1792123
If I reinstall NT, will I lose all the profiles or will they still be there?
I need to keep all the data intact: profiles and config.

0
 

Author Comment

by:bones030898
ID: 1792124
The system is NTFS.
Can't have the server down too long; we have about 2300 customers
depending on it.
The way I understand it you can't rename the user account
Administrator. I've tried on the test machine: can't disable or delete
the account Administrator. I would be willing to give 100 more points
for the right solution.
I thought about reinstalling NT but I'm afraid of losing data
like user profiles and installed services.
Also, theh95, I will give the credit to you if I can have a little reassurance that I won't be left high and dry with a blank machine.
Please help some more; this is really a mess with our sysadmin!
He refuses to give any access to the machine.
0
 
LVL 8

Expert Comment

by:wayneb
ID: 1792125
If the repair disk was made with rdisk you do get the security or SAM database, as seen in the MS KB document. Your repair disk would have to have been made using the /s option in order to get the SAM and security hives. This may not help you much but will educate you for the future.


RDISK /S and RDISK /S- Options in Windows NT
3.50 3.51 4.00 WINDOWS kbtool
The information in this article applies to:

Microsoft Windows NT Workstation version 3.5 and 3.51
Microsoft Windows NT Server version 3.5 and 3.51
Microsoft Windows NT Workstation version 4.0
Microsoft Windows NT Server version 4.0


The RDISK utility included with Windows NT version 3.5 or later has two command line options:

  RDISK /S

   -and-

  RDISK /S-

When you use the RDISK /S option, the program skips the initial "Create Repair Disk?" dialog box and goes directly into saving the configuration.
When you use the RDISK /S- option, the program also skips the "Create Repair Disk?" dialog box, saves the configuration, and then quits.


WARNING PLEASE READ:

Both of these options also overwrite the saved SAM._ and SECURITY._ registry hives created during the initial Windows NT installation. The default administrator account and password used during Setup are all that is contained in these small files.

If you choose either of the above optional switches – Rdisk copies the entire current SAM and SECURITY database files containing ALL users and groups into the repair directory. On a domain controller containing many hundreds or even thousands of users these files can become very large which will Inhibit the ability to copy them to the emergency repair diskette (ERD).

Microsoft does not recommend using either of these switches on Windows NT Machines that have a large number of users and groups defined in user manager.

As a precaution – you should make a backup copy of the %systemroot%\repair directory to ensure you will still be able to make an emergency repair diskette after running RDISK while using one of the above switches.

Repair Disk Utility Does Not Update SAM and Security Hives
Last reviewed: March 25, 1997
Article ID: Q126464
 
The information in this article applies to:
Microsoft Windows NT Workstation version 3.5
Microsoft Windows NT Server version 3.5
Microsoft Windows NT Workstation version 3.51
Microsoft Windows NT Server version 3.51
Microsoft Windows NT Workstation version 4.0
Microsoft Windows NT Server version 4.0


SYMPTOMS
When you restore the SAM and Security hives from an updated Emergency Repair Disk, the versions that were saved when you installed Windows NT are restored.



CAUSE
Repair Disk Utility (RDISK.EXE) does not save the Windows NT Registry SAM and Security hives.



WORKAROUND
To avoid losing information in the future, use one of the following methods:

Use Windows NT Backup (NTBACKUP.EXE) and select the option to backup the Registry.
NOTE: Using NTBackup is the only supported method for creating a backup of your system registry.

-or-

Back up the Sam.* and Security.* files in the %Systemroot%\System32\Config directory.
-or-

Use Regback.exe from the correct version of the Windows NT Resource Kit for the version of NT being used.

STATUS
Microsoft has confirmed this to be a problem in Windows NT Workstation and Server versions 3.51 and 4.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

 

0
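The two KB articles quoted above describe the mechanism this whole thread turns on: rdisk run without /s leaves the staged sam._ and security._ copies in %systemroot%\repair at their install-time state, so an ERD built from them restores the setup-time accounts rather than the current ones. The script below is an added example, not code from this thread or from Microsoft. It does two defensive things: it reports whether each staged repair copy is older than the live hive in system32\config (reading only file timestamps, never hive contents, so it works while NT holds the files locked), and it makes the dated copy of Sam.* and Security.* that KB Q126464 lists as a workaround. The directory layout, the sample tree it builds under a temporary directory, and the function names are all constructed for the demo.

```python
"""ERD freshness check and SAM/SECURITY hive backup helper.

Added example, not from the thread. Assumes the NT layout the KB describes:
  <systemroot>\system32\config\sam, security (plus .log/.sav companions)
  <systemroot>\repair\sam._, security._   (what rdisk stages for the ERD)
"""
from __future__ import annotations

import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

HIVES = ("sam", "security")
DAY = 86400.0


@dataclass
class HiveStatus:
    name: str
    live_mtime: float
    repair_mtime: float | None  # None: no staged copy in <systemroot>\repair

    @property
    def stale(self) -> bool:
        """True when the ERD staging copy is missing or predates the live hive,
        i.e. an ERD built from it would restore older accounts/passwords."""
        return self.repair_mtime is None or self.repair_mtime < self.live_mtime

    def age_days(self, now: float) -> float | None:
        return None if self.repair_mtime is None else (now - self.repair_mtime) / DAY


def check_repair_hives(systemroot: Path) -> list[HiveStatus]:
    """Compare each live hive with its staged repair copy by timestamp only."""
    config = systemroot / "system32" / "config"
    repair = systemroot / "repair"
    out: list[HiveStatus] = []
    for hive in HIVES:
        live_mtime = (config / hive).stat().st_mtime
        staged = repair / f"{hive}._"
        staged_mtime = staged.stat().st_mtime if staged.exists() else None
        out.append(HiveStatus(hive, live_mtime, staged_mtime))
    return out


def backup_hives(systemroot: Path, dest: Path) -> list[Path]:
    """KB Q126464 workaround: copy Sam.* and Security.* out of system32\\config.
    On a running server the hives are locked; run this from a boot environment
    or against an offline copy, or use NTBackup/Regback as the KB recommends."""
    config = systemroot / "system32" / "config"
    dest.mkdir(parents=True, exist_ok=True)
    copied: list[Path] = []
    for hive in HIVES:
        for src in sorted(config.glob(f"{hive}*")):
            if src.is_file():
                copied.append(Path(shutil.copy2(src, dest / src.name)))
    return copied


def build_sample_tree(base: Path, now: float) -> Path:
    """Constructed sample: SAM whose repair copy is 400 days old (rdisk was run
    without /s), SECURITY whose repair copy is current. Hypothetical data."""
    root = base / "winnt"
    config = root / "system32" / "config"
    repair = root / "repair"
    config.mkdir(parents=True)
    repair.mkdir()
    for hive in HIVES:
        for suffix in ("", ".log", ".sav"):
            (config / f"{hive}{suffix}").write_bytes(b"regf" + b"\0" * 64)
        # accounts last changed yesterday
        os.utime(config / hive, (now - DAY, now - DAY))
    (repair / "sam._").write_bytes(b"\0" * 16)
    os.utime(repair / "sam._", (now - 400 * DAY, now - 400 * DAY))
    (repair / "security._").write_bytes(b"\0" * 16)
    os.utime(repair / "security._", (now, now))
    return root


def demo() -> dict:
    """Run the check and the backup against the constructed sample tree."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp), now)
        statuses = check_repair_hives(root)
        copied = backup_hives(root, Path(tmp) / "hive-backup")
        return {
            "stale": {s.name: s.stale for s in statuses},
            "ages": {s.name: s.age_days(now) for s in statuses},
            "backed_up": sorted(p.name for p in copied),
        }


if __name__ == "__main__":
    for hive, stale in demo()["stale"].items():
        print(f"{hive}: {'STALE - ERD would restore old accounts' if stale else 'current'}")
```

Run against a real %systemroot% by calling check_repair_hives(Path(r"C:\WINNT")); the stale flag is the practical answer to the question raised in this thread, namely whether an ERD made on a given date still carries the accounts that exist today.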
 

Author Comment

by:bones030898
ID: 1792126
Thank you wayneb, and yes it was made with rdisk, but not from the command prompt. Will it still have all the data for profiles?
Because when I ran it on the test machine it lost all the usernames and passwords except Administrator, but all the profile folders were still there.
0
 
LVL 8

Expert Comment

by:wayneb
ID: 1792127
In order to have it save the user names and security hives you must use rdisk /s; the /s is for the SAM and security hives that will not be backed up without the /s switch. You are in a hard place. I do not want to advise you wrong and have you do the wrong thing; I am not fully familiar with repairing Windows NT and having the profiles and user configs saved during the repair process. Do you have a backup domain controller that you could promote to primary while demoting the primary to backup? Then, if you had to reinstall, you could save the user names and passwords. Do you have a tape backup or some other kind of backup you could restore after NT was repaired or reinstalled?
Somehow there must be a way to pick the lock on NT and gain access to the system. There is a utility called Getadmin that, when run from an NT workstation, will grant you domain admin status on the network and allow you to fix your problem. But if the hotfix was installed on the server it will not work. You can find getadmin by doing a search on the web for getadmin.

0
 
LVL 8

Expert Comment

by:wayneb
ID: 1792128
Here is where getadmin is, or one site with it on it.
http://www.ntshop.net/security/tools/getadmin.zip
If you could gain admin rights on the system you could do something with the password, change it or something.
0
 

Author Comment

by:bones030898
ID: 1792129
Yes, it has the hotfix for getadmin.
It does have a tape backup, but it has a lock on it too, so I don't actually know what has been backed up.
But if I get admin then I could maybe restore and have it fixed.
What the owner wants is to change all the admin pw's.
And again, thank you :)

0
 
LVL 2

Expert Comment

by:ViperOne
ID: 1792130
BTW, you CAN rename the original Admin account.

Have you tried my solution yet ???

Please let us know ASAP where that gets you, so we can take it from there.

kind regards
Simon
0
 
LVL 5

Expert Comment

by:bchew
ID: 1792131
I suggest you get a lawyer!  I think what your admin has done is illegal and could be prosecuted on criminal and/or civil grounds!  He may be very willing to help you out if faced with being arrested.
0
 
LVL 2

Expert Comment

by:mbreuker
ID: 1792132
Try l0phtcrack from
http://l0pht.com/l0phtcrack/
You just run this on a local copy of the SAM - either a repair disk or by booting with NTFSDOS, http://www.sysinternals.com/ntfs20.htm

You can find anyone's username/password this way and, unfortunately, sometimes the only way to fix the problem of a disgruntled SysAdmin.

If you can't be down long, boot with the NTFSDOS boot disk, copy the SAM database to another location, then bring the server back up. This way you run the L0phtcrack tool on a copy of the SAM, extracting the needed password while the server is still online.

Good luck to you.

- Mike
0
 

Author Comment

by:bones030898
ID: 1792133
OK, one last time: if I run the ERD with the known pw
(that I extracted with l0phtcrack; it only gave me the Administrator pw),
will all the other users still be there, and be able to log on
without having to set up all the profiles again?
If I can, mbreuker's answer would be accepted!
Sorry for dragging this on so long.
0
 
LVL 2

Expert Comment

by:mbreuker
ID: 1792134
I guess I wasn't totally clear. I suppose my suggestion was that the ERD was out of date, therefore, although you extracted the Admin password, you couldn't log in with it on the existing system. At least that was my assumption.

The idea is that without doing anything to the operational system, as that might only make matters worse, boot using NTFSDOS on the existing system to get a copy of the SAM, then extract the CURRENT Admin password, or even better, the password for the username of the idiot Administrator (i.e. most Administrators set up their own user accounts with Admin rights) as opposed to the Admin password you got from the potentially outdated ERD, and log in as Administrator or idiot to the current server with the newly acquired password.

As long as you don't do anything to the NT server, if you log in as Administrator, you should see all of the user accounts as they were before you were locked out, with all profiles, etc. intact. If the Administrator was more malicious than just changing the Administrator password - i.e. he deleted or changed user accounts around, etc. - then you will need to take additional steps.

For instance:
If he changed user passwords or deleted user accounts then you will need to restore from the ERD or recreate the user accounts (and reset NTFS permissions since the new user account will have a new SID).
If he deleted or otherwise harmed critical files, you may need to restore from your last "trusted" backup
If he screwed with NTFS permissions or changed application settings, again - you may need to do a combination of the above.

Of course legal action, as suggested by bchew,  is always a good recourse. If the administrator has caused harm to your company, he CAN be held legally liable and fear of this may force cooperation. The problem is he knows the system better than you know the system so even if you "break in" you may have more problems than you bargained for. I am an experienced administrator and have taken over servers from other admins in the past and, unfortunately, in all but one case, I reloaded NT from scratch and now, even in the one case I didn't reload, I am now (2 years later) finding an unresolvable problem that makes me wish I had. Cooperation from the admin is the only way to avoid additional hassle.


0
 

Author Comment

by:bones030898
ID: 1792135
Thank you mbreuker,
that's what I needed to know.
Submit an answer and you've got it: 300 points.
0
 

Author Comment

by:bones030898
ID: 1792136
PS: the ERD will change the admin pw back to the known one, right?
0
 
LVL 2

Accepted Solution

by:
mbreuker earned 300 total points
ID: 1792137
In response to your last question - Yes, the ERD SHOULD restore the SAM, therefore the Admin account and password, but as I said, rather than change the current system by restoring a potentially outdated registry and possibly harming the system, try cracking the current password using the methods I have provided and DO try to log in using the actual username of your administrator as a backup, just in case the Admin account is renamed or something silly like that. The second option is to restore from the ERD disk and lastly to re-install NT.

P.S. Until you get everything back under your control - physically disconnect any modem or phone lines from the box if there are any. You never know. . .
0
 

Author Comment

by:bones030898
ID: 1792138
Adjusted points to 300
0