Solved

Sam Files

Posted on 2004-09-19
9 comments, 355 views
Last Modified: 2013-12-04
I have a small issue where I work. The company I work for recently fired the desktop support guy (the only one for the building), and as such, he took with him the password for the admin accounts on the local machines. It gets more difficult too. We use a variety of Win 2000/XP machines. In addition to this, he not only had more than one password, but a variety of the same passwords. He also removed the domain group, so that a simple push cannot be made to reset it. What are your recommended solutions for the expeditious recovery of the passwords from the SAM files?
Question by:myomoto
9 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 12095881
Do you still have the domain administrator logon?
 
LVL 32

Expert Comment

by:LucF
ID: 12095884
Hi myomoto,

There's no need in your case to recover the Administrator password; what you need is a way to reset the password. Here's a list of tools to do so: http:Q_20723476.html
A full walkthrough can be found at PeteLong's site: http://www.petenetlive.com/Tech/Windows/WinGen/passwordrecovery.htm

Greetings,

LucF
 
LVL 1

Author Comment

by:myomoto
ID: 12095887
I am set up as basically a power user. I know I can use the domain administrator, but I'd like to steer away from that if possible. There are 200+ machines I'd have to do this on.
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 12095979
Assuming you have the W2k Resource Kit (namely local.exe, getsid.exe, cusrmgr.exe), this script will do the trick.
It will rename the built-in local Administrator account on a given machine or list of machines (they might have been renamed), and it will change the password. While it's at it, it will give you a list of other accounts or groups that are in the local Administrators group.
The script is currently in test mode (note the setting at the beginning), so you can do a trial run.

====8<----[RenBIAdmin.cmd]----
@echo off
setlocal
:: *** renbiadmin.cmd
:: *** Renames the built-in administrator account of the specified machine and changes the password
:: *** Necessary external tools (from the W2k Resource Kit): local.exe, getsid.exe, cusrmgr.exe
:: *** New name of the built-in administrator account:
set NewAdmin=LocalAdmin
:: *** New password of the built-in administrator account
:: *** (stored here in clear text, so restrict access to this script file):
set NewPassword=secret
:: *** "set Test=echo" (without quotation marks) for testing purposes,
:: *** "set Test=" (without quotation marks) to get serious
:: *** in test mode, it will do everything as usual, but it will neither
:: *** rename the account nor change the password.
set Test=echo
:: *** Localization; the name of the Local Administrators Group:
set AdminGroup=Administrators
:: *** List the Administrator's SID (TRUE to enable, empty or FALSE to disable):
set EnableSID=FALSE
:: *** (path and) name of the log file:
set LogFile=%~n0.log
:: *** (path and) name of the file with failed machine names:
set FailedFile=%~n0.txt

:: *** Built-in System Administrator RID (Default: 500):
set BIAdminRID=500
:: *** Admin share (used to verify administrative credentials):
set AdminShare=C$

if %1.==. goto Syntax
if exist "%FailedFile%" del "%FailedFile%"
(echo Machine Name;Local Admins;Built-in Admin;Other Admins;Return Code "Rename";Return Code "New Password")>"%LogFile%"
echo ======================================================================
if /i not %1.==/L. goto process
if %2.==. goto Syntax
set ListFile=%2
if not exist %ListFile% (
  echo Error: The list file does not exist.
  goto leave
)
for /f %%a in ('type %ListFile%') do call :process %%a
goto leave

:process
set Machine=%1
set BuiltinAdmin=
set LocalAdmins=
set OtherAdmins=
set Failed=
:: *** check if remote machine is alive:
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 (
  set Machine=%Machine% [failed: not responding]
  set BuiltinAdmin=[skipped]
  set LocalAdmins=,[skipped]
  set OtherAdmins=,[skipped]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  set Failed=%Machine%
  goto log
)
:: *** check for administrative privileges on the remote machine:
net use \\%Machine%\%AdminShare% 1>NUL 2>NUL
if errorlevel 1 (
  set Machine=%Machine% [failed: access denied]
  set BuiltinAdmin=[skipped]
  set LocalAdmins=,[skipped]
  set OtherAdmins=,[skipped]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  set Failed=%Machine%
  goto log
)
net use \\%Machine%\%AdminShare% /delete 1>NUL 2>NUL

:: *** Check for the local built-in administrator account:
:CheckAdmins
for /f "tokens=1* delims=\" %%a in ('local %AdminGroup% \\%Machine%') do (
  set CheckDomain=%%a
  set CheckAdmin=%%b
  call :FindBuiltIn
)

:: *** Check if the built-in account was found:
if "%BuiltinAdmin%"=="" (
  set BuiltinAdmin=[undetermined]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  set Failed=%Machine%
  goto log
)

:: *** Check if the built-in account already has the correct name:
if /i "%BuiltinAdmin%"=="%NewAdmin%" (
  set RCRename=[skipped: name ok]
  goto ChangePass
)
:: *** Rename the built-in account and save the return code:
set RCRename=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %BuiltinAdmin% -m \\%Machine% -r %NewAdmin% ^| find /i "ERROR"') do set RCRename=%%a
if "%RCRename%"=="" set RCRename=0
:: *** Check if renaming was successful:
if %RCRename% GTR 0 (
  set RCNewPass=[skipped: couldn't rename]
  set Failed=%Machine%
  goto log
)

:ChangePass
:: *** Change the password and save the return code:
set RCNewPass=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %NewAdmin% -m \\%Machine% -P %NewPassword% ^| find /i "ERROR"') do set RCNewPass=%%a
if "%RCNewPass%"=="" set RCNewPass=0
if %RCNewPass% GTR 0 set failed=%Machine%
goto log

:: **********************************************************************
:: *** Subroutines:
:FindBuiltIn
:: *** Check if the account to be tested is a local one; if not, save it and return:
if /i not "%CheckDomain%"=="%Machine%" (
  set OtherAdmins=%OtherAdmins%,%CheckDomain%\%CheckAdmin%
  goto :eof
)

:: *** Get the administrator's SID of the remote machine:
for /f "tokens=7 skip=2" %%a in ('getsid \\%Machine% %CheckAdmin% \\%Machine% %CheckAdmin%') do set SID=%%a
:: *** Get the Relative Identifier:
for %%a in (%SID:-= %) do set RID=%%a
set LocalAdmins=%LocalAdmins%,%CheckAdmin%
if /i "%EnableSID%"=="TRUE" set LocalAdmins=%LocalAdmins% {%SID%}
if "%RID%"=="%BIAdminRID%" set BuiltinAdmin=%CheckAdmin%
goto :eof

:Syntax
echo.
echo renbiadmin.cmd
echo.
echo Renames the built-in administrator account ^(independently of its current name^)
echo of a given machine or a list of machines and resets the password.
echo Creates a ";"-separated logfile and a list of machines where renaming or
echo password change wasn't successful.
echo If run in test mode, no renaming/password change is done.
set TM=ON&if .%Test%.==.. set TM=OFF
echo New Admin:     %NewAdmin%
echo Logfile:       %LogFile%
echo "Failed" list: %FailedFile%
echo     Attention: Rename this file before using it as machine list with /L!
echo                The file will be deleted/recreated when running the script.
echo Test mode:     %TM%
echo.
echo Syntax:
echo renbiadmin { ^<machine^> ^| /L ^<list^> }
echo ^<machine^>: Renames the administrator account of ^<machine^>.
echo /L ^<list^>: Renames the administrator account of all machines in ^<list^>
echo            (one name per line).
goto leave
:: **********************************************************************

:log
:: *** Guard against an empty list before stripping the leading comma:
if "%LocalAdmins%"=="" set LocalAdmins=,[none]
set LocalAdmins=%LocalAdmins:~1%
if "%OtherAdmins%"=="" set OtherAdmins=,[none]
set OtherAdmins=%OtherAdmins:~1%
(echo %Machine%;%LocalAdmins%;%BuiltinAdmin%;%OtherAdmins%;%RCRename%;%RCNewPass%)>>"%LogFile%"
if not "%Failed%"=="" (echo %Failed%)>>"%FailedFile%"
echo Machine:        %Machine%
echo Local Admins:   %LocalAdmins%
echo Built-in Admin: %BuiltinAdmin%
echo Other Admins:   %OtherAdmins%
echo RC Rename:      %RCRename%
echo RC Password:    %RCNewPass%
echo ======================================================================

:leave
====8<----[RenBIAdmin.cmd]----
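The point of the script above is that the built-in Administrator account is located by its RID (500) rather than by its name, so an account the departed admin renamed is still caught, and every other member of the local Administrators group is recorded for review. The following Python is an added example, not oBdA's script and not a Resource Kit tool: it re-implements that classification and the test-mode command planning over constructed `local`/`getsid`-style output embedded in the file, so it runs offline. The function names (`inventory_admins`, `plan_rotation`, `log_line`), the machine name WS042, the account names and the SIDs are all assumptions invented for the example; a real run would obtain the group listing and SIDs from the tools the script calls.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

BUILTIN_ADMIN_RID = 500  # well-known RID of the built-in Administrator account

# Constructed stand-in for the output of `local Administrators \\WS042`:
# one member per line in DOMAIN\account form. Not captured from a real machine.
SAMPLE_LOCAL_OUTPUT = """\
WS042\\SuperUser
CORP\\Domain Admins
WS042\\helpdesk
CORP\\jdoe
"""

# Constructed SIDs, standing in for what getsid.exe would report per local account.
SAMPLE_SIDS: Dict[str, str] = {
    "SuperUser": "S-1-5-21-1004336348-1177238915-682003330-500",
    "helpdesk": "S-1-5-21-1004336348-1177238915-682003330-1005",
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def rid_of(sid: str) -> int:
    """Relative identifier = last dash-separated component of the SID
    (what the script's `for %%a in (%SID:-= %)` loop ends up with)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])


@dataclass
class AdminInventory:
    machine: str
    local_admins: List[str] = field(default_factory=list)  # accounts local to the machine
    other_admins: List[str] = field(default_factory=list)  # domain users/groups in the group
    builtin_admin: Optional[str] = None                     # current name of the RID-500 account


def inventory_admins(machine: str, local_output: str,
                     sid_lookup: Callable[[str], str]) -> AdminInventory:
    """Split Administrators-group members into local and foreign, and identify
    the built-in account by RID, so a renamed Administrator is still found."""
    inv = AdminInventory(machine)
    for line in local_output.splitlines():
        if "\\" not in line:
            continue
        domain, account = line.split("\\", 1)
        if domain.lower() != machine.lower():
            inv.other_admins.append(f"{domain}\\{account}")
            continue
        inv.local_admins.append(account)
        if rid_of(sid_lookup(account)) == BUILTIN_ADMIN_RID:
            inv.builtin_admin = account
    return inv


def plan_rotation(inv: AdminInventory, new_name: str) -> List[str]:
    """Return the cusrmgr command lines the script would run for this machine
    without executing anything (the equivalent of its `set Test=echo` mode).
    The password is left as a placeholder so it never appears in the plan."""
    if inv.builtin_admin is None:
        return []  # [undetermined]: nothing safe to do, machine goes on the failed list
    cmds = []
    if inv.builtin_admin.lower() != new_name.lower():  # otherwise "[skipped: name ok]"
        cmds.append(f"cusrmgr -u {inv.builtin_admin} -m \\\\{inv.machine} -r {new_name}")
    cmds.append(f"cusrmgr -u {new_name} -m \\\\{inv.machine} -P <NewPassword>")
    return cmds


def log_line(inv: AdminInventory, new_name: str) -> str:
    """Semicolon-separated record in the same column order as the script's log file."""
    cmds = plan_rotation(inv, new_name)
    if not cmds:
        rename = newpass = "[skipped]"
    else:
        rename = "planned" if len(cmds) == 2 else "[skipped: name ok]"
        newpass = "planned"
    return ";".join([
        inv.machine,
        ",".join(inv.local_admins) or "[none]",
        inv.builtin_admin or "[undetermined]",
        ",".join(inv.other_admins) or "[none]",
        rename, newpass,
    ])


if __name__ == "__main__":
    inv = inventory_admins("WS042", SAMPLE_LOCAL_OUTPUT, SAMPLE_SIDS.__getitem__)
    for cmd in plan_rotation(inv, "LocalAdmin"):
        print(cmd)
    print(log_line(inv, "LocalAdmin"))
```

Matching on the RID instead of the name is what makes the approach robust to a renamed account, and the "other admins" column is the part worth reading after an offboarding: any domain user or group the former admin added to the local Administrators group shows up there even though its password is not being rotated.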
 
LVL 1

Author Comment

by:myomoto
ID: 12096274
Well, as it turned out, I found a copy of ERD Commander 2002 and will give this a try first. If it doesn't work, then I'll give your suggestions a try. Thank you for your speedy replies! Even if it works, you both have my vote to split the points.
 

Expert Comment

by:FF1337
ID: 12148545
The fast way is to boot it with an NTFS DOS boot disk, then delete the SAM files and reboot,
and you've got the administrator password as blank.
