Solved

Sam Files

Posted on 2004-09-19
9
348 Views
Last Modified: 2013-12-04
I have a small issue where I work. The company I work for recently fired the desktop support guy (the only one for the building), and as such, he took with him the password for admin accounts on the local machine. It gets more difficult too. We use a variety of Win 2000/XP machines. In addition to this, he not only had more than one password, but a variety of the same passwords. He also removed the domain group so that a simple push cannot be made to reset it. What are your recommended solutions for the expeditious recovery of the passwords from the SAM files?
0
Comment
Question by:myomoto
9 Comments
 
LVL 82

Expert Comment

by:oBdA
Do you still have the domain administrator logon?
0
 
LVL 32

Expert Comment

by:Luc Franken
Hi myomoto,

There's no need in your case to recover the Administrator password; what you need is a way to reset the password. Here's a list of tools to do so: http:Q_20723476.html
A full walkthrough can be found at PeteLong's site: http://www.petenetlive.com/Tech/Windows/WinGen/passwordrecovery.htm

Greetings,

LucF
0
 
LVL 1

Author Comment

by:myomoto
I am set up as basically a power user. I know I can use the domain administrator, but I'd like to steer away from that if possible. I'd have to do this on 200+ machines.
0
 
LVL 82

Accepted Solution

by:oBdA (earned 500 total points)
Assuming you have the W2k Resource Kit (namely local.exe, getsid.exe, cusrmgr.exe), this script will do the trick.
It will rename the built-in local Administrator account on a given machine or a list of machines (the accounts might have been renamed), and it will change the password. While it's at it, it will give you a list of other accounts or groups that are in the local Administrators group.
The script is currently in test mode (note the setting at the beginning), so you can do a trial run.

====8<----[RenBIAdmin.cmd]----
@echo off
setlocal
:: *** renbiadmin.cmd
:: *** Renames the built in administrator account of the specified machine and changes the password
:: *** Necessary external tools (from the W2k Resource Kit): local.exe, getsid.exe, cusrmgr.exe
:: *** New name of the built-in administrator account:
set NewAdmin=LocalAdmin
:: *** New password of the built-in administrator account:
set NewPassword=secret
:: *** "set Test=echo" (without quotation marks) for testing purposes,
:: *** "set Test=" (without quotation marks) to get serious
:: *** in test mode, it will do everything as usual, but it will neither
:: *** rename the account nor change the password.
set Test=echo
:: *** Localization; the name of the Local Administrators Group:
set AdminGroup=Administrators
:: *** List the Administrator's SID (TRUE to enable, empty or FALSE to disable):
set EnableSID=FALSE
:: *** (path and) name of the log file:
set LogFile=%~n0.log
:: *** (path and) name of the file with failed machine names:
set FailedFile=%~n0.txt

:: *** Built-in System Administrator RID (Default: 500):
set BIAdminRID=500
:: *** Admin share (used to verify administrative credentials):
set AdminShare=C$

if %1.==. goto Syntax
if exist "%FailedFile%" del "%FailedFile%"
(echo Machine Name;Local Admins;Built-in Admin;Other Admins;Return Code "Rename";Return Code "New Password")>"%LogFile%"
echo ======================================================================
if /i not %1.==/L. goto process
if %2.==. goto Syntax
set ListFile=%2
if not exist %ListFile% (
  echo Error: The list file does not exist.
  goto leave
)
for /f %%a in ('type %ListFile%') do call :process %%a
goto leave

:process
set Machine=%1
set BuiltinAdmin=
set LocalAdmins=
set OtherAdmins=
set Failed=
:: *** check if remote machine is alive:
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 (
  set Machine=%Machine% [failed: not responding]
  set BuiltinAdmin=[skipped]
  set LocalAdmins=,[skipped]
  set OtherAdmins=,[skipped]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  set Failed=%Machine%
  goto log
)
:: *** check for administrative privileges on the remote machine:
net use \\%Machine%\%AdminShare% 1>NUL 2>NUL
if errorlevel 1 (
  set Machine=%Machine% [failed: access denied]
  set BuiltinAdmin=[skipped]
  set LocalAdmins=,[skipped]
  set OtherAdmins=,[skipped]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  set Failed=%Machine%
  goto log
)
net use \\%Machine%\%AdminShare% /delete 1>NUL 2>NUL

:: *** Check for the local built-in administrator account:
:CheckAdmins
for /f "tokens=1* delims=\" %%a in ('local %AdminGroup% \\%Machine%') do (
  set CheckDomain=%%a
  set CheckAdmin=%%b
  call :FindBuiltIn
)

:: *** Check if the built-in account was found:
if "%BuiltinAdmin%"=="" (
  set BuiltinAdmin=[undetermined]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  set Failed=%Machine%
  goto log
)

:: *** Check if the built-in account already has the correct name:
if /i "%BuiltinAdmin%"=="%NewAdmin%" (
  set RCRename=[skipped: name ok]
  goto ChangePass
)
:: *** Rename the built-in account and save the return code:
set RCRename=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %BuiltinAdmin% -m \\%Machine% -r %NewAdmin% ^| find /i "ERROR"') do set RCRename=%%a
if "%RCRename%"=="" set RCRename=0
:: *** Check if renaming was successful:
if %RCRename% GTR 0 (
  set RCNewPass=[skipped: couldn't rename]
  set Failed=%Machine%
  goto log
)

:ChangePass
:: *** Change the password and save the return code:
set RCNewPass=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %NewAdmin% -m \\%Machine% -P %NewPassword% ^| find /i "ERROR"') do set RCNewPass=%%a
if "%RCNewPass%"=="" set RCNewPass=0
if %RCNewPass% GTR 0 set failed=%Machine%
goto log

:: **********************************************************************
:: *** Subroutines:
:FindBuiltIn
:: *** Check if the account to be tested is a local one; if not, save it and return:
if /i not "%CheckDomain%"=="%Machine%" (
  set OtherAdmins=%OtherAdmins%,%CheckDomain%\%CheckAdmin%
  goto :eof
)

:: *** Get the administrator's SID of the remote machine:
for /f "tokens=7 skip=2" %%a in ('getsid \\%Machine% %CheckAdmin% \\%Machine% %CheckAdmin%') do set SID=%%a
:: *** Get the Relative Identifier:
for %%a in (%SID:-= %) do set RID=%%a
set LocalAdmins=%LocalAdmins%,%CheckAdmin%
if /i "%EnableSID%"=="TRUE" set LocalAdmins=%LocalAdmins% {%SID%}
if "%RID%"=="%BIAdminRID%" set BuiltinAdmin=%CheckAdmin%
goto :eof

:Syntax
echo.
echo renbiadmin.cmd
echo.
echo Renames the built-in administrator account ^(independently of its current name^)
echo of a given machine or a list of machines and resets the password.
echo Creates a ";"-separated logfile and a list of machines where renaming or
echo password change wasn't successful.
echo If run in test mode, no renaming/password change is done.
set TM=ON&if .%Test%.==.. set TM=OFF
echo New Admin:     %NewAdmin%
echo Logfile:       %LogFile%
echo "Failed" list: %FailedFile%
echo     Attention: Rename this file before using it as machine list with /L!
echo                The file will be deleted/recreated when running the script.
echo Test mode:     %TM%
echo.
echo Syntax:
echo renbiadmin { ^<machine^> ^| /L ^<list^> }
echo ^<machine^>: Renames the administrator account of ^<machine^>.
echo /L ^<list^>: Renames the administrator account of all machines in ^<list^>
echo            (one name per line).
goto leave
:: **********************************************************************

:log
set LocalAdmins=%LocalAdmins:~1%
if "%OtherAdmins%"=="" set OtherAdmins=,[none]
set OtherAdmins=%OtherAdmins:~1%
(echo %Machine%;%LocalAdmins%;%BuiltinAdmin%;%OtherAdmins%;%RCRename%;%RCNewPass%)>>"%LogFile%"
if not "%Failed%"=="" (echo %Failed%)>>"%FailedFile%"
echo Machine:        %Machine%
echo Local Admins:   %LocalAdmins%
echo Built-in Admin: %BuiltinAdmin%
echo Other Admins:   %OtherAdmins%
echo RC Rename:      %RCRename%
echo RC Password:    %RCNewPass%
echo ======================================================================

:leave
====8<----[RenBIAdmin.cmd]----
0
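As an added audit helper (not part of oBdA's answer or the Resource Kit), this Python snippet reads the ';'-separated log that RenBIAdmin.cmd writes, assuming the EnableSID=TRUE layout, and flags the rows an admin would want to follow up on after such a run: machines the script skipped, local Administrators members other than the RID-500 account, group members outside a hypothetical allowlist, and failed rename or password steps. The log rows are constructed sample data.

```python
import re

BUILTIN_ADMIN_RID = 500  # same default as the script's BIAdminRID

# Constructed sample of the log the script writes (EnableSID=TRUE layout).
SAMPLE_LOG = """Machine Name;Local Admins;Built-in Admin;Other Admins;Return Code "Rename";Return Code "New Password"
PC001;LocalAdmin {S-1-5-21-111-222-333-500};LocalAdmin;CORP\\Domain Admins;0;0
PC002;Administrator {S-1-5-21-444-555-666-500},helpdesk {S-1-5-21-444-555-666-1003};Administrator;CORP\\Domain Admins,CORP\\oldtech;5;[skipped: couldn't rename]
PC003 [failed: not responding];[skipped];[skipped];[skipped];[skipped];[skipped]
"""

EXPECTED_OTHER_ADMINS = {"CORP\\Domain Admins"}  # hypothetical allowlist


def rid_of(sid):
    """Relative identifier: the last hyphen-separated SID component
    (the batch equivalent is the loop over %SID:-= %)."""
    return int(sid.rsplit("-", 1)[1])


def parse_log(text):
    """Split each data row into the six ';'-separated fields the script emits."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header line
        machine, local, builtin, other, rc_ren, rc_pw = line.split(";")
        local_accounts = []
        for entry in local.split(","):
            m = re.match(r"^(.*?)(?: \{(S-[\d-]+)\})?$", entry)
            local_accounts.append((m.group(1), m.group(2)))  # (name, SID or None)
        rows.append({"machine": machine, "local": local_accounts, "builtin": builtin,
                     "other": other.split(","), "rc_rename": rc_ren, "rc_pw": rc_pw})
    return rows


def audit(rows, expected_other=EXPECTED_OTHER_ADMINS):
    """Return (machine, finding) pairs worth following up on."""
    findings = []
    for r in rows:
        host = r["machine"].split(" [")[0]
        if "[" in r["machine"] or r["builtin"].startswith("["):
            findings.append((host, "not processed: " + r["builtin"]))
            continue
        for name, sid in r["local"]:
            if sid and rid_of(sid) == BUILTIN_ADMIN_RID and name != r["builtin"]:
                findings.append((host, "RID-500 account mismatch: " + name))
            elif sid and rid_of(sid) != BUILTIN_ADMIN_RID:
                findings.append((host, "extra local admin: " + name))
        for acct in r["other"]:
            if acct != "[none]" and acct not in expected_other:
                findings.append((host, "unexpected admin group member: " + acct))
        if r["rc_rename"] != "0" or r["rc_pw"] != "0":
            findings.append((host, "rename/password step failed"))
    return findings
```

Machines listed in the script's "failed" file show up here as "not processed", so the same report covers both outputs.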
 
LVL 1

Author Comment

by:myomoto
Well, as it turned out, I found a copy of ERD Commander 2002 and will give this a try first. If it doesn't work, then I'll give your suggestions a try. Thank you for your speedy replies! Even if it works, you both have my vote to split the points.
0
 

Expert Comment

by:FF1337
The fast way is to boot it with an NTFS DOS boot disk, then delete the SAM files and reboot,
and you've got the Administrator password as blank.
0
