Steve Marin

Windows Storage Server 2003 lsass.exe can't log in after password change

Experts,

We have a 2003 storage server that we had to join to a new domain. Well, we failed to realize that we did not know the local admin account password to log in after the disjoin. We popped in a Trinity Rescue Kit CD to reset/blank the password, but now upon boot we get the below error, and when we try to boot into safe mode it does the same thing. What options do we have?


tstritof

Hi,

Could you please explain what error you are referring to? I can't find anything attached to your post.

Regards,
Tomislav

Steve Marin
ASKER

Oh snap, I don't know why the image did not post. Trying again:

http://i794.photobucket.com/albums/yy221/appzattak/IMG_20101112_144545.jpg

Have you attempted system recovery or system repair? I had a similar problem once on XP, and after doing some research I decided to wipe and rebuild the machine, since there was nothing of great importance on the disk that would justify the alternate solutions.

Here are some of the solutions that were suggested:
- system recovery,
- repair install (sometimes with chkdsk applied in the process),
- reinstall (to the same folder as the previous Windows installation) with creation of a new admin user in the process,
- various manual procedures for recovery of system files - some suggested by MS (like this KB307545), some not - mostly applied with partial success.

The option you decide to follow should take into account the following:
- you were planning to move the server to a new domain in the first place, and have already taken it out of the old domain, so no user accounts or profiles on the server need to be preserved for the future,
- since this is a storage server, there are probably files there that need to be salvaged - this is the most important criterion to satisfy in any solution scenario,
- the OS install itself is important only if necessary to recover the data stored on the server, and can be reinstalled or whatever as long as it doesn't compromise the possibility to recover the data,
- to ensure the possibility of recovering your data, backing up the contents of your drives would be a good thing to do if not already done,
- if you don't have a backup of the data and can't boot to Windows to perform a normal backup, I'm guessing that this server had some kind of "hardware" redundancy (like RAID1, RAID1+0, or RAID5),
- if you do have one of the above RAID configurations, you should have the option to create additional copies of your data without booting to Windows "simply" by introducing empty replacement discs into your RAID array and thus creating a copy of your server on a new set of drives - this is not a risk-free operation and I suggest that you take that path ONLY if you know EXACTLY how to do this,
- after you have your data backed up and safe, you can try doing whatever is necessary on the server to gain access to the data - I suggest contacting MS support and explaining exactly how you got into the situation - however, if you have time and will on your hands, you can try some of the solutions above (my favorite being an "in-place" reinstall of Windows).

Regards,
Tomislav

I agree that backing up first is a really good idea for this situation.

You might also consider re-running the password tool and assigning an actual password to the admin account, as it is not designed to run without one.

If that is not an option with your utility, I can dig one up for you.
Here's a brief overview of your problem. Without any malfunction from the password utility, there is:
(1) A service that depended on the admin creds to run now has no permissions.

(2) The admin account is being blocked because it has no password.

(3) Files needed to run were encrypted by the admin account, and changing the password has killed the hash.

If the utility coughed a furball, you might have a corrupted SID database.


Some of this might be corrected with a repair install, but not an encryption issue or a bad SID database. (It might help, but no guarantees.)

How to proceed is mostly dependent on the value of the data and configuration settings on the server. If the configuration and data just aren't very important to you, it's probably faster to wipe the system and re-load it.

If the data is the only important thing on the server, use a utility like Clonezilla to copy the data to a separate drive before wiping. (This requires an extra hard drive big enough to hold the data, and enough understanding to pick out the drive you want to copy.)
ASKER CERTIFIED SOLUTION
Steve Marin
This was fixed by restoring a backup image of the server.