Solved

Lost Local Administrator Password on Windows 2008 R2 (Standard OS)

Posted on 2011-09-21
27
1,041 Views
Last Modified: 2012-05-12
Hi,

We've lost the local administrator account password on our Windows 2008 R2 server. No problem to access the domain admin account, although it doesn't have local admin rights on the server itself. It's come to light because we need to do something low level with a printer installed locally at the server.

Any ideas how we might recover this, either by using 3rd party software or perhaps elevating the permissions of the domain admin account to then allow us to change the local admin password?
 

Thanks in advance
Iain
0
Comment
Question by:iaing1000
  • 10
  • 7
  • 5
  • +2
27 Comments
 

Author Comment

by:iaing1000
ID: 36574722
Hi,

Thanks, will have a look, should this work for local admin on a Windows 2008 R2 Server?

All the best
Iain
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 36574797
In normal cases you are able to change the local username's password if you are logged in as domain administrator, have you tried it?
0
 
LVL 5

Expert Comment

by:andrewmcc
ID: 36575502
Hi
Have you tried using the DART recovery option for Windows?
Gives you the option to do a "password lock reset" on all local user accounts.
You can download it from Microsoft directly if required.
http://www.microsoft.com/windows/enterprise/products/mdop/dart.aspx
0
 

Author Comment

by:iaing1000
ID: 36579476
Hi,

Santasi24: Haven't tried to change the local admin password yet, and not entirely sure how to do this (ie. where to do this). Any attempts to get to local users/passwords handling takes us to Active Directory or tells us that we can only use Active Directory.

andrewmcc: Haven't tried DART yet, although it might be a useful tool if we need to do this.


We're only a small IT company (3 coders!) with very little network knowledge and make do as and when we need to! Ultimately as long as we don't try anything too low level that might risk losing data or re-formatting files we'll be OK.


Thanks
Iain
0
 
LVL 4

Expert Comment

by:h3nnys
ID: 36579546
go to command promt

type net user administrator *

There you can give it a new password
0
 
LVL 4

Expert Comment

by:h3nnys
ID: 36579564
Sorry about that the command is as follows

Type net user administrator <Password>, and then press ENTER.
Note: Please replace the <Password> tag with your passwords which you want to set to administrator account
0
 

Author Comment

by:iaing1000
ID: 36579757
Hi h3nnys,

Just to be clear should I do the following?

Go to the command prompt and type the following followed by <ENTER>
C:>net user administrator "MyPass1"  

I've got a couple of questions:
1. Does this change the domain administrator password or the local administrator password?
2. Do I need single or double quotes for the password...or none at all

Can't try it just now cos out of the office, but would be useful to know this in advance,

Thanks
Iain
0
 
LVL 4

Expert Comment

by:h3nnys
ID: 36579872
here is an example

c:\net user administrator pete123 followed by enter

this will change the local admin password.

also make sure that the local admin is enabled by doing the following

c:\ net user administrator /active:yes
0
 

Author Comment

by:iaing1000
ID: 36585375
Hi,

C:>net user administrator <Password>

This changes only the Domain Administrator password. Have just tried it about 5 times and the doman password changes and the Local Administrator password is still unknown.

It is the LOCAL administrator password we are after, not the domain administrator password,

Thanks
Iain
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 36585394
Since you are logged on, just reset the password for local administrator.

See the picture attached:

Doc3.pdf
0
 
LVL 7

Expert Comment

by:David_Hagerman
ID: 36585395
Net user should work to change the local administrator password as well but here is another tool which can be used from an administrator account

http://jdhitsolutions.com/pwdman/index.htm
0
 
LVL 4

Assisted Solution

by:h3nnys
h3nnys earned 100 total points
ID: 36585396
No it does not I use this command on a regular basis to change the local admin account, but in any case

go to computer management -> local users and groups -> users -> administrator right click and set password
0
 

Author Comment

by:iaing1000
ID: 36585416
Hi,

Thanks for getting back so quickly folks.

When in Computer Management there is no Local Users & Groups option available under System Tools in the treeview. Task Scheduler, Event Viewer, Shared Folders, Performance and Device Manager are all there but no Local Users and Groups option. Very Strange.

Any ideas what's going on,

Thanks again
Iain
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 7

Accepted Solution

by:
David_Hagerman earned 200 total points
ID: 36585476
Right click on my Computer --> manage --> then in the tree view click on Configuration and then under that you should see Local users and Groups.
0
 

Author Comment

by:iaing1000
ID: 36585616
Hi,

Just tried that (it was Computer not My Computer on our server just to mention) and clicked 'Manage'. This took me to the Server Manager and expanding Configuration gave the following options:

Task Scheduler, Windows Firewall with Advanced Security, Services, WMI Control

No option for Local Users and Groups again, which does seem odd.

Thanks
Iain
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 36585636
Open up computer manager from your Windows 7 machine, then connect to that 2008 server, look for the local groups and users there.
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 36585641
What flavor(2008 server) do you have?
0
 

Author Comment

by:iaing1000
ID: 36585694
Hi,

Nice idea, tried the Computer Management console from a Win 7 machine and connected into the server...but the list of options in the treeview again didn't have the Local Users & Groups.

The Server is Win 2008 R2 Standard edition.

It is running as a domain controller in case that helps, because I gather that this might prevent access to local security related options. Is it possible perhaps to reboot the server into a non domain controller mode in order make these local admin account changes and then start it up again as normal?


Thanks
Iain
0
 
LVL 7

Expert Comment

by:David_Hagerman
ID: 36585724
Sorry Iain that isn't possible.

Can you tell us what account you are logging on to the Server with. Also the the windows 7 machine have domain admins rights
0
 
LVL 4

Expert Comment

by:h3nnys
ID: 36585799
Have you tried the 3rd party tool that David_Hagerman suggested ?
0
 

Author Comment

by:iaing1000
ID: 36585806
Hi,

We're logging into the server as the domain Administrator. When connecting via the Computer Management console from another networked machine we also went in as both the domain Adminsitrator and as another user with a high level of permissions. Same result, ie we couldn't see the Local Users & Groups in the tree view when connected to the server.

When on the Win 7 machine's computer management console (before connecting to the server) we could see the local users & groups available ...but it disappeared as soon as the console connected to the server,


Thanks again
Iain
0
 
LVL 17

Assisted Solution

by:Sikhumbuzo Ntsada
Sikhumbuzo Ntsada earned 200 total points
ID: 36585819
Do this: See the PDF attached.
mmc-way.pdf
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 36585823
Once the Local Groups appear, go and change the password.
0
 

Author Comment

by:iaing1000
ID: 36585838
Hi,

Just tried this but to no avail. I got an error message when I got as far as the 'Finish' button explaining that the machine was a domain controller and that such a snap-in could not be added because:

"This snap-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers Snap-in"

Not sure how the local admin account can be changed using AD though?...or if there's another way around this one...

Thanks
Iain

0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 36585866
Okay back to the drawing board, what are you trying to achieve - my memory just came back, you are not able to show this info on a domain controller.

When a server is promoted to to be DC is handles all aspects of security via AD.

So you should be able to perform any task on the server as long you are logged on with Administrator account.



0
 
LVL 7

Expert Comment

by:David_Hagerman
ID: 36585896
Iain, maybe we are looking at this all wrong, what exactly are your trying to achieve with regards to the printer?

You should be able to do most things via the Domain administrator account
0
 

Author Comment

by:iaing1000
ID: 36586223
Hi,

OK, the original problem that prompted this has just been solved! Here goes:

A networked printer could not be seen by any other machines on the network when we tried to add a printer. So, because it was invisible and we knew it was there, we tried to instal it on these machines by specifying the IP address as a port, pointing the machine to this port and installing the appropriate drivers. Nothing worked.

The server machine however did have a legacy instance of this printer installed, which we tried to manipulate unsuccessfully — the idea being to share it and then allow other machines to print from the share. Basically, it wouldn't permit us access to change any of the settings of this old install, complaining that the user (domain administrator) didn't have permission; hence our requirement to log on with full local admin rights.

We started messing about with the printer via a browser to its IP address, that was a struggle itself because of passwords. Bizarrely, once we'd done this, and despite the fact that we didn't alter anything (and although the printer still can't be locally discovered by network machines) the first method described of forcing a local port to the printer IP address and installing drivers against it seemed to suddenly work. On all machines!

The latest is that all networked PCs can use this printer by this method, which is essentially what we wanted. Still have no idea what fixed it, although something might have got nudged somehow when we visited the IP addres via a browser.

I think the local admin rights thing may have been a bit of a wild goose chase (although it would be useful to know what this password is) because there doesn't seem to be anything else the domain admin can't do on that machine; the observed behaviour might have been the result of a corrupted printer install or similar.

Will split the points in due course and thanks for all the help...I certainly feel a bit better armed for AD and Domain Controllers in future,

Iain

Thanks
Iain
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Roaming Profiles 8 62
Error viewing ASP page 12 99
optimal method deal ransomware in files folders 9 62
GPO Delegation 4 16
Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now