Randy Wake
asked on
Domain Admin Password Recovery
A malicious individual somehow logged into our domain controller and changed the domain administrator password and administrator account username. Currently, we discovered what the domain admin username is but still cannot log into the domain controller. There are no domain admins. All domain admins were removed from membership. Is there a way to log into the server and not have to rebuild a new one? There is no full backup of the DC.
It worked on my issue several years back, and a DC (domain controller) does not have a "local admin"; you cannot log on to it other than with a domain user (domain\username). Unlike other, non-DC servers, you cannot log on locally, only with a domain user. There is also another multi-boot USB I use that provides additional password cracker options, but I have not tested these (http://www.pendrivelinux.com/yumi-multiboot-usb-creator/), so if you know yours works it may be worth the cost in terms of time.
OK thanks
It was some time ago that I sorted this and it was SBS2003
I also tried parts of this article
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
Seems to indicate it will work for a DC, but you do need to be able to log in with admin rights?
Hence my confusion.
Don't want the questioner paying out unnecessarily, so the other options may be worth a look.
As you say the main thing is to ensure the bad guys do not get back in again
ASKER
We ended up rebuilding the server and restoring data from a backup. What a nightmare! Thanks all for your recommendations and suggestions for solutions.
Did you ever discover what caused it?
Also check they do not have any remote agents installed such as Kaseya, LogMeIn, etc.
If you have Microsoft RDP enabled, change it to a non-standard listening port.
(Update your firewall accordingly)
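The post-incident checks suggested above (who is still a Domain Admin, which privileged accounts changed recently, whether remote-management agents are present, and what port RDP is really listening on), as an added PowerShell example that is not from any poster in this thread. It assumes it is run elevated on a Windows Server 2012 or later domain member with the ActiveDirectory and NetSecurity modules available; the agent name patterns are a constructed list to extend for your own environment.

```powershell
# Added example: post-incident audit checks for a recovered or rebuilt DC.
# Assumes: elevated PowerShell on Windows Server 2012+ with the ActiveDirectory
# and NetSecurity modules. Agent patterns below are constructed for illustration.
Import-Module ActiveDirectory

# 1. Current Domain Admins membership. An empty or unexpected list is the finding.
Write-Host "Domain Admins members:"
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Select-Object Name, SamAccountName, objectClass | Format-Table -AutoSize

# 2. Protected (adminCount=1) accounts whose password or object changed recently.
$since = (Get-Date).AddDays(-30)   # adjust the window to the incident timeline
Get-ADUser -Filter 'adminCount -eq 1' -Properties PasswordLastSet, whenChanged |
    Where-Object { $_.PasswordLastSet -ge $since -or $_.whenChanged -ge $since } |
    Select-Object SamAccountName, PasswordLastSet, whenChanged | Format-Table -AutoSize

# 3. Remote-management agents: check services and installed-program entries.
$agentPatterns = 'Kaseya|LogMeIn|TeamViewer|AnyDesk|ScreenConnect|Splashtop'   # constructed list
Write-Host "Services matching remote-agent patterns:"
Get-Service | Where-Object { $_.DisplayName -match $agentPatterns -or $_.Name -match $agentPatterns } |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Write-Host "Installed programs matching remote-agent patterns:"
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $agentPatterns } |
    Select-Object DisplayName, Publisher, InstallDate | Format-Table -AutoSize

# 4. RDP: is it enabled, which port does it listen on, and which inbound allow
#    rules actually open that port (the firewall must follow a port change).
$tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPort = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
$rdpOn   = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
Write-Host "RDP enabled: $rdpOn, listening on TCP $rdpPort"
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$rdpPort" } |
    Select-Object DisplayName, Profile | Format-Table -AutoSize
```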
Lionelmm - a query?
Does that work for the domain admin password or just the local admin?
I did a job like this a long while ago now
(Russian criminals hacked an SBS server).
I vaguely remember going down the route you suggest, and it was OK for local server login but not domain admin - hence using the Stellar product (albeit a purchase).
Not on commission, btw :-)
Apologies if I am incorrect on this.