Domain Admin Password Recovery

Randy Wake
Randy Wake used Ask the Experts™
on
A mailicious individual somehow logged into our domain controller and changed the domain administrator password and administrator account username. Currently, we discovered what the domain admin username is but still cannot log into the domain controller. There are no domain admins. All domain admins were removed from membership. Is there a way to log into the server and not have to rebuild a new one?  There is no full backup of the DC.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
IT System Administrator
Commented:
Lionel MMSmall Business IT Consultant
Commented:
Make sure you disconnect the server from the network until you can regain access because if someone has control of it your efforts can be twarted. . This is from ultimate boot CD (http://www.ultimatebootcd.com/) http://www.ehow.com/how_8226489_reset-password-ultimate-boot-cd.html
http://pogostick.net/~pnh/ntpasswd/
11/26 Forrester Webinar: Savings for Enterprise

How can your organization benefit from savings just by replacing your legacy backup solutions with Acronis' #CyberProtection? Join Forrester's Joe Branca and Ryan Davis from Acronis live as they explain how you can too.

cpmcomputersManaging Director

Commented:
Agreed

Also check they do not have any remote agents installed such as Kasaya,logmein,etc

If you have Microsoft RDP enabled change it to a non-standard listening port.
(Update your firewall accordingly)

Lionelmm - a query ?

Does that work for the domain admin password or just the local admin
I did a job like this a long while ago now
(Russian criminals hacked an sbs server)
vaguely remember going down the route you suggest and it was ok for local server login but not domain admin - Hence using the stellar product ( albeit a purchase )
Not on commission btw :-)

Apologies if I am incorrect on this
Lionel MMSmall Business IT Consultant

Commented:
It worked on my issue several years back and a DC (domain controller) does not have a "local admin"; you cannot logon to it other than with a domain user (domain\username). Unlike other non DC servers you can logon locally and with a domain user. There is also another multi-boot USB I use that provide additional password cracker options, but I have not tested these. (http://www.pendrivelinux.com/yumi-multiboot-usb-creator/) so if you know yours works it may be worth the cost in terms of time.
cpmcomputersManaging Director

Commented:
OK thanks

It was some time ago that I sorted this and it was SBS2003
I also tried parts of this article

http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

Seems to indicate it will work for a DC but you do need to be able to login with admin rights?
Hence my confusion

Don't want the questioner paying out un-necessarily so the other options may be worth a look
As you say the main thing is to ensure the bad guys do not get back in again
Randy WakePresident & Cloud Solutions Architect

Author

Commented:
We ended up rebuilding the server and restoring data from a backup.  What a nightmare!  Thanks all for your recommendations and suggestions for solutions.
cpmcomputersManaging Director

Commented:
Did you ever discover what caused it ?

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial