Solved

Domain Admin Password Recovery

Posted on 2012-12-28
8
405 Views
Last Modified: 2013-01-18
A mailicious individual somehow logged into our domain controller and changed the domain administrator password and administrator account username. Currently, we discovered what the domain admin username is but still cannot log into the domain controller. There are no domain admins. All domain admins were removed from membership. Is there a way to log into the server and not have to rebuild a new one?  There is no full backup of the DC.
0
Comment
Question by:Randy Wake
8 Comments
 
LVL 10

Assisted Solution

by:cpmcomputers
cpmcomputers earned 167 total points
ID: 38726917
0
 
LVL 13

Accepted Solution

by:
upalakshitha earned 167 total points
ID: 38726930
0
 
LVL 24

Assisted Solution

by:Lionel MM
Lionel MM earned 166 total points
ID: 38729127
Make sure you disconnect the server from the network until you can regain access because if someone has control of it your efforts can be twarted. . This is from ultimate boot CD (http://www.ultimatebootcd.com/) http://www.ehow.com/how_8226489_reset-password-ultimate-boot-cd.html
http://pogostick.net/~pnh/ntpasswd/
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 10

Expert Comment

by:cpmcomputers
ID: 38729153
Agreed

Also check they do not have any remote agents installed such as Kasaya,logmein,etc

If you have Microsoft RDP enabled change it to a non-standard listening port.
(Update your firewall accordingly)

Lionelmm - a query ?

Does that work for the domain admin password or just the local admin
I did a job like this a long while ago now
(Russian criminals hacked an sbs server)
vaguely remember going down the route you suggest and it was ok for local server login but not domain admin - Hence using the stellar product ( albeit a purchase )
Not on commission btw :-)

Apologies if I am incorrect on this
0
 
LVL 24

Expert Comment

by:Lionel MM
ID: 38729191
It worked on my issue several years back and a DC (domain controller) does not have a "local admin"; you cannot logon to it other than with a domain user (domain\username). Unlike other non DC servers you can logon locally and with a domain user. There is also another multi-boot USB I use that provide additional password cracker options, but I have not tested these. (http://www.pendrivelinux.com/yumi-multiboot-usb-creator/) so if you know yours works it may be worth the cost in terms of time.
0
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 38729225
OK thanks

It was some time ago that I sorted this and it was SBS2003
I also tried parts of this article

http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

Seems to indicate it will work for a DC but you do need to be able to login with admin rights?
Hence my confusion

Don't want the questioner paying out un-necessarily so the other options may be worth a look
As you say the main thing is to ensure the bad guys do not get back in again
0
 

Author Comment

by:Randy Wake
ID: 38791994
We ended up rebuilding the server and restoring data from a backup.  What a nightmare!  Thanks all for your recommendations and suggestions for solutions.
0
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 38792013
Did you ever discover what caused it ?
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SBS 2011 Rollup 18 112
ONE network -- MULTIPLE Winodws 2012 domains ? 1 54
Upgrading from SBS2003 to Windows Server 2012r2 Essentials 13 46
MS Endpoint Protection 2 25
Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question