Domain Admin Password Recovery

A mailicious individual somehow logged into our domain controller and changed the domain administrator password and administrator account username. Currently, we discovered what the domain admin username is but still cannot log into the domain controller. There are no domain admins. All domain admins were removed from membership. Is there a way to log into the server and not have to rebuild a new one?  There is no full backup of the DC.
Randy WakePresident & Cloud Solutions ArchitectAsked:
Who is Participating?
upalakshithaConnect With a Mentor Commented:
Lionel MMConnect With a Mentor Small Business IT ConsultantCommented:
Make sure you disconnect the server from the network until you can regain access because if someone has control of it your efforts can be twarted. . This is from ultimate boot CD (
Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.


Also check they do not have any remote agents installed such as Kasaya,logmein,etc

If you have Microsoft RDP enabled change it to a non-standard listening port.
(Update your firewall accordingly)

Lionelmm - a query ?

Does that work for the domain admin password or just the local admin
I did a job like this a long while ago now
(Russian criminals hacked an sbs server)
vaguely remember going down the route you suggest and it was ok for local server login but not domain admin - Hence using the stellar product ( albeit a purchase )
Not on commission btw :-)

Apologies if I am incorrect on this
Lionel MMSmall Business IT ConsultantCommented:
It worked on my issue several years back and a DC (domain controller) does not have a "local admin"; you cannot logon to it other than with a domain user (domain\username). Unlike other non DC servers you can logon locally and with a domain user. There is also another multi-boot USB I use that provide additional password cracker options, but I have not tested these. ( so if you know yours works it may be worth the cost in terms of time.
OK thanks

It was some time ago that I sorted this and it was SBS2003
I also tried parts of this article

Seems to indicate it will work for a DC but you do need to be able to login with admin rights?
Hence my confusion

Don't want the questioner paying out un-necessarily so the other options may be worth a look
As you say the main thing is to ensure the bad guys do not get back in again
Randy WakePresident & Cloud Solutions ArchitectAuthor Commented:
We ended up rebuilding the server and restoring data from a backup.  What a nightmare!  Thanks all for your recommendations and suggestions for solutions.
Did you ever discover what caused it ?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.