Solved

Domain Admin Password Recovery

Posted on 2012-12-28
8
407 Views
Last Modified: 2013-01-18
A mailicious individual somehow logged into our domain controller and changed the domain administrator password and administrator account username. Currently, we discovered what the domain admin username is but still cannot log into the domain controller. There are no domain admins. All domain admins were removed from membership. Is there a way to log into the server and not have to rebuild a new one?  There is no full backup of the DC.
0
Comment
Question by:Randy Wake
8 Comments
 
LVL 10

Assisted Solution

by:cpmcomputers
cpmcomputers earned 167 total points
ID: 38726917
0
 
LVL 13

Accepted Solution

by:
upalakshitha earned 167 total points
ID: 38726930
0
 
LVL 25

Assisted Solution

by:Lionel MM
Lionel MM earned 166 total points
ID: 38729127
Make sure you disconnect the server from the network until you can regain access because if someone has control of it your efforts can be twarted. . This is from ultimate boot CD (http://www.ultimatebootcd.com/) http://www.ehow.com/how_8226489_reset-password-ultimate-boot-cd.html
http://pogostick.net/~pnh/ntpasswd/
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 10

Expert Comment

by:cpmcomputers
ID: 38729153
Agreed

Also check they do not have any remote agents installed such as Kasaya,logmein,etc

If you have Microsoft RDP enabled change it to a non-standard listening port.
(Update your firewall accordingly)

Lionelmm - a query ?

Does that work for the domain admin password or just the local admin
I did a job like this a long while ago now
(Russian criminals hacked an sbs server)
vaguely remember going down the route you suggest and it was ok for local server login but not domain admin - Hence using the stellar product ( albeit a purchase )
Not on commission btw :-)

Apologies if I am incorrect on this
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 38729191
It worked on my issue several years back and a DC (domain controller) does not have a "local admin"; you cannot logon to it other than with a domain user (domain\username). Unlike other non DC servers you can logon locally and with a domain user. There is also another multi-boot USB I use that provide additional password cracker options, but I have not tested these. (http://www.pendrivelinux.com/yumi-multiboot-usb-creator/) so if you know yours works it may be worth the cost in terms of time.
0
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 38729225
OK thanks

It was some time ago that I sorted this and it was SBS2003
I also tried parts of this article

http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

Seems to indicate it will work for a DC but you do need to be able to login with admin rights?
Hence my confusion

Don't want the questioner paying out un-necessarily so the other options may be worth a look
As you say the main thing is to ensure the bad guys do not get back in again
0
 

Author Comment

by:Randy Wake
ID: 38791994
We ended up rebuilding the server and restoring data from a backup.  What a nightmare!  Thanks all for your recommendations and suggestions for solutions.
0
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 38792013
Did you ever discover what caused it ?
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found listed in my profile here: http:…
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question