How to logon using the expired domain administrator password in W2012 domain

This is an MS Windows 2012 AD domain that is using the default policies. I think one of the default policies is that a domain user password will expire in 90 days (or 120 days). After not logging on to the DC for a long time, I was not aware that this domain administrator user account had expired. Now, in front of the DC, I can't log on. What can I do to log on to the DC?

MichaelBalack (Senior System Engineer) asked:

Mike Kline commented:
Do you have any other admin accounts? Use them to change the pw of this account.


Walter Curtis (SharePoint AED) commented:
If you have any pre W2k12 machines on the domain, log in there. You will be prompted with a dialog offering you the chance to change your password. May even work with client OS's like Win 7 or older.
MichaelBalack (Senior System Engineer, Author) commented:
Hi MKline71,

I do not have other admin account.

Hi SneekCo,

There is one member server - 2012, my co-worker told me he can logon locally. I'll get him to try to logon to the domain.
Sasha Kranjac (Azure & Security Otaku, MVP, MCT, CEI) commented:
You can reset administrator or any other account password following these steps:

1. boot the DC from the Windows Server 2012 Installation DVD/USB
2. after choosing language, time zone and keyboard layout, on Windows Setup window click Repair your computer
3. click Troubleshoot
4. under Advanced options click Command prompt
5. at the command prompt type following commands
cd windows\system32
ren utilman.exe utilman.exe.old
copy cmd.exe utilman.exe
6. close the command prompt window
7. exit the Setup by clicking Continue and reboot the server
8. at the logon screen, click Windows+U
9. at the command prompt type: net user account SomePassword. Replace account with account name whose password you want to change. Replace SomePassword with password of your choice.
You should be able to log onto the server.
This procedure replaces the accessibility utility with the command prompt executable, which you invoked at the logon screen. After changing the password(s) you should restore the file changes you've made by repeating steps 1-4 and:
5. at the command prompt type following commands:
copy utilman.exe.old utilman.exe
6. exit Setup and reboot. Remove any DVD/USB media from server.

Hope it helps.
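
A check an administrator can run after the restore step in the answer above, added here as an example that is not part of the original thread: it confirms that utilman.exe is no longer a copy of cmd.exe and flags the utilman.exe.old file that the copy-based restore leaves behind. The function names are hypothetical, and it assumes an elevated PowerShell 3.0 or later session on the repaired server.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Assumes an elevated PowerShell 3.0+ session on the repaired server.

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '')
    }
    finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

function Test-UtilmanRestored {
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))

    $utilman  = Join-Path $System32 'utilman.exe'
    $cmd      = Join-Path $System32 'cmd.exe'
    $backup   = Join-Path $System32 'utilman.exe.old'
    $findings = @()

    if (-not (Test-Path -LiteralPath $utilman)) {
        $findings += 'utilman.exe is missing'
    }
    elseif ((Get-Sha256Hex -Path $utilman) -eq (Get-Sha256Hex -Path $cmd)) {
        # The swap from step 5 was never undone: Windows+U at the
        # logon screen still opens a command prompt.
        $findings += 'utilman.exe is byte-identical to cmd.exe'
    }

    if (Test-Path -LiteralPath $backup) {
        # The restore uses "copy", so the renamed original stays on disk.
        $findings += 'leftover utilman.exe.old (remove once utilman.exe is confirmed restored)'
    }

    New-Object psobject -Property @{
        Clean    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$result = Test-UtilmanRestored
$result.Findings | ForEach-Object { Write-Warning $_ }
if ($result.Clean) { Write-Output 'utilman.exe restored; no leftovers found.' }
```

Running `sfc /verifyfile=C:\Windows\System32\utilman.exe` afterwards additionally checks the restored file against the Windows component store.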

MichaelBalack (Senior System Engineer, Author) commented:
Hi Sasa kranjac,

Thanks for the detailed steps, I will schedule to try it...
The problem is not clear. Expired accounts are asked to change their pw at logon - so what problem do you have?
Walter Curtis (SharePoint AED) commented:
There is a security setting which I have not seen before W2k12 that does not prompt one for a new password when they attempt to log in with an expired password. (As was the case in previous versions.)
May I ask what you are referring to? I just tried it and expired an account and tried to logon to a 2012 Server - all normal, I was requested to change my pw.
Walter Curtis (SharePoint AED) commented:
Then the setting has not been applied to your system. It is not out of the box, but a security setting that can be enabled if desired.
Ok. Then we should search and find it in the GPO reference.
MichaelBalack (Senior System Engineer, Author) commented:
Thanks for the help from everyone. I also felt that it is a bit weird, as in this case the expired account didn't prompt for a new password change. However, all these problems are feedback from my co-worker, who is onsite. I didn't get a chance to "visualize it" myself. I will schedule to go onsite in a few days' time.
Time to clear up what we are talking about...
The author wrote "Now, in front of the DC..." which does not suggest that we are talking about RDP at all. Or are we?
Walter Curtis (SharePoint AED) commented:
@MichaelBalack - no matter the terminology I know what you are experiencing because I have been there too in real life. You want to log in or need to log in and you can't. Really messes up your plan. Luckily I had colleagues that could log in and I could reset my password. Hope you get your problem solved and hope I was able to help some.
MichaelBalack (Senior System Engineer, Author) commented:
Hi SneekCo,

Thanks for your understanding, I will get the problem sorted out.

Thanks everyone, wait for my update in these few days...
>  I have been there too in real life
Many have, including me :) The problem has been around since NLA (win 2008 Server/Vista). Not 2012 only and not induced by a non-Default policy. Simply NLA (default). Not patchable, see my own thread

So MichaelBalack, this is indeed RDP?
Walter Curtis (SharePoint AED) commented:
Thanks for the information, good stuff.
Capitano, are you out there?
Sasha Kranjac (Azure & Security Otaku, MVP, MCT, CEI) commented:
These comments are indeed all very valuable.
I have experienced various Windows Server behaviour - have been asked for the expired password and have not been asked for the password. There is always a solution for the problem, but at the expense of the time required to solve it. In some cases I have chosen the fastest path to the solution.
Hope you are able to solve your problem.
MichaelBalack (Senior System Engineer, Author) commented:
Hi everyone,

My onsite visit has to be postponed to next Thursday, about a week to go. I will update the findings and approaches. Hope I can solve the problem.
MichaelBalack (Senior System Engineer, Author) commented:
Hi everyone,

Sorry to keep you guys waiting. I did a simple test by following the steps shown by Sasa, and it works perfectly. I have made an appointment to be onsite to see the real thing.

This trick reminds me of back in the NT 4 days, in which a rename of one *.exe file would allow you to have full access, right?
Sasha Kranjac (Azure & Security Otaku, MVP, MCT, CEI) commented:
I'm glad it worked.

Hehe, you're right. Back on NT4 you had to rename LOGON.SCR to CMD.EXE. After that you rebooted and waited for a "screensaver" to appear and voila! The rest is the same: net user...
Hmm. Have you understood, what your problem is, capitano? Resetting a pw is one thing, being unable to change a pw via RDP is something totally different.
MichaelBalack (Senior System Engineer, Author) commented:
Hi McKnife,

Thanks for pointing out this important point.
MichaelBalack (Senior System Engineer, Author) commented:
Great, it works like a charm
Hmm, time to clear up what we had been looking at here. Was it an RDP connection or not?