Hi, I have a big problem at the charity I volunteer for. We had one guy maintaining the server (SBS 2003). He was a good guy, if maybe a little bit paranoid; he didn't leave a copy of the password in the safe or anywhere we can find it, and he died last week.
Exchange has started crashing on a regular basis. It lasts about 36 hours before it crashes, and no one can access emails until the server is restarted by powering off, which I don't want to do too many times as the server is already throwing a warning on boot about RAID errors.
I tried going into recovery mode by pressing F8, but that does not seem to be working; on the login screen there is only the domain login and no local login. I did some searching and found various methods for brute-forcing passwords or blanking them and adding new ones, but they are a bit dodgy or may lose data if encryption has been enabled (which is likely). MDOP 2011, which has DaRT 5.0, may have helped, but the MSDN password went with admin as well. Can anyone help?
No! Don't use cracking tools, as you'll take your server out of a supported configuration if you do. Definitely consider doing anything against a clone or P2V version of your server. That said, what I describe is the safest method to seize control over Windows/domains, as it doesn't violate any of Windows' internal functionality, and your copy of Windows is still perfectly healthy.
- Boot from Microsoft WinPE media so your server is offline. Either use the original Microsoft Windows install disk, or create a new WinPE disk through the Microsoft Automated Deployment Toolkit.
- Launch cmd.exe if you are in Windows setup, and run the next two lines:
- rename C:\windows\system32\Utilman.exe Utilman.exe.disabled
- copy C:\windows\system32\cmd.exe C:\windows\system32\Utilman.exe
- Now boot Windows like normal. When you get the logon screen, click on the lower-left Accessibility icon. It will now launch cmd.exe, rather than Utilman.exe, as the SYSTEM user.
- Launch MMC.EXE. CTRL-M. Add “Active Directory Users and Computers”. OK.
- Create a new user in your “DOMAINNAME\Users” container.
- Add your new user to the group “DOMAINNAME\Users\Enterprise Admins”.
- Add your new user to the group “DOMAINNAME\Users\Domain Admins”.
- Add your new user to the group “DOMAINNAME\Builtin\Administrators”
Congrats! You’ve just stolen an Active Directory Domain Controller or Forest by masquerading as the active SYSTEM user, and you didn't take Windows out of a supported configuration when you did so because SYSTEM is normally allowed to modify itself.
- Boot back to your offline Windows media, "delete C:\Windows\System32\Utilman.exe", and "rename C:\Windows\System32\Utilman.exe.disabled Utilman.exe"
And this folks is why Windows is only secure when it’s on encrypted BitLocker volumes, and why Read Only Domain Controllers exist.
If for some reason you actually need to get into the old Administrator user accounts without changing their passwords, the best way to do this is to attempt to use something like Metasploit and do a pass-the-hash style attack from a remote host. Your old administrator's password hash is probably still cached on the domain controller, so you can use that to steal the hash, and then attempt to directly masquerade as that old user with their hash rather than password. Won't work with RDP, though, unless you are on Server 2012 R2 and enable the pass-the-hash cache theft prevention features to support "mstsc.exe /restrictedAdmin" (this basically forces MSTSC to obey the same rules that prevent easy PowerShell double-hops).
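The Utilman.exe swap in the answer above leaves two artefacts on disk: a System32\Utilman.exe that is really cmd.exe, and a Utilman.exe.disabled backup. The following PowerShell check is an added example, not code from this thread; it flags both artefacts, assumes PowerShell 4 or later (for Get-FileHash), and takes the System32 folder of the running host or of a mounted disk image through a -System32 parameter that is named here for illustration.

```powershell
# Added defensive check (not from the original thread): detect an
# accessibility helper in System32 that has been swapped for cmd.exe,
# and any leftover "<name>.disabled" backup such as Utilman.exe.disabled.
# Assumes PowerShell 4+ (Get-FileHash). Point -System32 at a mounted
# image's System32 folder to check an offline disk.
param(
    [string]$System32 = "$env:SystemRoot\System32",
    # Only the binary the thread discusses; the same check applies to any
    # other helper reachable from the logon screen.
    [string[]]$Targets = @('Utilman.exe')
)

$cmd     = Get-Item (Join-Path $System32 'cmd.exe')
$cmdHash = (Get-FileHash $cmd.FullName -Algorithm SHA256).Hash

$findings = foreach ($name in $Targets) {
    $path = Join-Path $System32 $name
    if (-not (Test-Path $path)) { continue }

    $file    = Get-Item $path
    $hash    = (Get-FileHash $path -Algorithm SHA256).Hash
    $desc    = $file.VersionInfo.FileDescription
    $orig    = $file.VersionInfo.OriginalFilename
    $stem    = [IO.Path]::GetFileNameWithoutExtension($name)
    $reasons = @()

    # A byte-identical copy of cmd.exe is the exact artefact of the swap.
    if ($hash -eq $cmdHash) { $reasons += 'file is byte-identical to cmd.exe' }
    # Even a differently built cmd.exe keeps its own version resource.
    if ($desc -and $desc -eq $cmd.VersionInfo.FileDescription) {
        $reasons += "FileDescription '$desc' belongs to cmd.exe"
    }
    if ($orig -and $orig -notlike "$stem*") {
        $reasons += "OriginalFilename '$orig' does not match $name"
    }
    # The backup made before the swap is usually left behind.
    if (Test-Path "$path.disabled") { $reasons += "$name.disabled is present" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ File = $name; Reasons = ($reasons -join '; ') }
    }
}

if ($findings) { $findings | Format-Table -AutoSize; exit 1 }
Write-Host "No swapped accessibility binaries found in $System32"
```

A non-zero exit code lets the script run from a scheduled task or monitoring agent, so a swap like the one described above is noticed before the next boot rather than after it.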