No access to server, passwords lost as our admin died

By badall
in Microsoft (Windows)

 Share

Recommended Posts

Proficient

badall

Posted
Posted

Hi i have big problem at the charity i volunteer for, we had one guy maintaining the server (sbs2003) he was a good guy if maybe a little bit paranoid he didn't leave a copy of the password in the safe or anywere we can find it and he died last week.

Exchange has started crashing on a regular basis it last about 36 hours before it crashes and no one can access emails until the server is restarted by powering off which i don't want to do to many times as the server is already throwing a warning on boot about raid errors

I tried going into recovery mode pressing f8 but that does not seem to be working, on the login screen there is only the domain login and no local login. I did some searching and found various methods for brute forcing passwords or blanking them and adding new ones but they are a bit dodgy or may lose data if encryption has been enabled (wich is likely) mdop2011 which has dart 5.0 may have helped but the msdn password went with admin aswell. Can anyone help

Link to comment
Share on other sites
Veteran

+Fulcrum Subscriber¹

Posted
  • Subscriber¹
Posted

I suggest #2 in Stockkolm link

Offline NT Password & Registry Editor (2011-05-11 Build) is an amazing password recovery tool but instead of actually recovering your Windows password like Ophcrack and similar tools do, it deletes it. Without a password, you're allowed unrestricted access to your Windows operating system.

Link to comment
Share on other sites
Grand Master

n_K

Posted
Posted

Remember if it's active directory, most tools won't work. You need specialised tools to work with AD files.

If it's AD and you don't have the tools, I can help recover them for you if they're compatible.

Link to comment
Share on other sites
Grand Master

+theblazingangel MVC

Posted
  • MVC
Posted

@OP, before you start trying to crack the password problem, I'd advise that you make backing things up your first priority, especially with those RAID errors. One way of doing this would be to use the dd command in a linux live CD to backup an exact image of the contents of the server's hard drive, saving this onto a backup drive. The backup drive will need to be as big or bigger than the existing drive in the machine. With such an image, if you do mess things up, or the RAID completely fails, you'll be able to simply restore the hard drive contents to exactly the same state as they are currently.

 

If you don't know what you're doing, get someone else in who does. You're at serious risk of making things worse, possibly loosing everything that server contains.

  • Roger H., Praetor and TAZMINATOR
  • Like 3
Link to comment
Share on other sites
Veteran

D!ABOL!C

Posted
Posted

on the login screen there is only the domain login and no local login. 

 

On the login screen, is there no login dropdown box? If not, you don't happen to have the server name do you? For username try: server1\administrator with a blank password. Considering how paranoid the previous admin was, i'm sure he set one, but maybe he forgot.

Link to comment
Share on other sites
Grand Master

Praetor

Posted
Posted (edited)

@OP: sorry for the loss of your co-worker, i do remember back in 2012 when you asked our opinion for a upgrade for that server :/

 

back ontopic: PLEASE do a backup if you don't have any; this should be your number 1 concern right now. If you don't have a backup then do one ASAP, preferably clone the HDD using some tool for that (dd can work too but it will take time). After that you can use Directory Service Restore Mode since it's the most secure and fastest way of retrieving the server back into your hands (since it's a SBS the logins are AD related so any password reset tool you use it won't work). For that please follow this steps: http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm#

 

Note: remember to read all of those steps carefully; if you don't then you can be in a much worsen situation then now.

 

After that check the server logs and hardware (if it's a OEM server, like DELL or HP then there's software from the OEM to see the state of the hardware) to see the reason the RAID controller is dumping the warning in POST and check what's up with Exchange. Also see if there's any expired certificate or low space volume.

 

Good luck!

Link to comment
Share on other sites
Collaborator

ITFiend

Posted
Posted

Hi i have big problem at the charity i volunteer for, we had one guy maintaining the server (sbs2003) he was a good guy if maybe a little bit paranoid he didn't leave a copy of the password in the safe or anywere we can find it and he died last week.

Exchange has started crashing on a regular basis it last about 36 hours before it crashes and no one can access emails until the server is restarted by powering off which i don't want to do to many times as the server is already throwing a warning on boot about raid errors

I tried going into recovery mode pressing f8 but that does not seem to be working, on the login screen there is only the domain login and no local login. I did some searching and found various methods for brute forcing passwords or blanking them and adding new ones but they are a bit dodgy or may lose data if encryption has been enabled (wich is likely) mdop2011 which has dart 5.0 may have helped but the msdn password went with admin aswell. Can anyone help

 

No! Don't use cracking tools, as you'll take your server out of a supported configuration if you do. Definitely consider doing anything against a clone or P2V version of your server. That said, what I describe is the safest method to seize control over Windows/Domains as it doesn't violate any of Windows internal functionality, and your copy of Windows is still perfectly healthy.

 

  • Boot from Microsoft WinPE media so your server is offline.  Either the original Microsoft Windows install disk, or create a new WinPE disk through the Microsoft Automated Deployment Toolkit.
  • Launch cmd.exe if you are in Windows setup, and run the next two lines:
  • rename C:\windows\system32\Utilman.exe Utilman.exe.disabled
  • copy C:\windows\system32\cmd.exe C:\windows\system32\Utilman.exe
  • Now boot from Windows like normal.  When you get the logon screen, click on the lower left Accessibility icon.  It will now launch cmd.exe, rather than Utilman.exe, as the SYSTEM user.
  • Launch MMC.EXE.  CTRL-M. Add ?Active Directory Users and Computers?. OK.
  • Create a new users in your ?DOMAINNAME\Users? container.
  • Add your new user to the group ?DOMAINNAME\Users\Enterprise Adminis?
  • Add your new user to the group ?DOMAINNAME\Users\Domain Adminis?
  • Add your new user to the group ?DOMAINNAME\Builtin\Administrators?

 

Congrats!  You?ve just stolen an Active Directory Domain Controller or Forest by masquerading as the active SYSTEM user, and you didn't take Windows out of a supported configuration when you did so because SYSTEM is normally allowed to modify itself.

 

  • Boot back to your offline Windows media, "delete C:\Windows\System32\Utilman.exe", and "rename C:\Windows\System32\Utilman.exe.disabled Utilman.exe"

 

And this folks is why Windows is only secure when it?s on encrypted BitLocker volumes, and why Read Only Domain Controllers exist.

 

 

If for some reason you actually need to get in to the old Administrator user accounts without changing their passwords, the best way to do this is to attempt to use something like Metasploit and a do a pass the hash style attack from a remote host.  Your old administrators password hash is probably still cached on the domain controller, so you can use that to steal the hash, and then attempt to directly masquerade as that old user with their hash rather than password.  Won't work with RDP though unless you are on Server 2012 R2 and enable the pass the hash cache theft prevention features to support "mstsc.exe /restrictedAdmin" (this basically forces MSTSC to obey the same rules that prevent easy PowerShell double-hops).

Link to comment
Share on other sites
Collaborator

ITFiend

Posted
Posted

Congrats!  You?ve just stolen an Active Directory Domain Controller...

 

Oh yeah, I did say that wrong. You've stolen *all* Active Directory Domain Controllers in the domain. Builtin\Administrators replicates, and after it does you are a Local Administrator on all the domain DC's.

Link to comment
Share on other sites
Grand Master

Praetor

Posted
Posted

ah the utilman hack, didn`t remember that; that works as well but the first thing to do should be a backup. also in sbs2k3 it`s windows key + u to activate it.

Link to comment
Share on other sites
Proficient

badall

Posted
  • Author
Posted

yeah the new server i forgot about that it's still on his desk waiting to be setup lol, he had alot going on but never quite finished alot of it i guess no one expects to die, anyway i'm not in till monday, there are backups but there not full system backups just exchange and users data which is done once a week, i'll dig a drive up and do a full sytem image to be carefull and try ITFiends way of doing it.

 

will get back to you on the results

Link to comment
Share on other sites
Proficient

badall

Posted
  • Author
Posted

I thought i would give itfiends solution a try in a VM at home before i went in tomorrow but the problem with server 2003 is that there is no accessability options on the login screen

Link to comment
Share on other sites
Grand Master

Eric Veteran

Posted
  • Veteran
Posted

I thought i would give itfiends solution a try in a VM at home before i went in tomorrow but the problem with server 2003 is that there is no accessability options on the login screen

 

Try the hotkey Praetor mentioned. It should still work.

  • Praetor and Brandon H
  • Like 2
Link to comment
Share on other sites
Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

If you are still having issues with recovering the password, this write up has never once failed me utilizing erd commander to reset the password.  you can use hirens as well to reset the password or make a new domain admin to be able to manage the domain so you don't mess anything up. 

 

http://www.petri.com/reset_domain_admin_password_in_windows_server_2003_ad.htm

Link to comment
Share on other sites
Community Regular

koppit

Posted
Posted

I've done this before. It's not fun... but it works. You will need to reset the administrator password for local login first using a tool such as hirens. Alternately, a winPE boot disk if you have a raid that needs drivers installed...

 

http://www.geeksaresexy.net/2009/03/12/how-to-reset-your-lost-2003-active-directory-admin-password/

Have all of the required files on a memory stick somewhere, contact me if you need them.

Link to comment
Share on other sites
Grand Master

Eric Veteran

Posted
  • Veteran
Posted

sethc.exe worked like a charm got in sorted the passwords and put a copy in the safe just encase. only trouble is i now seem to be the one who has to maintain it

 

Excellent! We can't help you decide who the new admin is but I'm glad you got it fixed. I knew there was another executable you could use to fix it but I couldn't remember which one. :)

Link to comment
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.