Petri IT Knowledgebase Forums
 


Administrator Rights Removed and Don't Have Password For Other Admin Accounts

this thread has 16 replies and has been viewed 9535 times

  #1  
8th December 2006, 04:01
GTG

We have gained a new client and taken control of a server that the previous admin had removed administrator rights from the administrator group. Thus the administrator account cannot do what we need. There is another user account that we believe may have admin rights but we're not sure.

What utility should we use to change that user account's password?
Is there a utility that we can use to re-grant administrative rights to the administrator's group?

Forgot to add -
This is a Win Server Small Business 2003 with Active Directory

Thanks,
GTG

Last edited by GTG; 8th December 2006 at 04:06..
  #2  
8th December 2006, 11:50
Stonelaughter

If your domain administrator account has been removed from the "Domain Admins" group, he still has rights to add members to the Domain Admins group. I seriously doubt that anyone unprofessional enough to have done this would have covered all the angles. So - log in as the original "Administrator" account in the domain, and simply add yourself back into the "Domain Admins" group.
__________________


Tom
For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

Anything you say will be misquoted and used against you
  #3  
8th December 2006, 20:44
GTG

From what we can see, this is what he did -
He renamed the Administrator account to ASD, he then created a new Administrator account that has no administrative privileges. He then remotely logged in as ASD and disabled the ASD account.

Is there a way to somehow enable an account and change its password if you have no administrator privileges?

He also disabled some services from starting by changing their startup to manual and with no administrator account functioning, we can't reenable those services and get their database to run.

Thanks,
GTG
  #4  
13th December 2006, 21:58
StillAsleep
Some things to try...

First off,

Go here and look at the free tools (again).

http://petri.co.il/forgot_administrator_password.htm#1

The first tool mentioned is good to use because it generates an UPLOAD.TXT file with all the local accounts listed, so you can see what you have to work with.

The second tool, the LINUX CD password reset utility, will also non-intrusively tell you what accounts are on the local server and their enabled status. The intrusive part is that it will allow you to enable a user AND reset the password too, so at that point, it would write to the drive.

The third choice is BARTPE with SAMInside plug-in, scsi and network card plugins bootable CD. (I have not had any luck getting the USB plug going, and time is usually of the essence in these issues, so I took a pass last week on making my own USB plug-in. It's on my TO-DO list, honest!)

Create the CD on R/W media (this can take time to tweak and get right) boot the server with CD in the tray to a "lite" version of XP which runs from the ISO on the CD and using SAMInside, view the SAM of the server and dump it to a file on a diskette called PWDUMP. It is a text file of all the local accounts with their hashes (read: encoded passwords) in an import-friendly format.

Take this A: diskette over to your computer. Install LMCrack from the internet. Import the PWDUMP file into LMCrack. Supposed to crack a hash within 60 seconds w/o any additional configuration needed.

Cain and Abel is another cracking program. Passwords Pro is yet another cracking program. Both require dictionary or rainbowcrack DB downloads and additional configuring to get going.

Hope this helps!
StillAsleep Stacy
__________________
It's not what you know, it who's on your IM list.
  #5  
13th December 2006, 22:01
StillAsleep
More on SBS

I worked the SBS group at M$ for awhile.


Do you have another server in your domain (member server) that you can access locally, or is the SBS being the all-in-one box?

StillAsleep Stacy
  #6  
13th December 2006, 22:46
rvalstar

Quote:
Originally Posted by GTG
> From what we can see, this is what he did -
> He renamed the Administrator account to ASD, he then created a new Administrator account that has no administrative privileges. He then remotely logged in as ASD and disabled the ASD account.
>
> Is there a way to somehow enable an account and change its password if you have no administrator privileges?

If you can come in as SYSTEM. Unfortunately, the alt-logon (logon.scr) trick doesn't work anymore.

Unless some cracking SW will enable a disabled account, no amount of password cracking will fix this problem if there is no way to logon to a disabled "ASD" regardless of knowing the password and there are no other admin accounts.

So how to come in as SYSTEM with a minimal amount of disruption to the existing setup?

Possibly the "Repair" approach (w/ Shift-F10 ???) will do this -- I just don't know as I haven't tried it personally. Also, this is not a low impact solution:

Quote:
Originally Posted by arberibrahimi
> Instead of using recovery console, try windows repair. If windows xp installation finds your existing crashed XP use windows repair.
>
> Windows repair most of times saves your documents and only repairs errors.
>
> Here is a link that can help in this case:
> http://www.michaelstevenstech.com/XPrepairinstall.htm
>
> Tell me if this was helpful

Quote:
Originally Posted by rvalstar
> If you just do the repair without the Shift-F10, doesn't it reset the SAM anyway and ask you for a new Administrator password?
>
> If not (been a while since I did a repair), here's a nice link to a recipe for this Shift-F10 approach:
>
> http://pubs.logicalexpressions.com/p...cle.asp?ID=305
>
> As always, no express or implied warranty nor any recommendation to pursue this approach.

The only other way I know to get a CMD box as a fully privileged SYSTEM is to add or hijack a service. If you can write to the registry on the non-admin Administrator account, modifying the SRVANY trick here:

http://www.petri.co.il/reset_domain_...er_2003_ad.htm

may work and allow you to spawn a copy of USRMGR or ??? so you can enable ADM.

If you can't write to the registry but can find an existing non-critical service (VPN, AV, etc.) that autostarts and you can rename the EXE, I have a VS.NET service you can drop in place that will do the equivalent of the alt logon trick and allow you to run USRMGR, etc.

Just a thought.
__________________
Cheers,

Rick

** Remember to give credit where credit is due and leave reputation points Click on that post's Yin-Yang icon where appropriate **

© 2006-2013 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.
  #7  
2nd January 2007, 22:46
Kibo

Quote:
Originally Posted by rvalstar
> The only other way I know to get a CMD box as a fully privileged SYSTEM is to add or hijack a service. If you can write to the registry on the non-admin Administrator account, modifying the SRVANY trick here:
>
> http://www.petri.co.il/reset_domain_...er_2003_ad.htm
>
> may work and allow you to spawn a copy of USRMGR or ??? so you can enable ADM.
>
> If you can't write to the registry but can find an existing non-critical service (VPN, AV, etc.) that autostarts and you can rename the EXE, I have a VS.NET service you can drop in place that will do the equivalent of the alt logon trick and allow you to run USRMGR, etc.
>
> Just a thought.

Rick, I owe you a huge thanks.

I tried the logon.scr method on my Win2K Server box before I learned that the hole had been "fixed", and (not surprisingly) it didn't work. Then I came across your above suggestion, gave it a shot, and I was able to successfully reset my domain admin password and regain access to the box (followed by muffled cheers and a quiet 'happy dance' due to the late hour and the fact my wife was already asleep down the hall...)

I'll break it down into rough steps, in case others might find this useful--but first, a disclaimer: I am not a server guru, just a hack that likes tinkering with things on my own. Follow my directions at your own risk, and certainly heed any warnings/suggestions as provided by those on this forum that are certainly more knowledgeable than myself!

Here it is:
  1. Follow the directions for the 'logon.scr' trick to replace logon.scr with a renamed copy of cmd.exe. In my case, I had mounted the HD on another computer as a slave so I could extract (backup) data files, so I made the change there. There are numerous other ways to accomplish this, though.
  2. I rebooted the computer and waited for the logon screensaver to pop up a cmd window. From the root path, I ran 'mmc services.msc' to determine which services were automatically loaded and identify a non-essential service to hijack. This computer was set up with NAV, so that seemed to be the easiest target.
  3. From the cmd prompt, I ran regedit and navigated to 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services', then located the particular service I wanted to hijack. In my case, it was named 'NAV Auto-Protect'. I then exported this key to a temp folder for backup to be restored at a later point.
  4. From here, I pretty much followed the instructions on Daniel's W2K3 page. I say "pretty much" because I redirected ImagePath to srvany.exe and then added the two parameters that Daniel listed (Application set to cmd.exe and add AppParameters to change the domain password). This worked out fine, but there may be a more direct way to do this (i.e. point ImagePath directly to cmd.exe?). I also modified the DisplayName as a double-check for the next step...
  5. From the services.msc window, I opened the properties window on the service I was editing and verified that the newly changed properties appeared for the NAV service (modified DisplayName and ImagePath). This was just my way of confirming that I was a) changing the correct service, and b) that the changes were in fact 'accepted'.
  6. I then restarted the computer, waited for the services to start, and logged in with the password entered in step 4.
  7. Celebration commenced here.
  8. You're not done yet! Don't forget to replace the renamed logon.scr (actually cmd.exe) with the original (backup) version that you saved in step 1, and then restore your registry entries by importing the backup you made in step 3. To be thorough, delete the Parameters key as well. Reboot and make sure the original service starts up correctly.

Hope that someone finds this useful!


Erik
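
Added example, not part of Erik's post or of the thread: a defender's check for the change described in steps 3 to 5, run over a regedit export of the Services key. It flags a service whose ImagePath starts a command shell directly or through srvany.exe, and any ImagePath that differs from an earlier baseline export; the service names, paths and the SHELLS watch list below are constructed for illustration.

```python
import re

SHELLS = {"cmd.exe", "command.com", "powershell.exe"}   # assumed watch list
WRAPPERS = {"srvany.exe"}                               # wrapper named in the thread

def hex2(text):  # regedit's export form for REG_EXPAND_SZ (used to build SAMPLE)
    return "hex(2):" + ",".join(f"{b:02x}" for b in (text + "\0").encode("utf-16-le"))

def parse_reg(export):
    """Return {key path: {value name: string}} from .reg export text."""
    keys, current = {}, None
    export = re.sub(r"\\\r?\n\s*", "", export)   # join hex continuation lines
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("hex(2):"):        # REG_EXPAND_SZ: UTF-16LE bytes
                data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
                current[name] = data.decode("utf-16-le").rstrip("\0")
            elif raw.startswith('"'):            # REG_SZ: undo \\ and \" escapes
                current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def exe_name(command):  # lower-cased file name of the first .exe in a command line
    return (re.findall(r'[^\\/"]+?\.exe', command.lower()) or [""])[0]

def audit_services(export, baseline=""):
    """Flag services that start a shell (directly or via a wrapper) or that drifted."""
    keys, base, findings = parse_reg(export), parse_reg(baseline), []
    for path, vals in keys.items():
        if "ImagePath" not in vals:
            continue
        name = path.rsplit("\\", 1)[-1]
        image = exe_name(vals["ImagePath"])
        app = exe_name(keys.get(path + "\\Parameters", {}).get("Application", ""))
        if image in SHELLS or (image in WRAPPERS and app in SHELLS):
            findings.append((name, "shell via " + image))
        old = base.get(path, {}).get("ImagePath")
        if old is not None and old != vals["ImagePath"]:
            findings.append((name, "ImagePath differs from baseline"))
    return findings

# Constructed sample export: service names, paths and values are made up.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAV]",
    '"ImagePath"=' + hex2(r"C:\tools\srvany.exe"),
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAV\Parameters]",
    r'"Application"="C:\\WINDOWS\\system32\\cmd.exe"',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleVPN]",
    r'"ImagePath"="\"C:\\Program Files\\ExampleVPN\\vpnsvc.exe\" -service"',
])
```
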
  #8  
2nd January 2007, 22:55
rvalstar

I'm glad it worked out.

You are now a member of a rather elite club that has successfully commandeered a box without cracking a password.

Bravo.
__________________
Cheers,

Rick

  #9  
20th January 2007, 16:13
kachiri

Quote:
Originally Posted by rvalstar
> Possibly the "Repair" approach (w/ Shift-F10 ???) will do this -- I just don't know as I haven't tried it personally. Also, this is not a low impact solution:

Hi, learning a lot from your messages. I tried this, following your link, but the installation wouldn't start without a password. So I did not get to the bit where shift + F10 is used.

Can I press shift+F10 at some other stage? e.g. when it is copying files?
  #10  
20th January 2007, 22:59
rvalstar

Quote:
Originally Posted by kachiri
> Hi, learning a lot from your messages. I tried this, following your link, but the installation wouldn't start without a password. So I did not get to the bit where shift + F10 is used.
>
> Can I press shift+F10 at some other stage? e.g. when it is copying files?

So where exactly in the process here did you get the request for a password?:

http://pubs.logicalexpressions.com/p...cle.asp?ID=305

Please provide the step # and any other detail you may have. Also, what OS and what CD are you using?

I have successfully done this (recently) w/ a W2K Pro SP1 CD. Still waiting to schedule time w/ another friend to do the same operation w/ Windows XP Media Edition.
__________________
Cheers,

Rick
