Re: Windows 2000 server issue - Summary
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Wed, 24 Sep 2003 13:55:34 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Summary of replies;
Paul Brereton said;
"One way might be to use Locksmith v1.0. You can get this from www.sysinternals.com."
Kevan McCallum Jr said;
"You can use ntrights.exe from Windows 2000 Resource Kit to reset the Local Security Policy settings. You can run this from another computer or server and reference the IP address of the server in question. I actually had this same issue and the ntrights.exe was the only thing that worked, short of rebuilding. Hope this helps."
Jeff DuVall said;
"I've used this in the past to get into locked, local administrative accounts, or when my users have forgotten their passwords to their home machines. YMMV, as its docs clearly state that domain accounts are not able to be recovered. Of course, since this is your PDC, it might be worth a shot. See below for the link. Personally, I use the bootable CD image."
Richard Bertolett added about ntpasswd;
"You can download a Linux boot floppy utility to change the password of one of the accounts with local logon permissions. This, as I mentioned, is risky and should be a last resort."
Editor's Note: ntpasswd by far got the most recommendations!
Sean Kornish said;
"You should be able to login as a domain administrator and modify the domain policy."
and Nima Khamooshi added this detailed instruction;
"(Assuming you can still access the PDC over the network) If you have an account with domain admin privileges, log on to a workstation and bring up an mmc. Add the group policy snap-in and choose remote machine, enter the name of your PDC then go in and grant yourself the right to log on locally. It should be under Computer Configuration, security settings, local policies, user right assignments."
In a similar vein, Tadd Axon chimed in with;
"Fire up the AD Users and Computers snap-in on an Admin workstation, check the default domain policy and the Default DC policy to see if the changes were put into effect there. If so, change them.
Using computer management and/or the AD Users and Computers snap in you should be able to reset the passwords on the IIS accounts, at which point you could log in with them and run secpol as Admin to see the local policy and make the required changes -- assuming of course that these accounts are in fact able to log in interactively.
If not... create an account that is a member of the server operators group and attempt a local login.
Failing that you may have to restart the server in directory services restore mode, and rebuild from a recent (pre-SUS) backup... unless anyone else out there has any other thoughts on the matter?"
Lindsay Berry, Tony Dalton-Richards, and Nick Reciniello all discussed the MS Admin Pack tools. Nick's was the most comprehensive;
"Look at page three, if you can UNC over to the \\servername\c$\inetpub\adminscripts and that server you may be able to run adsutil.vbs get w3svc/wamuserpass or actually set it with adsutil set w3svc/wamuserpass "password""
Michael T. Allen asked;
"Did you make a repair disk? That will re-enable the Local Administrator account?"
Jim Knight said;
"When you install SUS on any server, the IIS Lockdown tool is run against that server, if you have any other Web Server processes on that box the accounts used are locked down. I would suggest looking at the SUS Deployment guide (specifically Appendix A) to see what was done to the IIS install via the IIS Lockdown tool."
Brett Hill <firstname.lastname@example.org> offered;
"If you mean the IUSR and IWAM account, the passwords for those accounts are contained in metabase.bin. A very simple script can show the passwords. Email me privately if you want me to send you one."
Darin W Cross said;
"Winternals makes a product called ERD Commander which can be used to boot the machine and from there you can change the local account passwords to let yourself back in. www.winternals.com"
Russ - NTBugtraq Editor