Requirements (These are compulsory!)
1. Local access to the Domain Controller (DC).
2. The Local Administrator password.
3. Two tools provided by Microsoft in their Resource Kit: SRVANY and INSTSRV. Download them from http://www.petri.co.il/software/srvany.zip
The Local Administrator account is also called Directory Restore Administrator or Machine Account. The password is set at Windows installation. It is possible to reset this password using some (free) recovery tools.
Restart Windows 2003 in Directory Restory Service Mode.
Note: At startup, press F8 and choose Directory Restore Service Mode. It disables Active Directory.
When the login screen appears, log on as Local Administrator. You now have full access to the computer resources, but you cannot make any changes to Active Directory.
You are now going to install SRVANY. This utility can virtually run any programs as an NT Service. The interesting point is that the program will have SYSTEM privileges (as it inherits SRVANY security descriptor), i.e. it will have full access on the system. That is more than enough to reset a Domain Admin password. You will configure SRVANY to start the command prompt (which will run the ‘net user’ command).
Copy SRVANY and INSTSRV to a temporary folder, mine is called d:\temp. Copy cmd.exe to this folder too (cmd.exe is the command prompt, usually located at %WINDIR%\System32).
Start a command prompt, point to d:\temp (or whatever you call it), and type:
instsrv PassRecovery “d:\temp\srvany.exe”
It is now time to configure SRVANY.
Start regedit, and open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PassRecovery.
Create a new subkey called Parameters and add two new values:
type: REG_SZ (string)
type: REG_SZ (string)
value: /k net user administrator new_password
‘net user username password’ is the command line utility to set a new password.
Replace new_password with the password you want. Keep in my mind that some domain policies require complex passwords (including digits, respecting a minimal length etc.)
Now open the Services applet (Control Panel\Administrative Tools\Services) and open the PassRecovery property tab. Check the starting mode is set to Automatic.
Show the Log On tab and enable the option Allow service to interact with desktop.
From now on, anytime you restart Windows, SRVANY will run the netuser command and reset the domain admin password.
Restart Windows in normal mode and wait for the login screen. You will not see the command prompt running the net user command as it is displayed on another desktop. But no worries, the command is still executed in the background.
Log on as Administrator on your domain by using the password you set above. The system should grant you access. If not, go back to Step 2 and check you did not mistype any commands or values.
When the desktop is displayed, you should see a command prompt. This is the one started by SRVANY.
Use this command prompt to uninstall SRVANY (do not forget to do it!) by typing:
net stop PassRecovery (, then:)
sc delete PassRecovery
Now delete d:\temp and change the admin password if you fancy.