Reset Active Directory Password

After attending the Italian TechNet Security Workshop V in Milan, I became worried about how to reset the Administrator password, or create a new admin account, when the original Administrator account is locked (a malicious user can lock this account by sending the wrong password too many times or by adding it to more than 65535 groups).

I ran some tests on Active Directory 2000 and 2003. The procedure is basically the same for both: start Windows in Directory Services Restore Mode (in which Active Directory is not started), apply some "hacks" to the registry, then restart normally so the "hacks" take effect.

Active Directory 2000 Hacks
Start regedit
change HKEY_USERS\.Default\Control Panel\Desktop\SCRNSAVE.EXE (the logon screensaver) from logon.scr to cmd.exe
change HKEY_USERS\.Default\Control Panel\Desktop\ScreenSaveTimeout to 10
change HKEY_USERS\.Default\Control Panel\Desktop\ScreenSaveActive to 1
When you reboot the server, after about 10 seconds the screensaver, which is now cmd.exe, starts at the logon screen. From that prompt type net user administrator MyNewPassw0rd /domain, or run MMC with DSA.MSC to open the Active Directory Users and Computers console.

The previous hacks don't work on 2003 because of a change in the account under which the logon screensaver process runs. In Windows 2000 it ran with Local SYSTEM account (LSA) privileges, while in Windows Server 2003 it runs as LOCAL SERVICE, which has far fewer privileges.

Active Directory 2003 Hacks
copy srvany.exe from the Windows 2003 Resource Kit to C:\
run the following command: sc create ResetPWD binpath= "C:\srvany.exe"
Start Regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ResetPWD
Create a new subkey called Parameters and add two new values:
name: Application, type: REG_SZ (string), value: C:\windows\system32\cmd.exe
name: AppParameters, type: REG_SZ (string), value: /k net user administrator MyNewPassw0rd /domain
Open services.msc, select ResetPWD, set the startup type to Automatic and enable the option Allow service to interact with the desktop
Restart your server and log on as Administrator with MyNewPassw0rd
You can also customize the action by setting AppParameters to the path of a batch file.
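As an added defender-side check that is not part of the original post, the following PowerShell script (assumed to run in an elevated session on the domain controller) looks for the artifacts both procedures above leave behind: a logon screensaver that is no longer logon.scr, and a service wrapped by srvany.exe or whose Parameters\Application launches cmd.exe or a batch file. The registry paths and value names are exactly those used in the steps above; the function names are my own.

```powershell
# Added audit example (not from the original post). Reports the two
# persistence artifacts described on this page so an admin can spot them
# after an unexpected reboot of a domain controller.

function Test-LogonScreensaver {
    # The logon desktop's screensaver lives under HKEY_USERS\.DEFAULT and
    # should normally be logon.scr; anything else is worth a look.
    $desk = Get-ItemProperty -Path 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $scr  = [string]$desk.'SCRNSAVE.EXE'
    if ($scr -and ($scr -notmatch '(?i)logon\.scr$')) {
        [pscustomobject]@{
            Finding = 'Logon screensaver replaced'
            Program = $scr
            Timeout = $desk.ScreenSaveTimeout   # page sets this to 10
            Active  = $desk.ScreenSaveActive    # page sets this to 1
        }
    }
}

function Get-SuspiciousWrapperServices {
    # Walk every service key; flag srvany.exe wrappers and any service whose
    # Parameters\Application points at a shell or batch file.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $svc    = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
        $image  = [string]$svc.ImagePath
        $app    = [string]$params.Application
        if ($image -match '(?i)srvany\.exe' -or $app -match '(?i)\\cmd\.exe$|\.bat$|\.cmd$') {
            [pscustomobject]@{
                Service       = $_.PSChildName
                ImagePath     = $image
                Start         = $svc.Start              # 2 = Automatic
                Interactive   = [bool]($svc.Type -band 0x100)  # "interact with desktop" bit
                Application   = $app
                AppParameters = [string]$params.AppParameters
            }
        }
    }
}

Test-LogonScreensaver
Get-SuspiciousWrapperServices | Format-Table -AutoSize
```

Both artifacts can only be planted by someone who booted the controller into Directory Services Restore Mode, which needs console access and the DSRM password, so a hit here should be read together with the machine's boot and physical-access history.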

About author

Vittorio Pavesi