General discussion

  • Creator
    Topic
  • #2080524

    nt security

    Locked

    by npressley ·

    i had a call from a customer who said he can’t get in his server. for some reason it has been changed or something. is there any way to get in to reset password?
    npressley@inetnow.net

All Comments

  • Author
    Replies
    • #3902690

      nt security

      by fido ·

      In reply to nt security

      There are thre answers to this situation that I can think of, I hope at least one of them is useful.

      A1) The Microsoft text book answer
      Rebuild your server.

      A2) The cook-book answer
      There is a utility freely available on the net called L0phtCrackhttp://www.l0pht.com/l0phtcrack) which has the ability to rip passwords out of the NT registry, rescue disk, and network packets. This may perhaps be able to extract the password from the NT server’s registry. Of course access to the server console is aplus as doing it remotely can be painful.

      A3) Last ditch answer
      You could also try using the NT rescue disk generated when the NT server was installed to restore the SAM database. I wouldn’t suggest it if this is a business critical server, but as aast resort before rebuilding the server you might want to try it.

      • #3792072

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902668

      nt security

      by mkelley ·

      In reply to nt security

      Also,
      This doesn’t help now, but it is helpful to have more than one admin level account on the server, perhaps two local admin logins, and two domain admin level logins. Don’t forget to put the domain level logins in the local admin group. And if tis is a BDC, you don’t need to worry about the local admin accounts.

      • #3792073

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902638

      nt security

      by jhoward ·

      In reply to nt security

      There are a number of utilities at http://www.winternals.com and http://www.sysinternals.com that allow you to change the administrator account (ERD Commander, ERD Professional, NTRecover & NT Locksmith). They aren’t free but are worth the money when you considerhow much your time, and the time of your staff costs when they can’t work while you rebuild the server.

      • #3792074

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902637

      nt security

      by patfa ·

      In reply to nt security

      Is it a BDC, PDC, Stand alone? There would be different courses of action depending on the role the server plays in your domain.

      Did the customer forget his password? If so, is the original administrator account available or has it been disabledas it should be?

      If no one, even normal users are not able to log onto the server, it is likely that the systems SAM database was corrupted at some point. Again, It would be most helpful if we knew what type of NT server we are discussing, but inthis case, a up-to-date NT repair disk would be an invaluable tool because a copy of the SAM database resides on this disk. If there is no disk available, and the SAM database is indeed corrupt, a rebuild is the only way I know of to regain control of your locked server.

      • #3792034

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902603

      nt security

      by johnny398430 ·

      In reply to nt security

      Just a reminder that any other NT user id with domain admin privileges may logon and reset the NT administrator password.

      • #3792075

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902584

      nt security

      by egowen ·

      In reply to nt security

      If he has an emergency recovery diskette (ERD) of recent vintage, he could boot from the the three diskette set and restore the registry. He should then be able to login with the old Administrator password.

      • #3792076

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902582

      nt security

      by sjh87 ·

      In reply to nt security

      Hey, without utilities, it’s pretty tough to get back into an NT box without the password – have them try everything in upper and lower case, and try to get a password cracker from somewhere like L0phtcrack (BE SURE TO use a zero “0”- not the letter “o”. Anyway, this is probably too late – but good luck….

      • #3792077

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902580

      nt security

      by oleg.vysotsky ·

      In reply to nt security

      Run User Domain Manager and reset a password in the person record.

      • #3792078

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902573

      nt security

      by kai_klein ·

      In reply to nt security

      I’ve run also in this problem by a customer, where a student install the machine and then go into holydays without leaving the password. What we do then is to repair the sam-database with the rescure disk from a different machine. Hope this will help you.

      Kai

      • #3792079

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902523

      nt security

      by cyril ·

      In reply to nt security

      One of the possible causes of this situation is an attempt to restrict logon to ordinary users by changing default system policy. In this case, you can try to remove policy files using utilities available on http://www.sysinternals.com (NTFSDOS, for example)…or rebuild your server.

      • #3792080

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902513

      nt security

      by bryan henderson ·

      In reply to nt security

      If there is an Administrator account on the machine and the user knows the credidentials for that account, or has access to somone that does, they can get in and reset it.
      If the is a bootable dos partition, you may be able to boot from a floppy disk(dos) and run a program called l0phtcrack. What it will do is capture the part of your registry that contains account information. Once you have that, you can run the part of the l0phtcrack program that cracks accounts and passwords. Depending on the “difficulty” of their password, you should be able to retrieve it. It may take a few minutes to a few days for the l0phtcrack program to crack it. Hope this helps, it happened to me and I had everything so “secure” I had to rebuild the machine…

      Bryan

      • #3792081

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902796

      nt security

      by ron ·

      In reply to nt security

      Even if you do not have the ERD, you can still run a restore off of the three setup diskettes, and choose the option to rebuild/replace the SAM and Security settings during the setup procedure. When you are done with the repair of NT, it should finish with a blank Administrator password. So after you do this, logon to the Server as Administrator with no password and then you will have the access that you need. Don’t forget to change the passwords on the services that logon using an account, usuallt the Administrator account.

      • #3792082

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3902795

      nt security

      by willh ·

      In reply to nt security

      These are all good answers, I personally use the Winternals ERD Commander.

      Now, to prevent this from happening in the future: establish a policy to have one user login ON THE MACHINE’S User Manager (Not the domain’s). This “user” should be standard for ALL machines, and have a standard password. The “user” should be added to the Administrator’s group (and removed from the Users group). This use should match a user name on the domain, used for the same purpose.

      After the user is created, LOG IN,using that user name, to establish a cached profile.

      The user name and password should be locked up in the manager/SysAdmin’s custody and ONLY USED for opening up lost password situations.

      Will Harper, MCSE

      • #3792083

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3901428

      nt security

      by mark.thomson ·

      In reply to nt security

      If he has an ERD or if he can log on to the server at all then he can use a password crack utility to see the password.

      • #3792084

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3901382

      nt security

      by vickim ·

      In reply to nt security

      Re-install NT Server.

      • #3792085

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3901315

      nt security

      by evan tallas ·

      In reply to nt security

      There are the utilites, like l0phtcrack. But since the person can’t get into the server, they should use the repair utilities on the Installation CD. It’s by far one of the easiest ways of doing it. I’m assuming the person is a home user with almost no knowledge of NT as well.

      1. Boot the machine with either the NT install floppies or the bootable NT CD.

      2. Choose “Repair NT installation.”

      3. Select all of the boxes, it won’t hurt anything.

      4. The user probably doesn’t have a recent emergency repair disk, but if they do they will be prompted to insert it. Make sure it is very recent! If it is not, it could cause problems.

      5. There will be a selection for repairing the Administrative Account. They should select this option.

      6. Byfollowing this, a new Administrative account will be created. The old one will still be on the system, in x:\winnt\profiles\00Administator

      Tell the user to copy the files from the matching directories in 00Administrator to the new Administrator.

      • #3792086

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3901272

      nt security

      by james ·

      In reply to nt security

      A number of options exist….
      1. Use ERD Commander.
      2. Slip install a new version of NT into a temp directory, Copy the sam from the \system32\config folder to a floppy and run L0phtcrack on another machine.
      3. If the server is a member server with little local account config, you can carry out the following. Slip install as per point 2, then delete of rename the sam. reboot into the original installation. You will have to recreate any accounts including IIS service accounts ect. You will also have toadd the machine back to the domain. If the server is just a file or print server, this would bbe pretty painless. If the server is running Sql, IIS ect, Then this would not be such a great approach.
      Hope this helps.
      PS
      I own a copy of ERD commander Pro and totally recommend this to any support professional…

      James
      MCSE+I ect…

      • #3792087

        nt security

        by npressley ·

        In reply to nt security

        The question was auto-closed by TechRepublic

    • #3792033

      nt security

      by npressley ·

      In reply to nt security

      This question was auto closed due to inactivity

Viewing 17 reply threads