DC local admin password change

  1. #1
    Ya_know (Banned) | Join Date: Jun 2001 | Posts: 10,692

    Once AD is installed on a 2k server, by design you can no longer change the local administrator's password through local users in the computer management snap-in. Now that is fine and dandy, as you will typically log in to a DC with a domain account. But what happens if it hits the fan, and you take the server into AD restore mode, without knowing the local admin password?

    Alternate scenario: let's say you have a few DCs, and you want to synchronize the local admin passwords. If you know the password, you can use this method: How to Change the Recovery Console Administrator Password on a Domain Controller (Q239803) <http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q239803>, but if you don’t know it, you are in trouble. The only option I can see is to demote the DC by removing AD; during the process you are prompted for a new local password as part of a successful demotion. You could then run DCpromo to add AD. But that can't be feasible for every situation. Additionally, in order to have a successful demotion a lot of things can stand in your way; for instance:

    Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller (Q255504) <http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255504>

    How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion (Q216498) <http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q216498>

    I had to do both of these when I took my DC (a Global Catalog, but not the first) out of a friend’s tree, and decided to demote it. I didn’t forget the password, I just wanted to change the domain name and practice demoting and promoting; in the process I began to ponder the “what ifs”, hence my posting.

    Anyone with some ideas, please feel free...

  2. #2
    ShadowKing (Registered User) | Join Date: Dec 1999 | Location: WA | Posts: 743

    Since the local administrator password is held in the local SAM database, a www.winternals.com <http://www.winternals.com> tool could probably be used to change them, but that is not the "right" way...
    Matt

    "If you have been tempted into evil, fly from it. It is not falling into the water, but lying in it, that drowns"

  3. #3
    Registered User | Join Date: Sep 2001 | Location: Dallas, TX | Posts: 35

    I hate to disappoint you, but the AD repair admin password can be set differently than the original local admin password.
    The truth is out there, you just need to decrypt it.

  4. #4
    Ya_know (Banned) | Join Date: Jun 2001 | Posts: 10,692

    Originally posted by celeste9519:
    "I hate to disappoint you, but the AD repair admin password can be set differently than the original local admin password."

    I just went into Directory Services restore mode and reset the local admin password. Are you saying that this is different from the Directory Services restore admin password? I beg to differ, but am open to convincing...

    See, changing the local password has no effect on the Domain Administrator user account. Is it possible you had these two confused?
