Re: Help - administrator locked out!
- From: Ageing Brilliantine Stick Insect <AgeingBrilliantineStickInsect@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 6 Feb 2008 13:58:01 -0800
Hi Thee Chicago Wolf,
Firstly - thanks for your measured response - it would have been pretty easy
for you to unload on me (as I did on you), so your restraint is admirable -
thanks for that.
Second - thanks for your extremely helpful response. Looks like that is
probably going to be my only option. Personally I'd rather just leave the
darn thing as it is - the enterprise app on the server (DC) is still running,
the users can still log on (although they have to do it via a shared logon
now), and I really don't want to possibly break things altogether and get
stuck with restores etc etc.
Thirdly - yes, I am self-taught, but only up to a point. I used to be a real
computer head (like about 12-16 hours in front of my PC each day while I was
unemployed). I then started working as system support for Win95 and Office97,
with 1 Novell server. After a couple of years we changed to a whole bunch of
enterprise applications that ran on Windows 2000 server. As I had Windows
2000 on my PC at home, I became designated 'network co-ordinator'....not due
to any skills or anything - just because I had Win2K on my PC at home. That
was OK at first - I'd do my 8 hours at work, go home, sit in front of my PC
until after midnight and try to learn stuff. Eventually I got my MCP on Win2K
and Server. Then I had kids...........no longer could I spend 8 hours at home
on my PC every night. The other problem I faced is that we have people come
in and do all our network and software installing and setup. Once they have
everything in, they give us a bill and leave. They are not contracted to
provide ongoing support or operational assistance or anything like that - they
just install stuff and leave it to us. We get no training or anything like
that, we have no test lab. So suddenly we are running Windows 2003, Exchange
2003 and ISA 2006 and SQL Server and various other heavy duty apps. All
things that I haven't used previously - all things that the only 'practice
lab' I have is live production servers, and people expect me to know what is
going on and how to solve problems. I do the best I can using Google and
newsgroups, but it's a struggle. Such a struggle, in fact, that I'd really
rather not be doing it right now (or at any time into the future, in fact).
Most of the time my job involves answering the phone to calls along the lines
of 'my pc doesn't work'. 'Is it plugged in?', 'I don't know', so I have to go
and plug someone's computer in for them. (This isn't an exaggeration - I had
one of these calls yesterday).
I don't pretend that I'm some sort of super administrator or anything. As
you can tell from my previous post, it would be more accurate to describe me
as 'extremely ordinary administrator', or even 'administrator for not much
longer'. I agree it's my practices that have got me into trouble in the first
place......I need to take a long hard look at both them and myself!
Anyway, enough of my troubles. Thanks again for your help. I really do
appreciate your response.
"Thee Chicago Wolf" wrote:
So, sorry to have caused you so much offence "Thee Chicago Wolf" (is that a
spelling error - should it be 'three' or maybe 'the' - who really cares?). If
I knew all the answers to the questions I need to ask then there would be no
need for places like this, would there? If it is so offensive to you to
find out that people do not have the same encyclopedic knowledge as you
apparently believe you have, then why bother hanging around here? And you are
absolutely correct about my choice of career - I live in a very small town, I
was hired 10 years ago when Windows 95 and Office 97 were all the rage and we
had 1 server. We now have 20 servers, 6 remote sites, about 400 devices on the
network, Office 2003, Exchange, Active Directory etc etc. During the time all
these systems have been installed I have received exactly zero training from
my employer......so what do you suggest I do? Spend 8 hours a day at work,
then another 8 at home every night sitting in front of my computer trying to
learn all this stuff? Or maybe I should just resign......there aren't any
more jobs around here, and my kids would starve.....but at least these forums
would be a nicer place for you, wouldn't they?
It's more to do with people coming in to social engineer their way
around Administrative passwords to get into systems they ought not be
getting into than it is anything so no offense taken and sorry if it
was a curt response. It always sets off flags with me when people ask
questions in the form that you did so I usually err on the side of some
13 year old trying to figure out how to break in to something.
The Administrator account shouldn't have its password set to expire
for any reason because you can find yourself in this kind of position
when a policy is set to expire and, like you, the Admin goes away for
a period of time and then whammo, you're locked out and can't get back
into your system. Creating a backup account to get in seems to be what
you did in your original post but it didn't help.
I'm not knocking your career choice but it's your practices that got
you into this trouble. You're self taught and haven't had training so
this is a byproduct of perhaps not knowing the "Microsoft way of doing
things" and their best practices. I don't always agree with them but
there they are. If you really want a decent primer on practices and
some decent server 2003 reading, check out Mark Minasi's "Mastering
Windows Server 2003 Upgrade Edition for SP1 and R2." I assume he'll
eventually update it for SP2 but as of recently, that is the current
edition.
I don't know your environment or how you run your shop but delegating
a secondary Administrator to keep an eye on things would have been
prudent. We don't always want to give Joe Blow Admin rights but if you
set up the policy to have password expiry occur at certain lengths of
time, you have only yourself to kick in the *** for that. You live
and you learn but you also have to know your environment and have
secondary support in your absence.
So here's what you can do. Get yourself the Offline NT Password Editor
(google search that phrase). It's a zipped archive containing an ISO
which you burn and then boot from the CD-Rom (look for cd070927.zip
(~3MB)). It's a Linux tool to blank out the Admin password so you can
get back in and, for lack of a better phrase, save your ass.
I'm telling this to help you as you genuinely seem to have this need
but it is a very dangerous tool because of its very nature to let
ANYONE break into a system or lock an Admin OUT of a system they have
physical access to. That's why I prefer to let people learn the hard
way that when you do it to yourself, you've got to suffer the
consequences.
This tool is not a crutch and should only be used for emergencies such
as yours, never to save one's *** from a locked-out account due to a
policy setting. Better Administrative practices will keep that from
happening. Good luck and let me know how it goes.
- Thee Chicago Wolf