Re: Help - administrator locked out!

1 more question (showing my ignorance here)....I know when a machine is made
a DC the local administrator account 'goes away'. When you boot into safe
mode, that account is available again, isn't it? If this is the case, I am
pretty sure I should be able to remember the local admin password.

Also, I didn't actually create any password policies or anything like that.
It's just a bog standard W2K3 DC installation. I read somewhere else that
normal password policies/restrictions do not apply to administrator accounts,
but even if they did, shouldn't all the users, as well as the administrator
still be getting the option to change the password, rather than just a
'username/domain is incorrect message'?

"Thee Chicago Wolf" wrote:

So, sorry to have caused you so much offence "Thee Chicago Wolf" (is that a
spelling error - should it be 'three' or maybe 'the' - who really cares?). If
I knew all the answers to the questions I need to ask then there would be no
need for places like this, would there? If it is so offensive to to you to
find out that people do not have the same encyclopedic knowledge as you
apparently believe you have, then why bother hanging around here? And you are
absolutely correct about my choice of career - I live in a very small town, I
was hired 10 years ago when Windows 95 and Office 97 are all the rage and we
had 1 server. We now have 20 servers, 6 remote sites about 400 devices on the
network, Office 2003, Exchange Active Directory etc etc. During the time all
these systems have been installed I have received exactly zero training from
my employer......so what do you suggest I do? Spend 8 hours a day at work,
then another 8 at home every night sitting in front of my computer trying to
learn all this stuff? Or maybe I should just resign......there aren't any
more jobs around here, and my kids would starve.....but at least these forums
would be a nicer place for you, wouldn't they?

It's more to do with people coming in to social engineer their way
around Administrative passwords to get into systems they ought not be
getting into than it is anything so no offense taken and sorry if it
was a curt response. It always sets off flags with me when people ask
question in the form that you did so I usually err on the side of some
13 year old trying figure out how to break in to something.

The Administrator account shouldn't have it's password set to expire
for any reason because you can find yourself in this kind of position
when a policy is set to expire and, like you, the Admin goes away for
a period of time and then whammo, you're locked out and can't get back
into your system. Creating a backup account to get in seems to be what
you did in your original post but it didn't help.

I'm not knocking your career choice but it's your practices that got
you into this trouble. You're self taught and haven't had training so
this is a byproduct of perhaps not knowing the "Microsoft way of doing
things" and their best practices. I don't always agree with them but
there they are. If you really want a decent primer on practices and
some decent server 2003 reading, check out Mark Minasi's "Mastering
Windows Server 2003 Upgrade Edition for SP1 and R2." I assume he'll
eventually update it for SP2 but as of recently, that is the current
edition.

I don't know your environment or who you run your shop but delegating
a secondary Administrator to keep an eye on things would have been
prudent. We don't always want to give Joe Blow Admin rights but if you
set up the policy to have password expiry occur at certain lengths of
time, you have only yourself to kick in the *** for that. You live
and you learn but you also have to know your environment and have
secondary support in your absence.

So here's what you can do. Get yourself the Offline NT Password Editor
(google search that phrase). It's an zippped archive containing an ISO
which you burn and then boot from the CD-Rom (look for cd070927.zip
(~3MB)). It's a Linux tool to blank out the Admin password so you can
get back in and, for lack of a better phrase, save your ass.

I'm telling this to help you as you genuinely seem to have this need
but it is a very dangerous tool because of it very nature to let
ANYONE break into a system or lock and Admin OUT of a system they have
physical access to. That's why I prefer to let people learn that hard
way that when you do it to yourself, you've got to suffer the
consequences.

This tool is not a crutch and should only be used for emergencies such
as yours, never to save one's *** from a locked-out account due to a
policy setting. Better Administrative practices will keep that from
happening. Good luck and let me know how it goes.

- Thee Chicago Wolf

.