Re: Help - administrator locked out!
- From: Ageing Brilliantine Stick Insect <AgeingBrilliantineStickInsect@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Feb 2008 14:35:02 -0800
But wait.....there's more! And the reason for my frustrations will become
evident.
Just to recap, here's the WHOLE story so far.
6 months ago we decided to install a domain controller and a small domain in
one of our remote offices. As I mentioned, we normally have a third party do
all our server building etc, but as this was a small network (1 server, 5
users) the job was handed to me. I did a bog-standard install of a Windows
2003 DC, created all the users, put the server in, and tested all the user
accounts. It was all going swimmingly. The next step was to hand the machine
over to ANOTHER 3rd party. They were going to install an enterprise
application on the server, on the workstations and train the staff. They had
requested an administrator logon to be able to complete this work. As they
would need a fair degree of freedom in setting things up, I gave them a
domain admin account. They arrived onsite and spent 4 days doing their thing.
The day after they had finished I got a call from the users at this site
telling me this enterprise app was not working. I went to the site. What I
discovered was rather dismaying - the third party had told all the users to
forget their normal user accounts that they had been using for a couple of
weeks, and they were all now to log on using the domain admin account! Not
only that, but he had helpfully put a sticky note on each PC with the
password! These are PCs that are in easily-accessible public places. One of
them is even attached to a cash drawer! Not only did this third party not
consider this any sort of security risk, the manager of this site also
considered it a fine practice!
So I start investigating why this app wasn't working. It seems the 3rd party
had installed the app on the server and 1 PC. He had left no instructions for
the people at the site, or for me, so I spent the next hour on the phone
finding out how to get this thing working, and then another couple of hours
setting up each workstation.
So what does my boss do about this? Maybe not pay their bill? Maybe charge
them for the time I spent doing their work? Nope.....nothing.....why should
she care - she has a lackey (me) that can waste my time doing that sort of
stuff.
Anyway, fast forward about 6 months. I'm on holiday. I get a call from the
boss. "What's the password on that server?". I tell her. "OK....see you in 3
weeks". 3 weeks later I get to work. The story I get is this: The users at
this remote site began getting 'change your password' messages while I was on
leave. All but 2 of the users waited until their password had actually
reached expiry before letting us know ('us' being my colleagues who weren't
on leave), and even then, rather than just changing their passwords they just
rang the help desk to say 'we can't get in. we had been getting messages to
change our passwords, but we didn't'. Why they didn't is anyone's guess, but
there you go. So the boss tells me that not even the administrator can log on
(which is right) and can I research the subject and see if I can fix things.
She then went away for 2 days.
So I started investigating. What I found was this - all the accounts apart
from 2 could not log on. My colleagues had actually attended the site, but
had not been able to fix the problem. My colleagues had also received
detailed instructions from our 3rd party network/hardware people as to how to
solve this problem (the old boot into DSR mode, install srvany etc etc), but
for some reason had not been able to follow these instructions, and also did
not feel the need to tell me that they had the info that I had just been told
to go and find on the net. Even more frustrating, one of my colleagues
apparently had logged on successfully into safe mode (so at least our local
admin password still works), but he 'didn't know how he had done it', and
'couldn't remember how to do it again'......but I still hadn't been told this,
so at this stage I headed for this forum, and posted my post.
So hopefully Wolf, you can see why my frustration boiled over when I read
your response. Not only have I been sold an absolute dump by my colleagues,
but now people thought I was some sort of script kiddie! To be quite honest
it never occurred to me that my post could be construed in that way.
Anyway, I'll be off to this site today. Hopefully the local admin password
still works and I will be able to get things functioning again.......I'll let
you know of success or otherwise.
"Thee Chicago Wolf" wrote:
1 more question (showing my ignorance here)....I know when a machine is made
a DC the local administrator account 'goes away'. When you boot into safe
mode, that account is available again, isn't it? If this is the case, I am
pretty sure I should be able to remember the local admin password.
Also, I didn't actually create any password policies or anything like that.
It's just a bog standard W2K3 DC installation. I read somewhere else that
normal password policies/restrictions do not apply to administrator accounts,
but even if they did, shouldn't all the users, as well as the administrator
still be getting the option to change the password, rather than just a
'username/domain is incorrect message'?
I believe it becomes a Domain Admin account but someone who's more
intimate with that level of expertise could answer accurately. It is
part of the tiered hierarchy that was introduced in 2003 server and, I
guess, 2000 server for all intents and purposes. Re-ask this specific
question outside this conversation as I'm sure someone will respond
quick about it. There's always Google! Cheers.
- Thee Chicago Wolf