Administrator password unavailable - Small Business Server
Philip Herlihy
from my competitors. Among other problems, we have a Small Business
Server which is in the "locked" state, and we have no Administrator
password available. Apparently my immediate predecessor is dealing with
a grave family illness and has not responded to phonecalls or emails
over several weeks.
I'll declare now (as I've declared to my client) that I'm not very
familiar with SBS - I'll have to set one up on a test machine and study
it as soon as get the chance. The login screen announces itself as
"Windows Server 2003 for Small Business Server" so I can't even be sure
which version we have.
The office has seven PCs in the domain. In the very limited time I have
to look at this problem I've tried logging on as one of the "normal"
domain users - this account does not have Administrator status, and it's
unlikely that any of the other accounts would have greater privileges.
I've tried connecting via Remote Desktop (which has clearly been used in
the past) but it appears that only the Administrator account has the
necessary privileges. I've also tried logging on remotely via
Sysinternals' psexec utility, but this is blocked.
At the moment the server is continuing to provide SQL Server services to
a line-of-business application and I've managed to provide them with
access from Outlook to a POP3 server but it's clear that this is a
disaster looming. I'm assuming that SBS isn't readily "hacked". I do
have physical access to the server and could, for example, dismantle it
if that would help! The only alternative seems to be to put pressure on
my predecessor which everyone is loath to consider.
Suggestions already received:
Install a new copy of SBS over the top. However, I very much doubt my
client will be able to produce the original CDs and keys, and the only copy
I have is an Action Pack version, which I guess will produce licensing and
activation problems.
Reset the password using this utility:
http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html
I very much doubt that encryption has been used by this client, and I
recognise that data loss will be irrecoverable if I turn out to be wrong!
I'll be grateful for any advice.
--
PH, London
===========
Merv Porter [SBS-MVP]
the normal SBS 2003 componetns (Exchange, Sharepoint, ISA, etc.). This is
called: "Windows Server 2003 for Small Business Server". Basically, this
is a cheaper version of Windows 2003 with limitations of 15 CALs maximum,
must be the only domain controller, must purchase/use SBS2003 CALs, and a
few other restrictions.
The full SBS 2003 is called: Windows Small Business Server 2003.
For password recovery....
NTAccess
($70.00 US)
http://shop.sunbelt-software.com/product.cfm?name=NTAccess
OR,
----------------------------------------------
Domain Administrator (and/or Local Administrator) Password Recovery Process
(free, but more work)
-- Should work for "Windows Server 2003 for Small Business Server"
Operating Systems:
Windows 2000
Windows XP
Windows 2003
I. DSRM (Directory Services Restore Mode)
If the domain Administrator password was changed from the Server Management
console, the local Administrator password should have remained unchanged
(SBS 2003 initially syncs the Domain Administrator and (DSRM) Local
Administrator passwords). If so, the procedure below should let you change
the Domain Administrator password and get you access to your server (you can
skip the first steps if the [DSRM] Local Administrator password has not been
changed by anyone).
II. Change Domain Administrator Password Procedure
Reference...
http://forum.s-t-d.org/viewtopic.php?pid=13450
To recover a lost/forgotten AD Domain Admin password:
1. If Needed: Boot DC with Knoppix S-T-D (see Part III below)
2. If Needed: Reset Local Administrator Password (chntpwd) - used for DSRM
access
3. Boot using F8 - Directory Services Restore Mode
4. Logon with Local Administrator username/password
5. Launch Regedit & navigate to:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Spooler
6. Change ImagePath value to:
c:\windows\system32\cmd.exe /k net user administrator pAssword /domain
7. Reboot and wait for the error from the print spooler failure
8. Logon with your newly set Administrator password (pAssword - case
sensitive)
9. Undo registry setting in step 6 or printing will not work.
10. Start Print Spooler Service
11. If desired, reset Domain Administrator password using Console
III. KNOPPIX Change Local Administrator Password Procedure
If you do not know the (DSRM) Local Administrator password for the server or
you suspect that it has been changed, go to:
http://mirror.cs.vt.edu/pub/Knoppix-STD/
download the .iso and create the CD. Then follow the instructions at:
http://www.astahost.com/how-reset-nt-password-using-knoppix-std-t8716.html
to reset the (DSRM) local Administrator account password
(using Knoppix, the username "Administrator" is case sensitive, so if you
see a cap letter on the "A", take note to type it that way when you specify
the account to reset the password).
The instructions at this web site are for Windows 2000, so when you get to
the part that says:
Type: cd /mnt/hda2/WINNT/system32/config (Win2000)
Instead use:
Type: cd /mnt/hda2/WINDOWS/system32/config) (WinXP, Win2003)
--------------------------------------------------------
KNOPPIX STEPS - CONDENSED
1. Boot on Knoppix CD
2. Right-click on the desktop and select XShells>Root Aterm
3. Type: cat /etc/fstab
4. Type: mount -o rw /dev/hda2 /mnt/hda2
("/dev/hda2 /mnt/hda2 ntfs" is the target hard drive; it may be "hda1" or
another designation)
5. Type: cd /mnt/hda2/WINNT/system32/config (Win2000)
or, Type: cd /mnt/hda2/WINDOWS/system32/config (WinXP, Win2003)
6. Type: ls -l (both instances are lower case "L")
7. Type: chntpw
8. Type: chntpw -l sam system security
9. Type: chntpw -u Administrator sam system security
(case sensitive, so use uppercase "A")
10. Do you really wish to disable SYSKEY? (y/n) [n] n
11. Please enter new password: *
(* = Blank Password; you can specify a secure one)
12. Do you really wish to change it? (y/n) [n] y
13. Write hive files? (y/n) [n] : y
14. From the desktop right-click > reboot
(or, if problematic, just pull the plug and reboot the machine)
IV. RESYNCING DSRM and Domain Administrator Passwords
SBS 2003 syncs the domain administrator password with the local
administrator (DSRM) password when you install it. If you want to resync
it, use the KB article below to reset the DSRM password to match the new
Domain Administrator password (not necessary, but for disaster recovery you
should record the DSRM password somewhere if it's different from the Domain
Administrator password)
How To Reset the Directory Services Restore Mode Administrator Account
Password in Windows Server 2003
http://support.microsoft.com/kb/322672
----------------------------------------------
--
Merv Porter [SBS-MVP]
============================
"Philip Herlihy" <thiswillb...@you.com> wrote in message
news:eu8as5$pqm$1$830f...@news.demon.co.uk...
Joe
> You may have a version of Small Business Server that does not contain any of
> the normal SBS 2003 componetns (Exchange, Sharepoint, ISA, etc.). This is
> called: "Windows Server 2003 for Small Business Server". Basically, this
> is a cheaper version of Windows 2003 with limitations of 15 CALs maximum,
> must be the only domain controller, must purchase/use SBS2003 CALs, and a
> few other restrictions.
Merv, how many times have you seen an SBS login screen? Look more
closely next time, as SBS is built on the cut-down version, and
that's what comes up on the login screen.
Merv Porter [SBS-MVP]
and confiscation of my Bart PE disaster recovery CD. :-)
--
Merv Porter [SBS-MVP]
============================
"Joe" <j...@jretrading.com> wrote in message
news:%23jUJ517...@TK2MSFTNGP02.phx.gbl...
Philip Herlihy
The server is chugging along happily in its inviolate state, which is
just as well as there won't be an opportunity to try any of this for
about ten days! I'll study very carefully everything you've suggested
and I'll come back eventually and let you know how I got on.
Thanks!
Phil, London
SuperGumby [SBS MVP]
http://companyweb, do you get CompanyWeb?
(if not, ping companyweb, does it resolve?)
If it's SBS2003 and fully installed/working you should get positive results,
negative results means it's either Fresno (Windows Server for Small Business
Server) or was not fully installed.
From any PC. start, run, mmc, file, add/remove snapin, add, group policy
management, browse to AD and it should list a number of policies starting
'Small Business Server...', I'm pretty sure Fresno won't have these.
There'll also be a branch to MyBusiness.dom.local, almost certain Fresno
won't have this one. If you try to open the policies you will probably be
denied but their existence gives us a better idea of the state of the
server.
You _might_ try making a minor change to group policy using one of the
business principal's accounts, if you succeed it may be that that user has
been given elevated rights and can change the Domain Admin password. 'net
help user' or via mmc if we can identify an account with elevated
privelages.
"Philip Herlihy" <thiswillb...@you.com> wrote in message
news:eu95np$f5j$1$8302...@news.demon.co.uk...
Philip Herlihy
PCs that an exchange server used to exist on a machine of that name, but
it doesn't respond to connection attempts - I haven't yet tried the
telnet trick (when I last messed with Exchange version 5.5 was brand new
and connection was via RPC if I recall correctly!). I'll also try the
companyweb and mmc dodges.
Is that the UK Gumby or the US one? (The UK one involves a handkerchief
as essential apparel ...)
:-)
Phil
Philip Herlihy
I do get CompanyWeb coming up,
I do see policies starting "Small Business Server...",
I do see MyBusiness.dom,
I do get a response from Exchange using telnet 25
So, we now know that it's full SBS. I can't access any of the Group
Policy objects, and I've since learned that there is positive reason to
believe that my predecessor removed all admin privileges and changed the
admin password before disappearing. (Phew!).
Thanks for your help. I'll be dismantling the machine to image it
(don't have server-licensed image software!) and I'll try one of the
terrifying methods outlined in this thread when I next get to the
machine in about a week's time.
Phil, London
SuperGumby [SBS MVP]
and if I was the business owner I'd be looking to sue someone. No reason, no
circumstances for locking the owner out.
I'd try the tools, probably Knoppix 1st.
"Philip Herlihy" <thiswillb...@you.com> wrote in message
news:eudck6$s84$1$8300...@news.demon.co.uk...