☣️ Resetting a local account password

If you have a server that is in the domain, and you are unable to log into that server due to a forgotten password, or a primary domain relationship failure - this requires you to know the local account on the server.

Before you know how to fix it, you need to know where the problem is located and the thought process, but if you only want the solution then its at the bottom of this post.

Recovery ❤️‍🩹 Methodology

The usual methodology for fixing this is to use a program like ERD, if your server is stuck in the past with the dinosaurs πŸ¦• 

If your server is something of the Century then you may have come across a utility called DaRT - this is the desktop and recovery toolset and is provided to most organisations that have software assurance.

The purpose of this software is to let you do detailed and complicated operations on the operating system, without knowing the password to access it, it goes without saying due to the existence of tools like this, the tool itself should be passed were protected and you should have your USB ports and boot menus lockdown on your servers.

Bitlocker and DaRT

when using DaRT you need to remember that it’s fully integrated with Blocker, which means it fully supports it, Therefore, if someone has physical access to your device, you can still access the operating system with the recovery partition - this is true if you use SSC encryption and or ADE encryption

Bitlocker encryption only kicks in when something physical changes on The device, Remember, all DaRT does is mount recovery partition, and try to access your Windows partition from within that recovery partition.

This is a good lesson in making sure your USB ports are locked down, Your boot menu is password-protected, so someone cannot boot off the USB drive and bypass your own security - DaRT He’s not intruding on the operating system because it’s a official Microsoft product!

SAN/Remote Disk Booting

if you still have your operating system booting off a remote disk, Unfortunately, that is not done in this century, Usually the remote disk or the SAN will provide additional data disks that compliment the local storage drive.

however, if you do boot the operating system from A remote disk, Which would only be ever usually done with servers, That the local partition which would usually usually be served by an array controller Would either be empty or it would mistakenly have its own operating system on the array controller - However, with a program like DaRT that could end up adding to the confusion.

ERD should not be used ⚠️

if you have an operating system that supports ERD commander, then you are talking about an operating system of Windows server 2003 or before, Or in the speak of client, operating systems, that will be Windows XP or before.

ERD He’s not really a product for handling remote discs or for that matter bitlocker drives - Blocker wasn’t even out with ERD commander so that definitely won’t work, However, if you have a remote disk that houses, the Operating system When you boot up ERD, it will tell you there are no volumes available that have windows on them, This is a specially the fact if you’re using A remote disk with a new operating system, Say anything from the century.

Supplemental drivers

When Windows NT4 both the workstation and the server were the mainstream operating systems and their Counterparts were Windows 95 and Windows 98, then, one of the actions you needed to Complete was supplementing drivers that would then support the devices attached to your computer.

During the build process, this was known as slipstreaming drivers, This is where you told the Windows operating system, how to access devices it would otherwise be unable to access by slipstreaming drivers into the bootable ISO.

This was where the “have disk” Option appeared, This would allow you to add additional drivers to the set up process which would enable the computer to talk to non-standard device drivers

However, after server 2008 or Windows 7, lots of the drivers were included by default, Which killed the whole point of slipstreaming drivers For common devices, You only really needed to worry about additional device drivers for specialist or custom hardware, Which brings me perfectly onto the next point….

Windows Password Recovery ISO

this is a very handy utility that will scan for Windows Partitions and let you reset the password of those computer accounts by manipulating the hash tokens, this would usually be a Linux distribution that would boot up, and then Scan for partitions

Now, if you go back to my point earlier about the remote disk and the array controller drives, then, out of the box applications, like this are designed to talk to home-based computers that don’t have anything jazzy like array controllers, or remote disks

this means the utilities that work very well in a homes setting will fail to see the disk Completely on a server that has special requirements or in the instance here reads the local Drive that doesn’t have anything on it and then tells you it can’t mount windows because it doesn’t find a copy of of windows on that particular drive.

Linux Recovery Supplemental drivers

If you wish for a Linux based recovery platform to reset your Windows password, then you will absolutely need to use the option to manually load drivers for your particular server so it can then see the drive that has windows located on it.

This will require you have have the relevent device drivers that will tell Linux how to access you drives and devices.

DaRT 🎯 - Bring out the magic.

So ERD does not always work, And the recovery Linux based bootable ISO’s, don’t always see every single disk in a corporate setting, So obviously, this leads us onto using DaRT - What could possibly go wrong?

unfortunately not, There are a couple of different versions of DaRT that have been released over the years but the different flavours go something like this:

DaRT 7 : Below Server 2012 R2/Windows 7
DaRT 8:  Above Server 2012 R2/Windows 8
DaRT 10 : Above Server 2019/ Windows 10

This seems to be how it works, It seems to be based on the kernel that the server is running, I have also included the desktop version for people not in a server setting.

However, you may be tempted or inclined to just use the Latest version on the server you were trying to recover, but based on the operating system, that may not work, So in this example, we have a server running server 2008 with a remote disk, So we would choose the recovery to set option A, This is in the form of an ISO - So you would need to boot the server of this image

You need to select the option as shown below to launch the Recovery toolset…

This will show you a big list of options above and beyond the command prompt to recover your Server, this will look something like this…..

Excellent all good so far, this should be over in a couple of moments, obviously, the option we want is the option for Locksmith, this will let us reset the password to the local computer which is exactly The intention.

Confidently click the Locksmith button, and all will be fixed in a matter of seconds, except wait a moment that doesn’t seem to be working….

Thwarted by bears🐻 We seem to have an application error in the Locksmith application, This is not good that is going to put a massive dent on our response. Time to get this server back online, However, upon closer inspection of the other options, we noticed for all the windows based components rather than getting the response. We are getting an error, Which means the particularly handy toolset is not very handy at all.

DaRT : Try the latest version

The corrective version of the recovery tool set doesn’t appear to be working, so why don’t we just go all in and get the one designed for server 2019 and above, so you mount this particular ISO and the windows 10 logo appears on your screen, and it looks like this version is working

10 minutes ago by and you still have the Windows logo on your screen, however, you’ve noticed the Spinney circle that should accompany the windows logo is not appearing, should I give it some more time?

Well actually, The reason it’s not booting is because it remapping your boot manager to the local disk that has nothing on it, Because one of the new things in the latest version of DaRT Is to automatically try to remediate problems without letting you know, But you won’t know this has happened until you reboot yourself because you’ve got bored of waiting.

Boot Manager all rewritten

you give the shiny new addition of the recovery tool, a good, 30 minutes and then you decide to reboot your server only to find that when it tries to boot off the Drive that worked before you now get an error saying winload.exe Could not be found, and to run the repair on your operating system.

so you started in a place you wanted to be and now you’ve dug yourself a hole that’s made it worse, Interestingly, the fix for this is, you can manually re-link the boot loader the correct partition, or you can mount the previous version of DaRt that didn’t work because of the application errors, and that will immediately tell you it’s found a problem with the boot loader, and it would like to correct it - Which it will successfully do when you give it permission to restart.

just to put things in perspective, the new version of DaRT Incorrectly rewrote the boot file to the wrong Partition, The older version of DaRT Immediately noticed, and asked if you would like to fix the Boot manager - I guess that’s why they say don’t use newer versions on older operating systems πŸ‘€

Rabbit πŸ‡ Hole

so what we established is, we can’t use ERD because we’re living in this century without the dinosaurs πŸ¦–, We also cannot use the correct version of DaRT Because that doesn’t let us do what is required due to the application errors, and we can’t use the latest version of DaRT Because that fails the boot and quietly rewrites the boot Manager to the wrong partition?

All hope is lost 😑 

Actually, no, hope he’s not lost because for the solution you need to think outside the box, And the outside box thinking calls me we are relying on a recovery tool set to do the majority of the work for us, But that does not need to be the case.

For 95% of the operations you need to do with windows then DaRT Is absolutely the right tool to do the job, However, for the 5% of problems where you need to think outside the box You actually have a way of getting this recovered without any Recovery toolsets.

Reset Password with installation ISO, kinda

Yes, you read that right however for this to work you need to match the version of the Windows on the ISO with the version of Windows installed and boot of that ISO, for backwards computability I have chosen Server 2008 however this applies to all the newer Windows platforms as well.

Boot of the ISO via USB or iLO (remote access for servers) and you get here, choose a language:

Then you want to choose "Repair your computer" as below:

This will then show you the detected Windows OS, here we see Server 2008 R2 and the drive letter which in the case is D:

You then need to choose Command Prompt as below:

That will put you in the X: which is the installation drive, you need to change this to drive D: as that is the drive letter from earlier on then you need to move a file and then copy it using the below:

cd windows\system32
move utilman.exe untilman.bak
copy cmd.exe untilman.exe

Note : This command replaces the accessibility button with the command prompt this will need to be changed back after your server is fixed.

Boot device normally

Now you have updated those files boot the server normally and when on the login screen it should look like this, do not login but press the accessibility icon shown below:

You will now see a command prompt as below, running as the system account:

If you are not sure of the username for the local account as it should not be "Administrator" then run the command "net user" to find all the local accounts

In this example we will use the "Guest" account, so in order to reset the password the syntax is like this:

net user <username> <new password>

This is shown below:

If you get an error about not being a member of the "remote desktop users" then for the example above you can run this command to fix that, replace <username> with the actual username:

net localgroup "Remote Desktop Users" <username> /add

Once you have logged in, please ensure you issue these commands:

dell utilman.exe 
ren untilman.bak untilman.exe

Now you have reset the password for the account this means you can one again login to the server.
Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„