Friday 25 March 2011

SBS 2011 and a locked out Domain Administrator

I did a silly... I changed the default domain policy and then locked out the only domain administrator account I had. I'd made a lot of changes to it and didn't want to have to redo them, so I dropped in ERD Commander 6 to reset the account. BUT it doesn't work on SBS 2011!

So what next? Some googling, some posting on the minasi.com forum, and I got a plan of sorts, all culminating in the following steps to unlock the Domain Administrator account on an SBS 2011 box.
Assuming you have the DSRM password (or, if not, a method to reset the local administrator password), try the following.


Boot into DSRM.

Then enable the DSRM Administrator account to log on while AD is running.

Edit the registry as follows:

HKLM\System\CurrentControlSet\Control\LSA\DsrmLogonBehavior

The default is 1.
Change it to 2 to allow the DSRM Administrator to log on while AD is running.
0 means the DSRM Administrator can log on only in DSRM.

Then get a copy of the Windows 2K3 Resource Kit tools and copy the tools folder to the C drive of the SBS server. Use the following to add a service called EnableAccount:
instsrv EnableAccount c:\tools\srvany.exe

Edit - One of the lads on minasi.com has mentioned that it may be possible to use sc create as opposed to loading the W2K3 Resource Kit tools. The syntax would be
sc create EnableService
I have not tested this, but I don't see a problem.

Then open the registry again and navigate to the newly created service:
HKLM\SYSTEM\CurrentControlSet\Services\EnableAccount
Create a key called Parameters.
Inside the new key, create a string value named Application and set it to C:\reset.cmd


Open Notepad and put in the following line to get a listing of all accounts:

dsquery user -name * DC=SBS,DC=local > c:\accounts.txt

(Your domain name will be different: DC=domainname,DC=local, .loc, etc.)

Save the file as reset.cmd, with the file type set to All Files so that Notepad does not append a .txt extension.

Now reboot the server.

Log in as the DSRM user and open accounts.txt.
Get the full distinguished name of the domain admin account you have locked out, for example
"CN=ABC Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=abcsbs,DC=local"
and put it into the following dsmod commands in the reset.cmd file.


dsmod user ......... -disabled no
dsmod user ......... -pwd Pa$$w0rd
dsmod user ......... -pwdneverexpires yes

In my case it was something along these lines:

dsmod user "CN=ABC Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=abcsbs,DC=local" -disabled no
dsmod user "CN=ABC Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=abcsbs,DC=local" -pwd Pa$$w0rd
dsmod user "CN=ABC Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=abcsbs,DC=local" -pwdneverexpires yes

(Pa$$w0rd being the new password in my case.)

Save the reset.cmd file and restart the EnableAccount service in Services.

Log off and try logging back into the domain; remember to use your SBS domain name and user account rather than the DSRM ones, which may be different.
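Once you are back in, the procedure above leaves behind a LocalSystem service that re-runs C:\reset.cmd (which holds the new password in clear text), a dump of every user DN, and a DSRM account that can log on while AD is running. The following cleanup script is an added example, not part of the original post; it assumes the service, file and key names used above, and that the post's "DsrmLogonBehavior" refers to the value Microsoft documents as DsrmAdminLogonBehavior. It sets that value back to 0 (DSRM-only logon, as described above).

```powershell
# Post-recovery cleanup for the DSRM/srvany unlock procedure (added example).
# Run from an elevated PowerShell on the SBS server once the domain admin works again.
# Assumptions: service name, file paths and the DsrmAdminLogonBehavior value name.

$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName   = 'DsrmAdminLogonBehavior'   # documented name; the post abbreviates it
$serviceName = 'EnableAccount'            # temporary srvany service created above
$resetScript = 'C:\reset.cmd'             # batch file the service ran; contains the password
$accountDump = 'C:\accounts.txt'          # dsquery output listing every user DN

# 1. Report the DSRM logon setting and restore 0 so the DSRM account is DSRM-only again.
$current = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq $null) {
    Write-Host "$valueName is not set (behaves as 0: DSRM-only logon)."
} elseif ($current -ne 0) {
    Write-Host "$valueName is $current; resetting to 0."
    Set-ItemProperty -Path $lsaKey -Name $valueName -Value 0 -Type DWord
} else {
    Write-Host "$valueName is already 0."
}

# 2. Stop and delete the temporary service. Left in place, it is a LocalSystem service
#    that executes whatever C:\reset.cmd contains every time it starts.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc -ne $null) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $serviceName -Force }
    & sc.exe delete $serviceName | Out-Null
    Write-Host "Removed service $serviceName."
} else {
    Write-Host "Service $serviceName not present."
}

# 3. Remove the artefacts: reset.cmd holds the new admin password in clear text and
#    accounts.txt is a complete list of user DNs; neither belongs on the system drive.
foreach ($f in @($resetScript, $accountDump)) {
    if (Test-Path $f) {
        Remove-Item -Path $f -Force
        Write-Host "Deleted $f."
    }
}
```

After running it, change the admin password that was written into reset.cmd and, if you used `-pwdneverexpires yes`, set it back with `dsmod user "<account DN>" -pwdneverexpires no` so the account is subject to the domain password policy again.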
