Friday, 25 March 2011

SBS 2011 and a locked out Domain Administrator

I did a silly....I changed the default domain policy and then locked out the only domain administrator account I had. I'd a lot of changes made to it and didn't want to have to redo it so dropped in ERD Commander 6 to reset the account. BUT its doesn't work on SBS 2011!

So what next, some googles, some posting into the forum and I got a plan of sorts all culminating in the following steps to unlock the Domain Adminsitrator account on a SBS 2011 box.
Assuming you have the DSRM password, or if not a method to reset the local administrator password try the following.

Boot into DSRM

Then enable DSRM password to login while AD is running.

Edit the registry as follows;


Default is set to 1
Change to 2 to allow DSRM Administrator to logon when AD is running.
0 is DSRM Administrator can logon only in DSRM.

Then get a copy of the Windows 2K3 Resource Kit tools copy the tools folder to the C Drive of the SBS Server. Use the following to add a service called EnableAccount
instsrv EnableAccount c:\tools\srvany.exe

Edit - One of the lads on has mentioned that it may be possible to use sc create as opposed to loading the W2K3 Resource Kit tools. The syntax would be
sc create EnableService
I have not tested this, but I don't see a problem

Then open the registry again
Navigate to our newly created service:
Create a key called Parameters
Inside the new key, create a new string value with name Application and set it to C:\reset.cmd

Open notepad and put in the following line to get an output of all accounts.

dsquery user -name * DC=SBS,DC=local > c:\accounts.txt     your domain name will be different (DC=domainname,DC=local/loc/ etc)

Save the notepad file as reset.cmd and the file type as all types.

Now reboot the server.

Login as the DSRM user and open the accounts.txt
Get the full account domain admin name you have locked out
"CN=ABC Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=abcsbs,DC=local"
and put it into the following dsmod queries in the reset.cmd file.

dsmod user ......... -disabled no
dsmod user ......... -pwd Pa$$w0rd
dsmod user ......... -pwdneverexpires yes

In my case something along these lines

dsmod user "CN=ABC Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=abcsbs,DC=local" -disabled no
dsmod user "CN=ABC Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=abcsbs,DC=local" -pwd Pa$$w0rd  (In my case here, Pa$$w0rd)
dsmod user "CN=ABCC Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=abcsbs,DC=local" -pwdneverexpires yes

Save the reset.cmd file and restart the enableaccount service in services.

Logoff and try logging back into the domain, remember to use your SBS domain name and user account as opposed to the DSRM which may be different.

No comments: