HowTo: Reset Win2k3SP2 Active Directory Domain Administrator account password

Reset Win2k3SP2 Active Directory Domain Administrator account password.

You will need the Directory Services Restore Mode (DSRM) password. Use the Microsoft procedure at http://support.microsoft.com/kb/322672 to reset it, or use ERD Commander to reset the password.

We create a startup script in local group policy that creates a new domain account and adds it to the Domain Admins group, so that we can log in with it.
1. Create builddomainadmin.bat and script.ini.

builddomainadmin.bat
rem Create the temporary domain account and add it to Domain Admins.
net user tempadmin Password01! /add /domain
net group "domain admins" tempadmin /add /domain

script.ini (this is the startup-script list that Group Policy reads; the entries sit in a [Startup] section, and the first script is numbered 0)
[Startup]
0CmdLine=C:\builddomainadmin.bat
0Parameters=

2. Copy builddomainadmin.bat to c:\builddomainadmin.bat.

This batch file creates a domain account "tempadmin" with the password "Password01!" and puts it in the "domain admins" group.

3. Copy script.ini to c:\windows\system32\grouppolicy\machine\scripts\scripts.ini.
Note that "grouppolicy" is a hidden folder.
.
4. Edit the file at c:\windows\system32\grouppolicy\gpt.ini.

Here is an example gpt.ini file (the entries sit in a [General] section):

gpt.ini
[General]
gPCFunctionalityVersion=2
gPCMachineExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]
version=10
.
a) Under the entry "gPCFunctionalityVersion=2", check whether there is an entry starting with "gPCMachineExtensionNames".

If there is not, add the following entry:
gPCMachineExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]

If there is, append "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]" to the end of the existing extensions, for example:
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]

b) Under "gPCMachineExtensionNames", check whether there is an entry named "version=xxxxx". Group Policy only reprocesses the policy when this version number changes.

If there is an entry named "version=xxxxx", increase the version number by 10.

If there is no entry named "version=xxxxx", create the entry "version=10" manually.

A tip: create a startup script in local group policy on a test machine, then compare the auto-generated gpt.ini with the one you edited by hand.
.
5. Restart the DC into normal mode and try to log in with the domain account "tempadmin" and the password "Password01!".

If you are able to log in, reset your original domain admin's password, log in as the original domain admin, and delete the tempadmin account.
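The hand edit of gpt.ini in step 4 is where this procedure most often goes wrong (a duplicated extension pair, a version that was not raised). The following is an added example, not from the original HowTo: it applies steps 4a and 4b to the text of gpt.ini and checks the result, so you can run it against a copy of the file on any machine with Python and then write the output back. It assumes the key names exactly as shown above.

```python
# Added example (not part of the original HowTo): applies steps 4a and 4b
# to the text of gpt.ini and lets you verify the result before rebooting.

SCRIPTS_CSE = ("[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}"
               "{40B6664F-4972-11D1-A7CA-0000F87571E3}]")  # pair from the HowTo


def update_gpt_ini(text: str, bump: int = 10) -> str:
    """Return gpt.ini contents with the Scripts extension pair registered
    (step 4a) and the version raised by `bump`, or created as `bump`,
    (step 4b). Lines that need no change, such as the section header,
    are kept as they are."""
    out = []
    func_idx = None          # position of gPCFunctionalityVersion=, if present
    seen_ext = seen_ver = False
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        k = key.strip().lower()
        if sep and k == "gpcfunctionalityversion":
            func_idx = len(out)
        elif sep and k == "gpcmachineextensionnames":
            seen_ext = True
            # Step 4a, "if yes": append the pair once; never duplicate it.
            if SCRIPTS_CSE.lower() not in value.lower():
                line = key + "=" + value.strip() + SCRIPTS_CSE
        elif sep and k == "version":
            seen_ver = True
            # Step 4b, "if yes": increase the existing number by 10.
            line = key + "=" + str(int(value.strip()) + bump)
        out.append(line)
    if not seen_ext:
        # Step 4a, "if no": add the entry right under gPCFunctionalityVersion.
        pos = len(out) if func_idx is None else func_idx + 1
        out.insert(pos, "gPCMachineExtensionNames=" + SCRIPTS_CSE)
    if not seen_ver:
        # Step 4b, "if no": create version=10 at the end of the file.
        out.append("version=" + str(bump))
    return "\n".join(out) + "\n"


def startup_script_registered(text: str) -> bool:
    """Check that gpt.ini lists the Scripts pair and has a numeric version."""
    ext_ok = ver_ok = False
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        k = key.strip().lower()
        if sep and k == "gpcmachineextensionnames":
            ext_ok = SCRIPTS_CSE.lower() in value.lower()
        elif sep and k == "version" and value.strip().isdigit():
            ver_ok = True
    return ext_ok and ver_ok
```

Running update_gpt_ini twice over the same file leaves a single copy of the extension pair, so a re-run after a typo does not corrupt the entry.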