Help - administrator locked out!

February 5, 2008

I have just come back from 6 weeks leave. While I was gone, users at one of

our remote branches started getting 'must change password in xx days'

messages (they have their own 1-server domain running W2K3). Being users, all

they did was to note down the message, and then ring the help desk the day

AFTER xx days had expired! Now all their passwords have expired (apart from 2

users who changed theirs in the required time) and they cannot log onto the

domain. The really strange thing is that the passwords for the domain

administrator appear to have expired also, as well as the 'back-door' account

I set up for myself for just such an occurrence. Their server still runs, and

the users all have to log on as 1 of the 2 users who managed to change their

passwords, and the enterprise app on their server is still running

also........it's just that no-one can now log onto the server console.

I am a little concerned as to what is my next move, because if I get it

wrong, there may be no way to recover the server......I'm even loathe to

reboot it.

Anyway......if I start up in safe mode (is that possible on W2K3?) would I

then be able to get in to fix up the passwords (or whatever else it is that

has gone wrong)?

And just by way of interest.....can this actually happen? I mean I am really

surprised that the administrator account has been locked out (....I wonder if

it has been locked out due to repeated failed logon attempts?).....should

this actually happen, or should I start thinking 'virus'?

February 5, 2008

Re: Help - administrator locked out!

"Ageing Brilliantine Stick Insect"

<AgeingBrilliantineStickInsect@discussions.microsoft.com> wrote in message

news:4977F0AC-41EF-4F73-A8A2-1237B6ADF2D9@microsoft.com...

>I have just come back from 6 weeks leave. While I was gone, users at one of

> our remote branches started getting 'must change password in xx days'

> messages (they have their own 1-server domain running W2K3). Being users,

> all

> they did was to note down the message, and then ring the help desk the day

> AFTER xx days had expired! Now all their passwords have expired (apart

> from 2

> users who changed theirs in the required time) and they cannot log onto

> the

> domain. The really strange thing is that the passwords for the domain

> administrator appear to have expired also, as well as the 'back-door'

> account

> I set up for myself for just such an occurrence. Their server still runs,

> and

> the users all have to log on as 1 of the 2 users who managed to change

> their

> passwords, and the enterprise app on their server is still running

> also........it's just that no-one can now log onto the server console.

>

> I am a little concerned as to what is my next move, because if I get it

> wrong, there may be no way to recover the server......I'm even loathe to

> reboot it.

>

> Anyway......if I start up in safe mode (is that possible on W2K3?) would I

> then be able to get in to fix up the passwords (or whatever else it is

> that

> has gone wrong)?

>

> And just by way of interest.....can this actually happen? I mean I am

> really

> surprised that the administrator account has been locked out (....I wonder

> if

> it has been locked out due to repeated failed logon attempts?).....should

> this actually happen, or should I start thinking 'virus'?

Mmh. In my experience, when a password has expired then

the user MUST enter a new password to log on. He is not

locked out, as long as he knows the expired password.

February 5, 2008

Re: Help - administrator locked out!

>I have just come back from 6 weeks leave. While I was gone, users at one of

>our remote branches started getting 'must change password in xx days'

>messages (they have their own 1-server domain running W2K3). Being users, all

>they did was to note down the message, and then ring the help desk the day

>AFTER xx days had expired! Now all their passwords have expired (apart from 2

>users who changed theirs in the required time) and they cannot log onto the

>domain. The really strange thing is that the passwords for the domain

>administrator appear to have expired also, as well as the 'back-door' account

>I set up for myself for just such an occurrence. Their server still runs, and

>the users all have to log on as 1 of the 2 users who managed to change their

>passwords, and the enterprise app on their server is still running

>also........it's just that no-one can now log onto the server console.

>

>I am a little concerned as to what is my next move, because if I get it

>wrong, there may be no way to recover the server......I'm even loathe to

>reboot it.

>

>Anyway......if I start up in safe mode (is that possible on W2K3?) would I

>then be able to get in to fix up the passwords (or whatever else it is that

>has gone wrong)?

>

>And just by way of interest.....can this actually happen? I mean I am really

>surprised that the administrator account has been locked out (....I wonder if

>it has been locked out due to repeated failed logon attempts?).....should

>this actually happen, or should I start thinking 'virus'?

Questions like this are so baited it's not even funny. You will not be

locked out. If, as a Server Admin, you don't know that, you should not

be Administering a server.

- Thee Chicago Wolf

February 5, 2008

Re: Help - administrator locked out!

OK....sorry - incorrect term. Whenever we try to log on using the

administrator account we get a message saying 'the system could not log you

on. Make sure your username and domain are correct and type your password

again. Letters in passwords must be typed using correct case'. This is

happening to ANY account that hadn't changed their password before the expiry

date, INCLUDING the administrator account There is NO OPTION to change the

password, just the message mentioned above.

As mentioned, I was on leave when the first 'you must change your password'

messages started coming up, and when I returned from leave I faced the

situation I have mentioned. Now I was not actually on this site at any time

during the 6 weeks I was off (would kind of be against the point of a

holiday, wouldn't it?), so I was unable to see EVERY button EVERY user

pressed, so all I can do is assume they are telling me the truth when they

say no-one changed the administrator password. I know no-one would have

changed the password on my account on that domain, but I get the same error

when trying to log on.

So, sorry to have caused you so much offence "Thee Chicago Wolf" (is that a

spelling error - should it be 'three' or maybe 'the' - who really cares?). If

I knew all the answers to the questions I need to ask then there would be no

need for places like this, would there? If it is so offensive to to you to

find out that people do not have the same encyclopedic knowledge as you

apparently believe you have, then why bother hanging around here? And you are

absolutely correct about my choice of career - I live in a very small town, I

was hired 10 years ago when Windows 95 and Office 97 are all the rage and we

had 1 server. We now have 20 servers, 6 remote sites about 400 devices on the

network, Office 2003, Exchange Active Directory etc etc. During the time all

these systems have been installed I have received exactly zero training from

my employer......so what do you suggest I do? Spend 8 hours a day at work,

then another 8 at home every night sitting in front of my computer trying to

learn all this stuff? Or maybe I should just resign......there aren't any

more jobs around here, and my kids would starve.....but at least these forums

would be a nicer place for you, wouldn't they?

I am prepared to admit my questions may be a bit silly (although a wise man

once said that the only silly question is the one that isn't asked), but I

thought these forums would be a good place to maybe learn some

stuff.....however I am getting sick of every now and then getting some sort

of a snide response from people such as wolf-thingy. If my questions are too

dumb for you, then don't answer them. Your contribution, wolf-thing, was

absolutely pointless.

"Thee Chicago Wolf" wrote:

> >I have just come back from 6 weeks leave. While I was gone, users at one of

> >our remote branches started getting 'must change password in xx days'

> >messages (they have their own 1-server domain running W2K3). Being users, all

> >they did was to note down the message, and then ring the help desk the day

> >AFTER xx days had expired! Now all their passwords have expired (apart from 2

> >users who changed theirs in the required time) and they cannot log onto the

> >domain. The really strange thing is that the passwords for the domain

> >administrator appear to have expired also, as well as the 'back-door' account

> >I set up for myself for just such an occurrence. Their server still runs, and

> >the users all have to log on as 1 of the 2 users who managed to change their

> >passwords, and the enterprise app on their server is still running

> >also........it's just that no-one can now log onto the server console.

> >

> >I am a little concerned as to what is my next move, because if I get it

> >wrong, there may be no way to recover the server......I'm even loathe to

> >reboot it.

> >

> >Anyway......if I start up in safe mode (is that possible on W2K3?) would I

> >then be able to get in to fix up the passwords (or whatever else it is that

> >has gone wrong)?

> >

> >And just by way of interest.....can this actually happen? I mean I am really

> >surprised that the administrator account has been locked out (....I wonder if

> >it has been locked out due to repeated failed logon attempts?).....should

> >this actually happen, or should I start thinking 'virus'?

>

> Questions like this are so baited it's not even funny. You will not be

> locked out. If, as a Server Admin, you don't know that, you should not

> be Administering a server.

>

> - Thee Chicago Wolf

>

February 6, 2008

Re: Help - administrator locked out!

>So, sorry to have caused you so much offence "Thee Chicago Wolf" (is that a

>spelling error - should it be 'three' or maybe 'the' - who really cares?). If

>I knew all the answers to the questions I need to ask then there would be no

>need for places like this, would there? If it is so offensive to to you to

>find out that people do not have the same encyclopedic knowledge as you

>apparently believe you have, then why bother hanging around here? And you are

>absolutely correct about my choice of career - I live in a very small town, I

>was hired 10 years ago when Windows 95 and Office 97 are all the rage and we

>had 1 server. We now have 20 servers, 6 remote sites about 400 devices on the

>network, Office 2003, Exchange Active Directory etc etc. During the time all

>these systems have been installed I have received exactly zero training from

>my employer......so what do you suggest I do? Spend 8 hours a day at work,

>then another 8 at home every night sitting in front of my computer trying to

>learn all this stuff? Or maybe I should just resign......there aren't any

>more jobs around here, and my kids would starve.....but at least these forums

>would be a nicer place for you, wouldn't they?

It's more to do with people coming in to social engineer their way

around Administrative passwords to get into systems they ought not be

getting into than it is anything so no offense taken and sorry if it

was a curt response. It always sets off flags with me when people ask

question in the form that you did so I usually err on the side of some

13 year old trying figure out how to break in to something.

The Administrator account shouldn't have it's password set to expire

for any reason because you can find yourself in this kind of position

when a policy is set to expire and, like you, the Admin goes away for

a period of time and then whammo, you're locked out and can't get back

into your system. Creating a backup account to get in seems to be what

you did in your original post but it didn't help.

I'm not knocking your career choice but it's your practices that got

you into this trouble. You're self taught and haven't had training so

this is a byproduct of perhaps not knowing the "Microsoft way of doing

things" and their best practices. I don't always agree with them but

there they are. If you really want a decent primer on practices and

some decent server 2003 reading, check out Mark Minasi's "Mastering

Windows Server 2003 Upgrade Edition for SP1 and R2." I assume he'll

eventually update it for SP2 but as of recently, that is the current

edition.

I don't know your environment or who you run your shop but delegating

a secondary Administrator to keep an eye on things would have been

prudent. We don't always want to give Joe Blow Admin rights but if you

set up the policy to have password expiry occur at certain lengths of

time, you have only yourself to kick in the butt for that. You live

and you learn but you also have to know your environment and have

secondary support in your absence.

So here's what you can do. Get yourself the Offline NT Password Editor

(google search that phrase). It's an zippped archive containing an ISO

which you burn and then boot from the CD-Rom (look for cd070927.zip

(~3MB)). It's a Linux tool to blank out the Admin password so you can

get back in and, for lack of a better phrase, save your ass.

I'm telling this to help you as you genuinely seem to have this need

but it is a very dangerous tool because of it very nature to let

ANYONE break into a system or lock and Admin OUT of a system they have

physical access to. That's why I prefer to let people learn that hard

way that when you do it to yourself, you've got to suffer the

consequences.

This tool is not a crutch and should only be used for emergencies such

as yours, never to save one's butt from a locked-out account due to a

policy setting. Better Administrative practices will keep that from

happening. Good luck and let me know how it goes.

- Thee Chicago Wolf

February 6, 2008

Re: Help - administrator locked out!

Hi Thee Chicago Wolf,

Firstly - thanks for your measured response - it would have been pretty easy

for you to unload on me (as I did on you), so your restraint is admirable -

thanks for that.

Second - thanks for your extremely helpful response. Looks like that is

probably going to be my only option. Personally I'd rather just leave the

darn thing as it is - the enterprise app on the server (DC) is still running,

the users can still log on (although they have to do it via a shared logon

now), and I really don't want to possibly break things altogether and get

stuck with restores etc etc.

Thirdly - yes, I am self-taught, but only up to a point. I used to be a real

computer head (like about 12-16 hours in front of my PC each day while I was

unemployed). I then started working as system support for Win95 and Office97,

with 1 Novell server. After a couple of years we changed to a whole bunch of

enterprise applications that ran on Windows 2000 server. As I had Windows

2000 on my PC at home, I became designated 'network co-ordinator'....not due

to any skills or anything - just because I had Win2K on my PC at home. That

was OK at first - I'd do my 8 hours at work, go home, sit in front of my PC

until after midnight and try to learn stuff. Eventually I got my MCP on Win2K

and Server. Then I had kids...........no longer could I spend 8 hours at home

on my PC every night. The other problem I faced is that we have people come

in and do all our network and software installing and setup. Once they have

everything in, they give us a bill and leave. They are not contracted to

provide ongoing support or operational asistance or anything like that - they

just install stuff and leave it to us. We get no training or anything like

that, we have no test lab. So suddenly we are running Windows 2003, Exchange

2003 and ISA 2006 and SQL Server and various other heavy duty apps. All

things that I haven't used previously - all things that the only 'practice

lab' I have is live production servers, and people expect me to know what is

going on and how to solve problems. I do the best I can using Google and

newsgroups, but it's a struggle. Such a struggle, in fact, that I'd really

rather not be doing it right now (or at anytime into the future, infact).

Most of the time my job involves answering the phone to calls along the lines

of 'my pc doesnt work'. 'Is it plugged in?', 'I dont know', so I have to go

and plug someone's computer in for them. (This isn't an exaggeration - I had

one of these calls yesterday).

I don't pretend that I'm some sort of super administrator or anything. As

you can tell from my previous post, it would be more accurate to describe me

as 'extremely ordinary administrator', or even 'administrator for not much

longer'. I agree it's my practices that have got me into trouble in the first

place......I need to take a long hard look at both them and myself!

Anyway, enough of my troubles. Thanks again for your help. I really do

appreciate your response.

"Thee Chicago Wolf" wrote:

> >So, sorry to have caused you so much offence "Thee Chicago Wolf" (is that a

> >spelling error - should it be 'three' or maybe 'the' - who really cares?). If

> >I knew all the answers to the questions I need to ask then there would be no

> >need for places like this, would there? If it is so offensive to to you to

> >find out that people do not have the same encyclopedic knowledge as you

> >apparently believe you have, then why bother hanging around here? And you are

> >absolutely correct about my choice of career - I live in a very small town, I

> >was hired 10 years ago when Windows 95 and Office 97 are all the rage and we

> >had 1 server. We now have 20 servers, 6 remote sites about 400 devices on the

> >network, Office 2003, Exchange Active Directory etc etc. During the time all

> >these systems have been installed I have received exactly zero training from

> >my employer......so what do you suggest I do? Spend 8 hours a day at work,

> >then another 8 at home every night sitting in front of my computer trying to

> >learn all this stuff? Or maybe I should just resign......there aren't any

> >more jobs around here, and my kids would starve.....but at least these forums

> >would be a nicer place for you, wouldn't they?

>

> It's more to do with people coming in to social engineer their way

> around Administrative passwords to get into systems they ought not be

> getting into than it is anything so no offense taken and sorry if it

> was a curt response. It always sets off flags with me when people ask

> question in the form that you did so I usually err on the side of some

> 13 year old trying figure out how to break in to something.

>

> The Administrator account shouldn't have it's password set to expire

> for any reason because you can find yourself in this kind of position

> when a policy is set to expire and, like you, the Admin goes away for

> a period of time and then whammo, you're locked out and can't get back

> into your system. Creating a backup account to get in seems to be what

> you did in your original post but it didn't help.

>

> I'm not knocking your career choice but it's your practices that got

> you into this trouble. You're self taught and haven't had training so

> this is a byproduct of perhaps not knowing the "Microsoft way of doing

> things" and their best practices. I don't always agree with them but

> there they are. If you really want a decent primer on practices and

> some decent server 2003 reading, check out Mark Minasi's "Mastering

> Windows Server 2003 Upgrade Edition for SP1 and R2." I assume he'll

> eventually update it for SP2 but as of recently, that is the current

> edition.

>

> I don't know your environment or who you run your shop but delegating

> a secondary Administrator to keep an eye on things would have been

> prudent. We don't always want to give Joe Blow Admin rights but if you

> set up the policy to have password expiry occur at certain lengths of

> time, you have only yourself to kick in the butt for that. You live

> and you learn but you also have to know your environment and have

> secondary support in your absence.

>

> So here's what you can do. Get yourself the Offline NT Password Editor

> (google search that phrase). It's an zippped archive containing an ISO

> which you burn and then boot from the CD-Rom (look for cd070927.zip

> (~3MB)). It's a Linux tool to blank out the Admin password so you can

> get back in and, for lack of a better phrase, save your ass.

>

> I'm telling this to help you as you genuinely seem to have this need

> but it is a very dangerous tool because of it very nature to let

> ANYONE break into a system or lock and Admin OUT of a system they have

> physical access to. That's why I prefer to let people learn that hard

> way that when you do it to yourself, you've got to suffer the

> consequences.

>

> This tool is not a crutch and should only be used for emergencies such

> as yours, never to save one's butt from a locked-out account due to a

> policy setting. Better Administrative practices will keep that from

> happening. Good luck and let me know how it goes.

>

> - Thee Chicago Wolf

>

February 6, 2008

Re: Help - administrator locked out!

1 more question (showing my ignorance here)....I know when a machine is made

a DC the local administrator account 'goes away'. When you boot into safe

mode, that account is available again, isn't it? If this is the case, I am

pretty sure I should be able to remember the local admin password.

Also, I didn't actually create any password policies or anything like that.

It's just a bog standard W2K3 DC installation. I read somewhere else that

normal password policies/restrictions do not apply to administrator accounts,

but even if they did, shouldn't all the users, as well as the administrator

still be getting the option to change the password, rather than just a

'username/domain is incorrect message'?