Guest Ageing Brilliantine Stick Insect
Posted February 5, 2008

I have just come back from 6 weeks leave. While I was gone, users at one of our remote branches started getting 'must change password in xx days' messages (they have their own 1-server domain running W2K3). Being users, all they did was to note down the message, and then ring the help desk the day AFTER xx days had expired! Now all their passwords have expired (apart from 2 users who changed theirs in the required time) and they cannot log onto the domain. The really strange thing is that the passwords for the domain administrator appear to have expired also, as well as the 'back-door' account I set up for myself for just such an occurrence. Their server still runs, and the users all have to log on as 1 of the 2 users who managed to change their passwords, and the enterprise app on their server is still running also........it's just that no-one can now log onto the server console.

I am a little concerned as to what is my next move, because if I get it wrong, there may be no way to recover the server......I'm even loath to reboot it.

Anyway......if I start up in safe mode (is that possible on W2K3?) would I then be able to get in to fix up the passwords (or whatever else it is that has gone wrong)?

And just by way of interest.....can this actually happen? I mean I am really surprised that the administrator account has been locked out (....I wonder if it has been locked out due to repeated failed logon attempts?).....should this actually happen, or should I start thinking 'virus'?

Guest Pegasus (MVP)
Posted February 5, 2008
Re: Help - administrator locked out!

Mmh. In my experience, when a password has expired then the user MUST enter a new password to log on. He is not locked out, as long as he knows the expired password.

Guest Thee Chicago Wolf
Posted February 5, 2008
Re: Help - administrator locked out!

Questions like this are so baited it's not even funny. You will not be locked out. If, as a Server Admin, you don't know that, you should not be Administering a server.

- Thee Chicago Wolf

Guest Ageing Brilliantine Stick Insect
Posted February 5, 2008
Re: Help - administrator locked out!

OK....sorry - incorrect term. Whenever we try to log on using the administrator account we get a message saying 'the system could not log you on. Make sure your username and domain are correct and type your password again. Letters in passwords must be typed using correct case'. This is happening to ANY account that hadn't changed their password before the expiry date, INCLUDING the administrator account. There is NO OPTION to change the password, just the message mentioned above.

As mentioned, I was on leave when the first 'you must change your password' messages started coming up, and when I returned from leave I faced the situation I have mentioned. Now I was not actually on this site at any time during the 6 weeks I was off (would kind of be against the point of a holiday, wouldn't it?), so I was unable to see EVERY button EVERY user pressed, so all I can do is assume they are telling me the truth when they say no-one changed the administrator password. I know no-one would have changed the password on my account on that domain, but I get the same error when trying to log on.

So, sorry to have caused you so much offence "Thee Chicago Wolf" (is that a spelling error - should it be 'three' or maybe 'the' - who really cares?). If I knew all the answers to the questions I need to ask then there would be no need for places like this, would there? If it is so offensive to you to find out that people do not have the same encyclopedic knowledge as you apparently believe you have, then why bother hanging around here? And you are absolutely correct about my choice of career - I live in a very small town, I was hired 10 years ago when Windows 95 and Office 97 are all the rage and we had 1 server. We now have 20 servers, 6 remote sites, about 400 devices on the network, Office 2003, Exchange Active Directory etc etc. During the time all these systems have been installed I have received exactly zero training from my employer......so what do you suggest I do? Spend 8 hours a day at work, then another 8 at home every night sitting in front of my computer trying to learn all this stuff? Or maybe I should just resign......there aren't any more jobs around here, and my kids would starve.....but at least these forums would be a nicer place for you, wouldn't they?

I am prepared to admit my questions may be a bit silly (although a wise man once said that the only silly question is the one that isn't asked), but I thought these forums would be a good place to maybe learn some stuff.....however I am getting sick of every now and then getting some sort of a snide response from people such as wolf-thingy. If my questions are too dumb for you, then don't answer them. Your contribution, wolf-thing, was absolutely pointless.

Guest Thee Chicago Wolf
Posted February 6, 2008
Re: Help - administrator locked out!

>So, sorry to have caused you so much offence "Thee Chicago Wolf" (is that a
>spelling error - should it be 'three' or maybe 'the' - who really cares?). If
>I knew all the answers to the questions I need to ask then there would be no
>need for places like this, would there? If it is so offensive to you to
>find out that people do not have the same encyclopedic knowledge as you
>apparently believe you have, then why bother hanging around here? And you are
>absolutely correct about my choice of career - I live in a very small town, I
>was hired 10 years ago when Windows 95 and Office 97 are all the rage and we
>had 1 server. We now have 20 servers, 6 remote sites, about 400 devices on the
>network, Office 2003, Exchange Active Directory etc etc. During the time all
>these systems have been installed I have received exactly zero training from
>my employer......so what do you suggest I do? Spend 8 hours a day at work,
>then another 8 at home every night sitting in front of my computer trying to
>learn all this stuff? Or maybe I should just resign......there aren't any
>more jobs around here, and my kids would starve.....but at least these forums
>would be a nicer place for you, wouldn't they?

It's more to do with people coming in to social engineer their way around Administrative passwords to get into systems they ought not be getting into than it is anything so no offense taken and sorry if it was a curt response. It always sets off flags with me when people ask questions in the form that you did so I usually err on the side of some 13 year old trying to figure out how to break in to something.

The Administrator account shouldn't have its password set to expire for any reason because you can find yourself in this kind of position when a policy is set to expire and, like you, the Admin goes away for a period of time and then whammo, you're locked out and can't get back into your system. Creating a backup account to get in seems to be what you did in your original post but it didn't help.

I'm not knocking your career choice but it's your practices that got you into this trouble. You're self taught and haven't had training so this is a byproduct of perhaps not knowing the "Microsoft way of doing things" and their best practices. I don't always agree with them but there they are. If you really want a decent primer on practices and some decent server 2003 reading, check out Mark Minasi's "Mastering Windows Server 2003 Upgrade Edition for SP1 and R2." I assume he'll eventually update it for SP2 but as of recently, that is the current edition.

I don't know your environment or how you run your shop but delegating a secondary Administrator to keep an eye on things would have been prudent. We don't always want to give Joe Blow Admin rights but if you set up the policy to have password expiry occur at certain lengths of time, you have only yourself to kick in the butt for that. You live and you learn but you also have to know your environment and have secondary support in your absence.

So here's what you can do. Get yourself the Offline NT Password Editor (google search that phrase). It's a zipped archive containing an ISO which you burn and then boot from the CD-ROM (look for cd070927.zip (~3MB)). It's a Linux tool to blank out the Admin password so you can get back in and, for lack of a better phrase, save your ass.

I'm telling this to help you as you genuinely seem to have this need but it is a very dangerous tool because of its very nature to let ANYONE break into a system or lock an Admin OUT of a system they have physical access to. That's why I prefer to let people learn the hard way that when you do it to yourself, you've got to suffer the consequences.

This tool is not a crutch and should only be used for emergencies such as yours, never to save one's butt from a locked-out account due to a policy setting. Better Administrative practices will keep that from happening. Good luck and let me know how it goes.

- Thee Chicago Wolf
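
The thread so far turns on two things: whether an account is expired or locked out, and privileged accounts ageing out while nobody is watching. The following is an added example, not code from any poster, showing how those states can be told apart from the directory attributes pwdLastSet, lockoutTime, userAccountControl and adminCount; the account records, the 42-day maximum age, the 30-minute lockout duration and the 14-day warning window are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Active Directory values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ticks):
    """pwdLastSet and lockoutTime hold 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the sample records."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def classify(acct, max_pwd_age, lockout_duration, now, warn=timedelta(days=14)):
    """Return the reasons a logon fails or will soon fail, or ['ok'].

    max_pwd_age: timedelta, or None if passwords never expire.
    lockout_duration: timedelta, or None if only an administrator can unlock.
    """
    states = []
    uac = acct["userAccountControl"]
    if uac & UAC_ACCOUNTDISABLE:
        states.append("disabled")

    # Lockout is tracked separately from password age: lockoutTime becomes
    # non-zero once the bad-password threshold has been reached.
    lock = acct.get("lockoutTime", 0)
    if lock and (lockout_duration is None
                 or now < filetime_to_dt(lock) + lockout_duration):
        states.append("locked_out")

    # Expiry only applies when the "password never expires" flag is clear.
    if not uac & UAC_DONT_EXPIRE_PASSWORD:
        if acct["pwdLastSet"] == 0:
            states.append("must_change_at_next_logon")
        elif max_pwd_age is not None:
            expires = filetime_to_dt(acct["pwdLastSet"]) + max_pwd_age
            if expires <= now:
                states.append("password_expired")
            elif expires - now <= warn:
                states.append("expires_soon")
    return states or ["ok"]


def privileged_at_risk(accounts, **policy):
    """Names of adminCount=1 accounts whose state is anything but 'ok'."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a.get("adminCount") == 1 and classify(a, **policy) != ["ok"])


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def sample_record(name, pwd_set, uac=UAC_NORMAL_ACCOUNT, admin=0, locked=None):
    """Build one constructed account record (not real directory data)."""
    return {
        "sAMAccountName": name,
        "userAccountControl": uac,
        "adminCount": admin,
        "pwdLastSet": dt_to_filetime(pwd_set) if pwd_set else 0,
        "lockoutTime": dt_to_filetime(locked) if locked else 0,
    }


# Constructed scenario: evaluated on 5 February 2008 with a 42-day maximum age.
NOW = utc(2008, 2, 5)
POLICY = {"max_pwd_age": timedelta(days=42),
          "lockout_duration": timedelta(minutes=30), "now": NOW}
SAMPLE = [
    sample_record("Administrator", utc(2007, 8, 1), admin=1),
    # "recovery-admin" is a hypothetical break-glass account name.
    sample_record("recovery-admin", utc(2007, 8, 1), admin=1,
                  uac=UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD),
    sample_record("alice", utc(2008, 1, 20)),
    sample_record("bob", utc(2007, 12, 30)),
    sample_record("carol", utc(2008, 1, 20), locked=NOW - timedelta(minutes=10)),
    sample_record("dave", None),
    sample_record("erin", utc(2008, 1, 20),
                  uac=UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f'{rec["sAMAccountName"]:15} {", ".join(classify(rec, **POLICY))}')
    print("privileged accounts needing attention:",
          privileged_at_risk(SAMPLE, **POLICY))
```

Run on a schedule against an export of the real attributes, a report like this surfaces an expiring administrative account while someone can still act on it.
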

Guest Ageing Brilliantine Stick Insect
Posted February 6, 2008
Re: Help - administrator locked out!

Hi Thee Chicago Wolf,

Firstly - thanks for your measured response - it would have been pretty easy for you to unload on me (as I did on you), so your restraint is admirable - thanks for that.

Second - thanks for your extremely helpful response. Looks like that is probably going to be my only option. Personally I'd rather just leave the darn thing as it is - the enterprise app on the server (DC) is still running, the users can still log on (although they have to do it via a shared logon now), and I really don't want to possibly break things altogether and get stuck with restores etc etc.

Thirdly - yes, I am self-taught, but only up to a point. I used to be a real computer head (like about 12-16 hours in front of my PC each day while I was unemployed). I then started working as system support for Win95 and Office97, with 1 Novell server. After a couple of years we changed to a whole bunch of enterprise applications that ran on Windows 2000 server. As I had Windows 2000 on my PC at home, I became designated 'network co-ordinator'....not due to any skills or anything - just because I had Win2K on my PC at home. That was OK at first - I'd do my 8 hours at work, go home, sit in front of my PC until after midnight and try to learn stuff. Eventually I got my MCP on Win2K and Server. Then I had kids...........no longer could I spend 8 hours at home on my PC every night. The other problem I faced is that we have people come in and do all our network and software installing and setup. Once they have everything in, they give us a bill and leave. They are not contracted to provide ongoing support or operational assistance or anything like that - they just install stuff and leave it to us. We get no training or anything like that, we have no test lab. So suddenly we are running Windows 2003, Exchange 2003 and ISA 2006 and SQL Server and various other heavy duty apps. All things that I haven't used previously - all things that the only 'practice lab' I have is live production servers, and people expect me to know what is going on and how to solve problems. I do the best I can using Google and newsgroups, but it's a struggle. Such a struggle, in fact, that I'd really rather not be doing it right now (or at anytime into the future, in fact). Most of the time my job involves answering the phone to calls along the lines of 'my pc doesn't work'. 'Is it plugged in?', 'I don't know', so I have to go and plug someone's computer in for them. (This isn't an exaggeration - I had one of these calls yesterday).

I don't pretend that I'm some sort of super administrator or anything. As you can tell from my previous post, it would be more accurate to describe me as 'extremely ordinary administrator', or even 'administrator for not much longer'. I agree it's my practices that have got me into trouble in the first place......I need to take a long hard look at both them and myself!

Anyway, enough of my troubles. Thanks again for your help. I really do appreciate your response.

Guest Ageing Brilliantine Stick Insect
Posted February 6, 2008
Re: Help - administrator locked out!

1 more question (showing my ignorance here)....I know when a machine is made a DC the local administrator account 'goes away'. When you boot into safe mode, that account is available again, isn't it? If this is the case, I am pretty sure I should be able to remember the local admin password.

Also, I didn't actually create any password policies or anything like that. It's just a bog standard W2K3 DC installation. I read somewhere else that normal password policies/restrictions do not apply to administrator accounts, but even if they did, shouldn't all the users, as well as the administrator, still be getting the option to change the password, rather than just a 'username/domain is incorrect' message?

Guest Thee Chicago Wolf
Posted February 7, 2008
Re: Help - administrator locked out!

>Firstly - thanks for your measured response - it would have been pretty easy
>for you to unload on me (as I did on you), so your restraint is admirable -
>thanks for that.
>
>Second - thanks for your extremely helpful response. Looks like that is
>probably going to be my only option. Personally I'd rather just leave the
>darn thing as it is - the enterprise app on the server (DC) is still running,
>the users can still log on (although they have to do it via a shared logon
>now), and I really don't want to possibly break things altogether and get
>stuck with restores etc etc.

No worries. You'll likely have to deal with it at some point soon or make a down-time maintenance day of it. Some day if there's ever a power outage and your UPS runs out of juice and the server reboots anyway, you'll be in an even worse position because now you'll be scrambling to remember what happened when this situation originally happened.

>Thirdly - yes, I am self-taught, but only up to a point. I used to be a real
>computer head (like about 12-16 hours in front of my PC each day while I was
>unemployed). I then started working as system support for Win95 and Office97,
>with 1 Novell server. After a couple of years we changed to a whole bunch of
>enterprise applications that ran on Windows 2000 server. As I had Windows
>2000 on my PC at home, I became designated 'network co-ordinator'....not due
>to any skills or anything - just because I had Win2K on my PC at home. That
>was OK at first - I'd do my 8 hours at work, go home, sit in front of my PC
>until after midnight and try to learn stuff. Eventually I got my MCP on Win2K
>and Server. Then I had kids...........no longer could I spend 8 hours at home
>on my PC every night. The other problem I faced is that we have people come
>in and do all our network and software installing and setup. Once they have
>everything in, they give us a bill and leave. They are not contracted to
>provide ongoing support or operational assistance or anything like that - they
>just install stuff and leave it to us. We get no training or anything like
>that, we have no test lab. So suddenly we are running Windows 2003, Exchange
>2003 and ISA 2006 and SQL Server and various other heavy duty apps. All
>things that I haven't used previously - all things that the only 'practice
>lab' I have is live production servers, and people expect me to know what is
>going on and how to solve problems. I do the best I can using Google and
>newsgroups, but it's a struggle. Such a struggle, in fact, that I'd really
>rather not be doing it right now (or at anytime into the future, in fact).
>Most of the time my job involves answering the phone to calls along the lines
>of 'my pc doesn't work'. 'Is it plugged in?', 'I don't know', so I have to go
>and plug someone's computer in for them. (This isn't an exaggeration - I had
>one of these calls yesterday).

There's nothing wrong with being self-taught. I am more or less self taught in terms of client side business but Server side, no. While I'm not an MCSE, I don't deal with the Server side of things at my site. I have two I manage but limited in both scope and breadth. Enough to be dangerous but not too much to screw up the whole AD or wreck the other IT department's setup. I've been to a few Server 2003 classes in the past 5 years and had my first encounters with NT back in the 3.51 days. I started in the late 80s on Novell 3.11 and moved up to a mixed Novell 4.x NT 3.51/NT4 (client) environment. I'm actually going for Server 2008 training soon and have been tooling around with the RC builds since last year. I like it a lot more than 2003 Server so far and, surprisingly, it's not a resource hog. I'm now taking a foray into the production Kubuntu Linux world but have been a fan of BSD/Linux since the mid-90s. While it's fun to know a lot about lots of OSes and apps, I like to be a bit more specialized.

I had an "is it plugged in / turned on?" call the other day for one of my side-job customers. We'll always have tech guys for the same reason we'll always have mechanics.

>I don't pretend that I'm some sort of super administrator or anything. As
>you can tell from my previous post, it would be more accurate to describe me
>as 'extremely ordinary administrator', or even 'administrator for not much
>longer'. I agree it's my practices that have got me into trouble in the first
>place......I need to take a long hard look at both them and myself!
>
>Anyway, enough of my troubles. Thanks again for your help. I really do
>appreciate your response.

No problem. Do follow up if possible as I like to hear if my advice or recommendations help out. Cheers.

- Thee Chicago Wolf

Guest Thee Chicago Wolf
Posted February 7, 2008
Re: Help - administrator locked out!

>1 more question (showing my ignorance here)....I know when a machine is made
>a DC the local administrator account 'goes away'. When you boot into safe
>mode, that account is available again, isn't it? If this is the case, I am
>pretty sure I should be able to remember the local admin password.
>
>Also, I didn't actually create any password policies or anything like that.
>It's just a bog standard W2K3 DC installation. I read somewhere else that
>normal password policies/restrictions do not apply to administrator accounts,
>but even if they did, shouldn't all the users, as well as the administrator
>still be getting the option to change the password, rather than just a
>'username/domain is incorrect message'?

I believe it becomes a Domain Admin account but someone who's more intimate with that level of expertise could answer accurately. It is part of the tiered hierarchy that was introduced in 2003 server and, I guess, 2000 server for all intents and purposes. Re-ask this specific question outside this conversation as I'm sure someone will respond quick about it. There's always Google! Cheers.

- Thee Chicago Wolf
Guest Ageing Brilliantine Stick Insect Posted February 7, 2008 Posted February 7, 2008 Re: Help - administrator locked out!

But wait.....there's more! And the reason for my frustrations will become evident.

Just to recap, here's the WHOLE story so far.

6 months ago we decided to install a domain controller and a small domain in one of our remote offices. As I mentioned, we normally have a third party do all our server building etc, but as this was a small network (1 server, 5 users) the job was handed to me. I did a bog-standard install of a Windows 2003 DC, created all the users, put the server in, and tested all the user accounts. It was all going swimmingly. The next step was to hand the machine over to ANOTHER 3rd party. They were going to install an enterprise application on the server, on the workstations and train the staff. They had requested an administrator logon to be able to complete this work. As they would need a fair degree of freedom in setting things up, I gave them a domain admin account. They arrived onsite and spent 4 days doing their thing.

The day after they had finished I got a call from the users at this site telling me this enterprise app was not working. I went to the site. What I discovered was rather dismaying - the third party had told all the users to forget their normal user accounts that they had been using for a couple of weeks, and they were all now to log on using the domain admin account! Not only that, but he had helpfully put a sticky note on each PC with the password! These are PCs that are in easily-accessible public places. One of them is even attached to a cash drawer! Not only did this third party not consider this any sort of security risk, the manager of this site also considered it a fine practice!

So I start investigating why this app wasn't working. It seems the 3rd party had installed the app on the server and 1 PC. He had left no instructions for the people at the site, or for me, so I spent the next hour on the phone finding out how to get this thing working, and then another couple of hours setting up each workstation.

So what does my boss do about this? Maybe not pay their bill? Maybe charge them for the time I spent doing their work? Nope.....nothing.....why should she care - she has a lackey (me) that can waste my time doing that sort of stuff.

Anyway, fast forward about 6 months. I'm on holiday. I get a call from the boss. "What's the password on that server?". I tell her. "OK....see you in 3 weeks". 3 weeks later I get to work. The story I get is this: The users at this remote site began getting 'change your password' messages while I was on leave. All but 2 of the users waited until their password had actually reached expiry before letting us know ('us' being my colleagues who weren't on leave), and even then, rather than just changing their passwords they just rang the help desk to say 'we can't get in. we had been getting messages to change our passwords, but we didn't'. Why they didn't is anyone's guess, but there you go. So the boss tells me that not even the administrator can log on (which is right) and can I research the subject and see if I can fix things. She then went away for 2 days.

So I started investigating. What I found was this - all the accounts apart from 2 could not log on. My colleagues had actually attended the site, but had not been able to fix the problem. My colleagues had also received detailed instructions from our 3rd party network/hardware people as to how to solve this problem (the old boot into DSR mode, install srvany etc etc), but for some reason had not been able to follow these instructions, and also did not feel the need to tell me that they had the info that I had just been told to go and find on the net. Even more frustrating, one of my colleagues apparently had logged on successfully into safe mode (so at least our local admin password still works), but he 'didn't know how he had done it', and 'couldn't remember how to do it again'......but I still hadn't been told this, so at this stage I headed for this forum, and posted my post.

So hopefully Wolf, you can see why my frustration boiled over when I read your response. Not only have I been sold an absolute dump by my colleagues, but now people thought I was some sort of script kiddie! To be quite honest it never occurred to me that my post could be construed in that way.

Anyway, I'll be off to this site today. Hopefully the local admin password still works and I will be able to get things functioning again.......I'll let you know of success or otherwise.
Guest Thee Chicago Wolf Posted February 8, 2008 Posted February 8, 2008 Re: Help - administrator locked out!

Ah yes, 'tis the life of an IT guy. When things are working great, no one praises you. The second something breaks or doesn't work, your ass is in a sling, never mind it's a vendor or 3rd party that's responsible. That's why I hate IT sometimes. No worries on the posting. I guess now you can understand why I reacted the way I did. There's always a bunch of 13 year olds at some grammar school trying to break into the systems of their sysadmins. While a lot of MVPs on this and the XP group are more than happy to give ANYONE the aforementioned tool to break the Admin password and "get them back in" to their locked out system, I don't. Anyone worth their IT mettle knows better. Or at least SHOULD know better. The Offline tool is a real enabling tool so I don't like to be an enabler, you know? There's a reason why people make password disks in case of emergency (break glass, ha ha). I can count on my fingers and toes how many times someone comes in with the "I got this laptop from a friend / family member / garage sale / etc. and I don't know the Admin password, how do I get it or get into the system?" in the XP forum. I always say reformat and set your own password. When a person gets any kind of system, there's no business getting into someone else's stuff. Period. Format and start over like everyone else. It's just a standard practice. Tough luck if you can't get into someone ELSE'S system, you know? Hope the situation improves. Take care.

- Thee Chicago Wolf
Guest Ageing Brilliantine Stick Insect Posted February 14, 2008 Posted February 14, 2008 Re: Help - administrator locked out!

Update - I went to the site today. What I found was that I STILL didn't have the whole story..........(sigh)

It seems that all the users bar 1 changed their passwords in time. That user now keeps getting a 'change password' notification, but they can't change their password because every time they enter their 'old password', it has expired. The administrator account is not getting any password change messages, but none of our usual passwords work, so the administrator just can't log on.

I tried booting into Directory Restore Mode (I had been told by one of my colleagues that he had successfully logged on in safe mode), but the local admin passwords do not work either......

Back to the drawing board!
Guest Ageing Brilliantine Stick Insect Posted March 19, 2008 Posted March 19, 2008 Re: Help - administrator locked out!

Well....finally the issue has been resolved.......but there is still some mystery involved.

Once again I have tried everything in the last week or two, but still could not get into this server. I had my last throw of the dice yesterday, and failed, so I was resigned to having to rebuild the server.

So....I rang Company X - the company that installed and supports the enterprise app that runs on this server. I asked them if they could do their thing remotely when I rebuilt the server and how long it would take. They told me it was a quick process that I could probably do myself. They then inquired as to why I was taking this course of action (bear in mind that Company X had been ringing us up since day 1 of this problem to tell us that they could not log on because their password would not work). I explained to them - accounts can't log on, password reset disks do not work, administrator cannot get into server, therefore rebuild is necessary. They then told me that they would 'have a look to see if we have any articles regarding not being able to log on'. Why they would volunteer this info I don't know - they just sell and support 1 Windows app.

Anyway, 5 minutes later I get a call .........."Stick Insect", they said "your password on that server is XXXXXX", and lo and behold, it was exactly that! So I logged in, and now everything is fine.

I still don't know why the account stopped working, although the (probable) answer is pretty clear. Considering Company X had been unable to log on (just like the administrator) since the beginning, and they had also rung us a couple of times to tell us to notify them when it became possible to log on again, then how were they suddenly able to remotely log on and change the password? It seems that I have been had all along.....someone has changed the password at some stage and forgotten what it was, and then didn't have the gumption to own up to it.

Ah...the joys of IT