
List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set to read-only, so to contribute you will need to join our list community. See more info about this here.


When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.


Subject: [ActiveDir] lock out of the AD

aranda_a, 01/08/2009 5:06 PM

I inadvertently disabled the only AD administrator account that I have the password to. Is there a way to re-enable it?


Gil, 01/08/2009 5:08 PM

What version of Windows on the DC?


aranda_a, 01/08/2009 5:12 PM

2k3 enterprise


Gil, 01/08/2009 5:18 PM

Is there an account you can use to log into the DC, e.g. a backup operator or some such? If so, you can run the AT command to run ADUC under the local system account.


aranda_a, 01/08/2009 5:29 PM

Isn't the local system account local and thus not able to run the ADUC? Can you send me the syntax command for AT?





CrawfordS, 01/08/2009 5:33 PM

DCs don't use the local SAM.

The command you want is:

At hh:mm /interactive cmd

That will give you a cmd session from which to launch anything you want, including aduc.msc. hh:mm needs to be in 24 hour format.





NilsK, 01/08/2009 5:37 PM

That would imply that the locked account was not the only AD admin that he had the password for but there was still the DSRM admin account accessible to him. Well, maybe.


Paul Bergson (ALLETE) wrote:
>
> Could do an authoritative restore on that account.
>
> Thanks
>
> Paul

--
www.kaczenski.de <http://www.kaczenski.de>
MVP Windows Server: Directory Services
Auf nach Cappuccino: my wife's new book!
<http://www.stephanie-schneider.de/die-buecher/auf-nach-cappuccino/>
www.faq-o-matic.net <http://www.faq-o-matic.net>: the technical community
MVP profile: https://mvp.support.microsoft.com/profile/Nils.Kaczenski

NilsK, 01/08/2009 5:51 PM

AFAIR the Local System account on a DC has full privilege on AD as it is a DC-local resource. The same is true of the local Administrators group. So I'd give it a try.



aranda_a, 01/08/2009 5:53 PM

We don't have any account that can log on to the DC servers other than the administrator, which is disabled.





Gil, 01/08/2009 5:59 PM

DOH!

If you have the DSRM credentials, you could auth restore the account from a backup.


colemancraig1, 01/08/2009 6:01 PM

Do you have the Directory Services Restore Mode user and password?

If you can log in then you could schedule a task/script or a RunOnce to re-enable the account once you reboot.

I.e., "dsmod user <dn> -disabled no"


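The two recovery steps proposed in this thread, Scott Crawford's "at hh:mm /interactive cmd" to obtain a shell running as SYSTEM on the DC, and Coleman Craig's dsmod call to clear the disabled flag, combine into the procedure below. This is an added example written for this archive; it is not code from any poster. It assumes Windows PowerShell is installed on the 2003 DC (if not, run "dsmod user <dn> -disabled no" from the same SYSTEM window instead), that the scheduled time and the distinguished name are adjusted to the environment, and that the script is launched from the cmd window the at job opens. The caveat behind Nils Kaczenski's reply deserves stating outright: because SYSTEM on a domain controller is trusted by the directory, any principal who can log on to a DC and schedule a job (Backup Operators and Server Operators included) can do exactly this, so membership in those groups on a DC is Domain Admin-equivalent.

```powershell
# Added example for this archive, not code from the thread.
#
# Step 1, typed in cmd on the DC as any user allowed to schedule jobs
# (for example a member of Backup Operators). The time is an assumption:
# pick one a minute or two ahead, 24-hour clock.
#
#   at 17:35 /interactive cmd.exe
#
# At that time a cmd window opens on the console running as
# NT AUTHORITY\SYSTEM (confirm with: whoami). Step 2, from that window:
#
#   powershell.exe -File Enable-LockedAdmin.ps1
#
# (the script name is an assumption) with the contents below.

# Distinguished name of the account to recover. Assumption: adjust to your domain.
$dn = 'CN=Administrator,CN=Users,DC=corp,DC=example'

# ACCOUNTDISABLE bit of userAccountControl (documented value 0x2).
$ACCOUNTDISABLE = 0x2

# Bind with ADSI; this needs no Active Directory module, which matters on 2003.
$user = [ADSI]"LDAP://$dn"
$uac  = [int]$user.userAccountControl.Value
$disabled = ($uac -band $ACCOUNTDISABLE) -ne 0
Write-Host ("Before: userAccountControl=0x{0:X} disabled={1}" -f $uac, $disabled)

if ($disabled) {
    # Clear only the ACCOUNTDISABLE bit; every other flag stays as it was.
    $user.Put('userAccountControl', ($uac -band (-bnot $ACCOUNTDISABLE)))
    $user.SetInfo()
}

# Re-read the object from the directory to prove the write was committed.
$user.GetInfo()
$after = [int]$user.userAccountControl.Value
if (($after -band $ACCOUNTDISABLE) -ne 0) {
    throw ("Account is still disabled (userAccountControl=0x{0:X})" -f $after)
}
Write-Host ("After:  userAccountControl=0x{0:X} disabled=False" -f $after)
```

Once the account is enabled, log on with it normally, remove any leftover job with "at /delete /yes", and record the DSRM password somewhere the on-call engineer can reach it, since DSRM is the fallback every later reply in this thread depends on.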

aranda_a, 01/08/2009 6:09 PM

We don't have that capability. Is there any other way?







colemancraig1, 01/08/2009 6:17 PM

Ouch.

Not unless you have another DA or Admin account, or an account that can launch a scheduled task as SYSTEM on a DC.

As per the other user's suggestion of doing an Authoritative Restore, you will need the DSRM user and pwd.

I don't suppose this is a child domain and you can contact your EA....



Gil, 01/08/2009 6:21 PM

Is there a scheme where you can mount the drive in a different box and run l0phtcrack (or equiv) to find the DSRM password? I thought I heard about someone doing that once.

But really, if you don't have a way to restore your DC from backup, you shot yourself in the foot a long time ago. :(

-g


michael1, 01/08/2009 6:26 PM

You can run the pnordahl tool (google it) to reset the dsrm password to null. That's the way I would go at this point.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php





colemancraig1, 01/08/2009 6:28 PM

I am not trying to pile on but we don't disable our domain built-in Administrator account. We just limit him to a local logon (DCs are locked in the datacenter) and require a two-factor auth.


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 08, 2009 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lock out of the AD

Is there a scheme where you can mount the drive in a different box and run l0phtcrack (or equiv) to find the DSRM password? I thought I heard about someone doing that once.

But really, if you don't have a way to restore your DC from backup, you shot yourself in the foot a long time ago. :(

-g

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Antonio Aranda
Sent: Thursday, January 08, 2009 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lock out of the AD

We don't have that capability. Is there any other way?


________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Craig, Coleman
Sent: Thursday, January 08, 2009 4:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lock out of the AD

Do you have the Directory Services Restore Mode user and password?

If you can log in then you could schedule a task\script or a runonce to re-enable the account once you reboot.

I.e.... "dsmod user <dn> -disabled no"


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Antonio Aranda
Sent: Thursday, January 08, 2009 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lock out of the AD

We don't have any account that can logon to the DC servers other than the administrator which is disabled.

GilUser is Offline

Posts:315

01/08/2009 6:32 PM  
Note the "inadvertently" in the OP. I'm guessing it's a small 1-2 DC shop with no real AD management.


dgavrilovUser is Offline

Posts:59

01/08/2009 6:40 PM  
You should pursue the "at" approach. You need to run a script as LocalSystem (which has full control over BuiltinAdmins group) and add some other user there. Something simple like "net localgroup /add" should do I think. I wonder if there's a way to do this via remote WMI somehow...

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Craig, Coleman
Sent: Thursday, January 08, 2009 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lock out of the AD

Ouch.

Not unless you have another DA or Admin account, or an account that can launch a scheduled task as SYSTEM on a DC.

As per the other user's suggestion of doing an Authoritative Restore you will need the DSRM user and pwd.

I don't suppose this is a child domain and you can contact your EA....



NilsKUser is Offline

Posts:105

01/08/2009 6:54 PM  
He can't do that, as he does not have an account that can log on locally
(as he replied).
Remote WMI could be possible, but it would require an administrative
account ...

We can turn it around and around; you do need an admin account or at
least one that can log on locally. (BTW, wasn't there a change in some SP
that prevented non-admin users from defining Local System tasks, screen
savers and the like?)



--
www.kaczenski.de <http://www.kaczenski.de>
MVP Windows Server: Directory Services
Auf nach Cappuccino: Das neue Buch meiner Frau!
<http://www.stephanie-schneider.de/die-buecher/auf-nach-cappuccino/>
www.faq-o-matic.net <http://www.faq-o-matic.net>: Die technische Community
MVP-Profil: https://mvp.support.microsoft.com/profile/Nils.Kaczenski

michael1User is Offline

Posts:438

01/08/2009 6:56 PM  
Group management via WMI, sure - with proper credentials.



But I sure as H@#% hope there is no way to do this remotely without
credentials!



Regards,



Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php





Copyright 2012 ActiveDir.org