
Help! SBS 2003 Login issue after MS updates



After letting the MS critical updates download and install on our Small Business Server 2003, it asked to restart. I restarted the server, and now we can't log in to the server console on our Administrator account. I even tried to remote desktop to the server and received the account / login does not exist or is the wrong password.

Since the client workstations (all XP) could still login to the domain, print, browse the net, get email (Exchange), and access the file shares we could still work. I installed the Admin Pack on one of the XP workstations so I could look at the Active Directory Users and Computers. I connected to the server and could see all my users, except...my Administrator account was not there! Unfortunately I did not have a backup Administrator account (I know bad idea, but it was a small secured network).

So my question is...how do I fix this? I can't re-create an Admin account even though I have access to the Active Directory because I don't have another user that has enough rights to do that.

What are my options? Help! Thanks.



You can try booting the server in AD Restore Safe Mode, and if you can login you can create an account. However, if you truly did delete the only admin account in the AD, and can't get in to restore a backup, you're pretty well hosed.


You can try booting the server in AD Restore Safe Mode, and if you can login you can create an account. However, if you truly did delete the only admin account in the AD, and can't get in to restore a backup, you're pretty well hosed.

I know MS heavily restricted the system account a while back ... but I don't recall exactly when (and viper hasn't mentioned the SP level). (Anyhow...) There used to be an option (exploit) to run something under the system context by using the at command.

Is it possible they could run a user account creation script (using the system account's rights with the at command) to create a user in (at least) the Server Operators group to try and get partial control of the box?

It was a very effective privilege escalation hack back in the 2k days, I just don't recall when it was "fixed" (Eliminated).


I didn't think it was possible to delete the BUILTIN\Administrator account...even if it was renamed?

You can delete the admin account from AD - it's not a local account (DCs don't have local account SAMs).


Thanks for the replies guys. I am nearly positive we had not installed SP1 yet. I thought you couldn't delete the administrator account either but I guess that makes sense it could get deleted from AD. I just don't understand how a windows update would delete it because it happened right after rebooting from the windows update installs.

Any tips on the user elevation scripts?


Thanks for the replies guys. I am nearly positive we had not installed SP1 yet. I thought you couldn't delete the administrator account either but I guess that makes sense it could get deleted from AD. I just don't understand how a windows update would delete it because it happened right after rebooting from the windows update installs.

Any tips on the user elevation scripts?

Things needed:

1. Any account that can initiate a console session on the server.

2. A script that will create a user account and add it to User Group X (Might as well go for broke and try the Domain Admins group). But make sure you give it a complex enough password that it doesn't "trip" over the GP password complexity requirements.

3. A ray of hope that SP1 was not installed :)

A bit of background on what we're attempting:

The AT command is a command-line Task Scheduler that by default runs under the System context and therefore has all the privileges of the System account.

It's been a while since I used this, so some Googling may be in order to get the syntax for the command right, but the object is to use the AT command to set the (user creation) script to run one minute in the future, wait that minute for the script to run, then log off and (hopefully) log back on with the newly created (administrative) user account.

Yes, I am being intentionally sketchy with some of the details ... but I'm trying to give you enough information to get the job done, without completely outlining how to hack a box that some id10t script kiddie might try to misuse. (Not to mention that this has got to be right on the razor edge of the forum rules.)

Good Luck Man!

Stoic Joker


The well-known AT trick doesn't appear to work unless you have Administrator privileges. Log on as a regular or power user, and type at into the command prompt. You get Error: Access Denied. I don't know much about AD or Server 2k3, but if you can log on with an admin account, run this at the command prompt (not the stuff I put in ~comments~)


echo %time% ~This shows the current system time
at ~put in the current time + 1 minute or so here~ /interactive cmd.exe

Now, wait for a minute and the new command window will open. It's running as NT_AUTHORITY\SYSTEM. You can figure out what to do from here - you have a command window running as system. :ph34r:

I dunno, this is odd. Moderators, if this is too detailed and could be exploited, feel free to PM me or delete it. But most script kiddies can't use this to hack a box since this only works from an admin account. I hope this helps. :hello:


I just don't understand how a windows update would delete it because it happened right after rebooting from the windows update installs.

The likelihood that a Windows Update was able to delete something in AD is pretty much nil, but the other part of your statement is where I would start poking around at - the reboot. It's much more likely that something else was done while the box was up that required a reboot (malicious or otherwise), and the reboot after the Windows Updates caused the problem.

As to the problem, I do remember having to do this once, and I remember it working on a 2003 RTM machine (it wasn't SBS, however, so I can't speak to that). The AT trick didn't work, but setting the default screensaver in the registry to cmd.exe instead of logon.scr seems to sound very familiar.


The AT trick didn't work, but setting the default screensaver in the registry to cmd.exe instead of logon.scr seems to sound very familiar.

No dice on that one either (I just tried), permission denied writing to .Default user key. However, I think you are on to something (memory = jogged). If he uses a WindowsPE disk (adding RAID drivers if/as needed) he can gain write access to the file system on C:.

Then rename logon.scr to logon.bak (so it can be put back later), then copy cmd.exe to logon.scr.

Reboot back to the hard drive but don't log in.

Wait 15min (Default SS timeout) and he's got a running with system rights command prompt, that thinks it's a screensaver.

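Added example, not part of the thread and not any poster's code: a triage check for the logon.scr swap described in the post above, run against the System32 directory of an offline or mounted copy of the server's disk. It goes beyond the exact cmd.exe case by also flagging any logon.scr whose PE header is not a GUI-subsystem image; the function names and the `fake_pe` helper (which builds constructed test input) are hypothetical.

```python
import hashlib, struct, sys
from pathlib import Path

SUBSYSTEM = {2: "GUI", 3: "console"}  # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI

def pe_subsystem(data: bytes):
    """Return the PE Subsystem field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # 4-byte signature + 20-byte COFF header, then Subsystem at offset 68
    # of the optional header (same offset for PE32 and PE32+).
    off = e_lfanew + 24 + 68
    if len(data) < off + 2:
        return None
    return struct.unpack_from("<H", data, off)[0]

def check_logon_scr(system32) -> list:
    """Findings for an offline System32 directory (e.g. a mounted image)."""
    d = Path(system32)
    present = {p.name.lower(): p for p in d.iterdir() if p.is_file()}
    findings = []
    scr = present.get("logon.scr")
    if scr is None:
        return ["logon.scr missing"]
    data = scr.read_bytes()
    cmd = present.get("cmd.exe")
    if cmd and hashlib.sha256(data).digest() == hashlib.sha256(cmd.read_bytes()).digest():
        findings.append("logon.scr is byte-identical to cmd.exe")
    sub = pe_subsystem(data)
    if sub != 2:  # a genuine screensaver is a GUI-subsystem executable
        findings.append(f"logon.scr subsystem is {SUBSYSTEM.get(sub, sub)}, expected GUI")
    if "logon.bak" in present:
        findings.append("logon.bak present (renamed original?)")
    return findings

def fake_pe(subsystem: int, pad: bytes = b"") -> bytes:
    """Constructed minimal PE header for demonstration; not a real binary."""
    hdr = bytearray(0x40 + 24 + 70)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24 + 68, subsystem)
    return bytes(hdr) + pad

if __name__ == "__main__":
    for finding in check_logon_scr(sys.argv[1]):
        print(finding)
```

An empty result means none of the three indicators were found; it does not cover the registry route mentioned earlier in the thread (the .Default user key's screensaver setting).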

Crap ... Make that none of the above. I've been trying to hack a copy of Win2000 for an hour with no joy.

I sent viper a PM with a link to a (Um...) "Security" site that had instructions on a known working method of accessing the necessary creds via DSR mode.

I guess we suck at hacking... *Sigh* (lol)
