Charlie. Posted December 13, 2005

Hi,

Last Friday, I started re-installing our whole office network, one machine at a time. After three hard, long days, everything was working fine until this afternoon, when I tried to log in and received an error message stating that my account, the domain administrator, was disabled! (Oh Noes!)

Firstly, let us discuss cause: I suspect that this may have been caused by group policy changes. I cannot think of anything else that would have caused this. Come to think of it, I cannot think of a group policy setting that would have caused this!

Moving on, effect: NO ADMIN ACCESS to the domain controller (there is only one) or any domain settings. No, I had not got around to setting up a secondary admin account. All the users are happily working, I can't get in. (They have been up and running since noon.)

Begging Part: Please help! I don't want to spend three days (and p*** off my users even more) by reinstalling again. I have full access to the box and can use the Directory Service Restore Admin (F8 during boot) to get access to the box. I could also use Knoppix, which has solved problems for me in the past.

Descriptive Bit: My domain controller is Windows 2003 Server, Standard, OEM, SP1. Yes, I use NTFS on my Hardware Raid 1 SCSI drive.

Helpful Bit: I found a document on the internet that described how to change an admin password of a domain admin using a tool called SRVANY.EXE and Directory Restore Mode. I modified this tutorial and managed to use it to set up a new user account in Active Directory using NET USER. The new user account worked as a user account, but, despite my attempts to use the same tutorial's steps and the NET GROUP command, I could not promote the user to a domain admin.

Despairing Section: How can this happen? How can Microsoft take an action that results in every domain admin being disabled? Would Linux EVER do anything that disabled root?

Ponderous Speculation: I wonder if it is possible to demote the box and re-install AD? That would be bad, but not too bad. I wonder if it is possible to roll back group policy to earlier today?

Comic Relief: My lecturer back in 2001 always told me to create a second admin account in case this happened. He was referring to NT4 back then. I never thought it would happen to me.

Thanks for any suggestions or assistance,

Stephen Martindale

RJARRRPCGP Posted December 14, 2005

> Despairing Section: How can this happen? How can Microsoft take an action that results in every domain admin being disabled? Would Linux EVER do anything that disabled root?

I have heard that Linux can do that if you mess up when using the chmod command!

Charlie. Posted December 14, 2005

Hi all, the problem is solved.

I managed to use SRVANY.EXE to run a command line script that used NET USER, NET LOCALGROUP and NET GROUP to set up a backdoor for myself. Anybody who wants the gory details should see the script written in this tutorial: http://www.windowsecurity.com/pages/article.asp?id=1148 (The script is the only part of the tutorial I used.)

My first attempt at this method failed because I made my backdoor user a member of "Administrators" and not "Domain Admins", which I should have used. Newbie mistakes.

I hope this post solves someone else's problems.

DISCLAIMER: By reading this post, you agree to not use this for malicious purposes of any description. Good.

Stephen
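
For defenders, the sequence described in this thread (a new account placed in "Administrators" or "Domain Admins" by a script that runs as a service) shows up as account-management events in the domain controller's Security log. The following is an added example, not part of the original posts: it flags accounts that join a privileged group shortly after creation. The record layout, account names and ten-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Account-management event IDs: Windows Server 2003 / 2008 and later.
CREATED = {624, 4720}                          # user account created
GROUP_ADD = {632, 4728, 636, 4732, 660, 4756}  # member added: global, local, universal
PRIVILEGED = {"administrators", "domain admins", "enterprise admins", "schema admins"}

# Constructed sample events (not taken from the thread); field names are assumptions.
EVENTS = [
    {"time": "2005-12-14 09:01:10", "id": 624, "actor": "DC01$", "target": "helpdesk2", "group": None},
    {"time": "2005-12-14 09:01:11", "id": 636, "actor": "DC01$", "target": "helpdesk2", "group": "Administrators"},
    {"time": "2005-12-14 09:01:12", "id": 632, "actor": "DC01$", "target": "helpdesk2", "group": "Domain Admins"},
    {"time": "2005-12-14 10:30:00", "id": 624, "actor": "hr.admin", "target": "j.smith", "group": None},
    {"time": "2005-12-14 10:31:00", "id": 632, "actor": "hr.admin", "target": "j.smith", "group": "Sales"},
]

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def find_privileged_new_accounts(events, window=timedelta(minutes=10)):
    """Flag accounts added to a privileged group within `window` of creation."""
    created, findings = {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        when = parse_time(ev["time"])
        target = ev["target"].lower()
        if ev["id"] in CREATED:
            created[target] = when
        elif ev["id"] in GROUP_ADD and (ev.get("group") or "").lower() in PRIVILEGED:
            born = created.get(target)
            if born is not None and when - born <= window:
                findings.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "seconds_after_creation": int((when - born).total_seconds()),
                    # Assumption: a script run by a LocalSystem service is logged
                    # with the DC's computer account (name ending in "$") as caller.
                    "by_machine_account": ev["actor"].endswith("$"),
                })
    return findings

if __name__ == "__main__":
    for f in find_privileged_new_accounts(EVENTS):
        print(f)
```

A finding with `by_machine_account` set is the one to review first, since routine account administration is normally performed by a named administrator account.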