Locked out of all Domain Administrator accounts on Windows Server 2008 R2 DC

djthrive

New Member
Thanks in advance for your time. I have been unsuccessfully trying to backdoor my way back into my domain controller (Win Server 2008 R2), but maybe there's a utility or solution I haven't tried yet. Both my and my backup admin's domain admin accounts are locked out (with no timeout, as this is a hardened/secured system). Some key details: local admin is disabled, there is a third domain admin account that is also disabled, and I do have a standard domain user account on the system as well.

Perhaps there is a utility I can use to simply enable the disabled backup admin account and change its password, or one I can use to promote my user account to an admin account?

I was thinking one of those two options is an easier approach than trying to figure out how to unlock my locked domain admin account? Just desperate for thoughts/opinions here, thanks for any info you can provide.

Neemobeer

Windows Forum Team
Staff member
The local administrator account on the domain controller should have access to unlock accounts. You can use the NT Offline password reset tool on the DC to enable/reset the password, then unlock your domain admin account(s).

djthrive

New Member
The local administrator account on the domain controller should have access to unlock accounts. You can use the NT Offline password reset tool on the DC to enable/reset the password, then unlock your domain admin account(s).
Thanks for the reply. My challenge is that the local admin account is disabled (by design, since this is a secured system). I'm not sure the NT Offline password reset tool will be able to enable the local admin account?

djthrive

New Member
Yes it can.
Any time I've tried to access the NT Offline password changer (from Hiren's or other boot CDs), I get a "Kernel panic" error and it won't start. Do you know another way to get into this utility, or how to fix the kernel panic error? I don't know of a way to access this from the DC.

djthrive

New Member
Update/new challenge (and I appreciate you taking the time to read this). Long story short: I was able to bring up the command prompt at the Ease of Access button (described here: https://www.howtogeek.com/106333/how-to-reset-your-forgotten-domain-admin-password-on-server-2008-r2/), and unlocked the accounts using this command: "net user username /domain /active:yes"


BUT, when I attempt a login on the DC with my domain admin account, I now get the error: "The security database on the server does not have a computer account for this workstation trust relationship"


When I attempt a login from a workstation with the same account (after a reboot), I get the error: "The username or password is correct". When I attempt a login with the newly unlocked user account (which hasn't previously logged into this workstation), I get the error: "There are no logon servers available to service this request"


I know I fudged up Active Directory when I tried to do a "Repair" on the NTDS database using that PC Unlocker utility, because it never completed, so I had to hard power down the DC, and then I couldn't even log in with my standard domain user account (the error was "The security database on the server does not have a computer account for this workstation trust relationship"). I still have access to this command window, but now have to start looking at what I can do to repair NTDS/Active Directory.
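An added example, not code posted in this thread, of what to run from the SYSTEM-context command prompt obtained at the logon screen (type "powershell" in that window). It assumes the Active Directory module and the "Active Directory Web Services" service are available on the 2008 R2 DC; the account names are placeholders. It separates the two states the thread runs together: "net user X /domain /active:yes" only re-enables a disabled account, while a locked-out account is cleared by Unlock-ADAccount (or by writing 0 to lockoutTime), and the last lines pull the Directory Service event log and dcdiag output before any further NTDS repair is attempted. If the Ease of Access prompt was obtained with the usual utilman.exe swap, restore the original binary afterward, since that swap is itself an unauthenticated SYSTEM shell at the logon screen.

```powershell
# Added example for this thread; not the poster's or the forum's own code.
# Run from the SYSTEM cmd prompt at the logon screen after typing "powershell".
# Account names below are placeholders; replace them with your own sAMAccountNames.
Import-Module ActiveDirectory -ErrorAction Stop   # needs the AD Web Services service running on the DC

$Accounts = 'djadmin', 'backupadmin'   # placeholder domain admin sAMAccountNames

function Show-AccountState {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # Enabled and LockedOut are independent flags: "/active:yes" only flips Enabled
        Get-ADUser -Identity $n -Properties Enabled, LockedOut, lockoutTime, PasswordExpired |
            Select-Object SamAccountName, Enabled, LockedOut, lockoutTime, PasswordExpired
    }
}

function Restore-AdminAccount {
    param([string]$Name, [System.Security.SecureString]$NewPassword)
    $u = Get-ADUser -Identity $Name -Properties Enabled, LockedOut
    if (-not $u.Enabled) { Enable-ADAccount -Identity $Name }   # same effect as "net user X /domain /active:yes"
    if ($u.LockedOut)    { Unlock-ADAccount -Identity $Name }   # clears lockoutTime; net user has no switch for this
    if ($NewPassword)    { Set-ADAccountPassword -Identity $Name -Reset -NewPassword $NewPassword }
}

# Fallback if ADWS is down and the AD module will not load: clear lockoutTime through ADSI instead
function Unlock-ViaAdsi {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher "(sAMAccountName=$SamAccountName)"
    $entry = $searcher.FindOne().GetDirectoryEntry()
    $entry.Put('lockoutTime', 0)   # a lockoutTime of 0 is how the directory represents "not locked out"
    $entry.SetInfo()
}

Show-AccountState -Names $Accounts
Restore-AdminAccount -Name $Accounts[0] -NewPassword (Read-Host -AsSecureString 'New password for first account')
Show-AccountState -Names $Accounts

# After a hard power-off during an NTDS "repair", read what the DC itself logged before touching the database again
Get-WinEvent -LogName 'Directory Service' -MaxEvents 100 | Where-Object { $_.Level -le 2 } |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
dcdiag /q
```

Note that the "no computer account for this workstation trust relationship" and "no logon servers available" errors point at the DC's directory service or its own machine account, not at the user accounts, so check the Directory Service log and dcdiag output first; enabling or unlocking more accounts will not change those results.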