The purpose of this post is to highlight another reason we need to keep Domain Controllers physically secure. In fact the principle applies to standard Windows Servers too: the same trick hands out a SYSTEM shell on any Windows server whose disk you can boot and edit.
My home test lab had been powered down for a few months and I’d forgotten my Domain Administrator password. I knew there was a method to log on to a Windows Server without a username and password back in Windows Server 2003, and I thought that surely this wouldn’t still work with Windows Server 2012 R2. To my horror, it still did. Here is how I reset my Domain Administrator account password – scary stuff!
So I’d forgotten my Domain Administrator password. Time to attach the Windows Server 2012 R2 ISO to the VM.
Adjust the boot order to force booting from ISO first.
Boot to DVD/ISO
Restart the VM and boot to the DVD/ISO. Click Next on the first setup screen (language and keyboard selection). On the following screen make sure you select “Repair your computer” rather than “Install now”.
Repair your computer
Then click on “Troubleshoot” followed by “Command Prompt”
You will now be presented with a Command Prompt running inside the recovery environment. Change directory to the System32 folder of the installed Windows, normally c:\Windows\System32. Note that the recovery environment does not always give the installed OS the letter C:, so if c:\Windows does not exist, check d:\ and so on until you find the volume that contains the Windows folder. Then rename the Utilman.exe executable by running the command “ren Utilman.exe Utilman.exe.old”, and put a copy of cmd.exe in its place with the command “copy cmd.exe Utilman.exe”. See below screenshot. Utilman.exe is the Ease of Access helper that the logon screen launches when you click the accessibility icon or press the Windows Key and U; it starts before anyone has authenticated and runs as SYSTEM, which is exactly why replacing it works.
Close the command prompt and restart the machine, this time booting from the hard disk so you land on the regular Windows logon screen. Once the logon screen is presented, press the “Windows Key” and “U”. Much to your horror, a Command Prompt will appear. If you check Task Manager, you will see the Command Prompt (the executable is now called Utilman.exe) running in the SYSTEM context. A Domain Controller has no local user accounts, and SYSTEM on a DC has full access to the Active Directory database, so anything run from this Command Prompt can change any account in the domain, including members of Domain Admins.
To reset the Domain Administrator account password, we simply need to run the “net user Administrator password” command, where password is the new password you want to set. The new value still has to satisfy the domain password policy (length, complexity and history); if it does not, net user refuses it and reports that the password does not meet the policy requirements, so pick something that does.
You can now close the Command Prompt and log onto the domain with the Administrator account and the newly set password. Once you are in, put things back the way they were: delete the copied Utilman.exe and rename Utilman.exe.old back to Utilman.exe, otherwise the SYSTEM shell stays available at the logon screen to anyone who walks up to the console.
I have also seen this work with the Sticky Keys executable (sethc.exe) being replaced instead of Utilman.exe.
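Whether the swap was done with Utilman.exe (Windows Key + U) or sethc.exe (Shift pressed five times at the logon screen), the tell-tale on the live server is the same: a binary in System32 whose contents are really cmd.exe. The script below is an added example, not code from the original post; it walks the accessibility helpers the logon screen can launch as SYSTEM and flags any that has been replaced. The list of binaries is my own assumption about what is worth checking, and it is meant to be run from an elevated PowerShell on the server itself.

```powershell
# Added example (not part of the original post): audit the accessibility helpers
# the logon screen launches as SYSTEM and flag any that have been swapped for
# cmd.exe, as done above with Utilman.exe and as also reported for sethc.exe.
# Run from an elevated PowerShell on the server being checked.
# Assumption: the list of binaries in $targets is mine; extend it as needed.

$system32 = Join-Path $env:SystemRoot 'System32'

# Helpers the logon screen can start before anyone has authenticated.
$targets = 'Utilman.exe', 'sethc.exe', 'osk.exe', 'Narrator.exe',
           'Magnify.exe', 'DisplaySwitch.exe', 'AtBroker.exe'

# Reference hash of the genuine cmd.exe on this machine.
$cmdHash = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

$findings = foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -Path $path)) { continue }

    $file = Get-Item -Path $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    # The PE version resource records what the file was built as; a copy of
    # cmd.exe still says "Cmd.Exe" no matter what it has been renamed to.
    $original = $file.VersionInfo.OriginalFilename
    $sig = Get-AuthenticodeSignature -FilePath $path

    $reasons = @()
    if ($hash -eq $cmdHash)                 { $reasons += 'identical to cmd.exe' }
    if ($original -and $original -ne $name) { $reasons += "OriginalFilename is '$original'" }
    if ($sig.Status -ne 'Valid')            { $reasons += "signature $($sig.Status)" }
    # The rename step described in the post leaves the real binary behind as *.old.
    if (Test-Path -Path "$path.old")        { $reasons += "$name.old present" }

    [pscustomobject]@{
        File     = $name
        SHA256   = $hash
        Original = $original
        Signer   = $sig.SignerCertificate.Subject
        Suspect  = ($reasons.Count -gt 0)
        Reason   = ($reasons -join '; ')
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit code so the check can be scheduled and alerted on.
if ($findings | Where-Object Suspect) { exit 1 } else { exit 0 }
```

Note that the signature column on its own will not catch this trick: the swapped-in file is a genuine, catalog-signed Microsoft cmd.exe, so Get-AuthenticodeSignature reports it as Valid. The comparisons that matter are the hash match against cmd.exe and the OriginalFilename from the version resource, with the leftover .old file as a bonus indicator that someone followed exactly the steps above.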
Once again this highlights why we need to keep our Domain Controllers physically secure. From this demo you can see that anyone with physical access to the server, or to the virtual machine’s console and virtual media as in this lab, can take control of your entire Active Directory domain in a very short amount of time. The edit works because the recovery environment can read and write the system volume freely; a BitLocker-protected system drive, together with a firmware password that locks the boot order, is what stands between a DVD and your domain.