Resetting domain admin password
I had an old Exchange 2010 lab environment which I needed to use to test some TLS settings. I booted it up, typed my password and bam... not accepted.
I tried a few variations of the password and nothing! Scratching my head and a Google search later, I came across this
This blog post describes how you can boot the DC from the Windows ISO, open a command prompt, and replace utilman.exe with cmd.exe. Boot up the DC again and then click the Accessibility option on the login screen.
Instead of launching utilman.exe it launches cmd.exe. More crucially, it does this under the SYSTEM context, so you effectively have access to the whole machine. A net user command later and the admin password is reset.
It worked perfectly, but it is rather unsettling. If this were being used as a mechanism to attack your network, you can protect yourself in a few ways:
- Alert if machines are rebooted. Clearly DCs shouldn't be rebooted unless there are planned updates or similar. This will not stop the attack, but it will tell you that something is fishy.
- Restrict physical access - easier said than done, especially if VMs are involved. I did this whilst remotely connected to my home lab miles away!
- Encrypt the local drives - this will stop someone from seeing the local file system after booting from a mounted ISO.
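As an added example (not part of the original post), here is a PowerShell check a defender could run on a DC to detect the utilman.exe swap described above and to list recent reboots, which is the first mitigation in the list. It assumes Windows PowerShell 5.1 or later run as an administrator, the default %SystemRoot%, and an English System event log.

```powershell
# Added example, not from the original post. Assumes an elevated Windows PowerShell
# 5.1+ session, the default %SystemRoot%, and an English System event log.
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Has utilman.exe been replaced with a copy of cmd.exe?
$utilman = Get-Item (Join-Path $sys32 'utilman.exe')
$cmd     = Get-Item (Join-Path $sys32 'cmd.exe')

$utilHash = (Get-FileHash $utilman.FullName -Algorithm SHA256).Hash
$cmdHash  = (Get-FileHash $cmd.FullName     -Algorithm SHA256).Hash
if ($utilHash -eq $cmdHash) {
    $findings += "utilman.exe is byte-identical to cmd.exe (SHA256 $utilHash)"
}

# A genuine utilman.exe names itself in its version resource; a renamed cmd.exe
# still reports cmd.exe's original file name.
$orig = $utilman.VersionInfo.OriginalFilename
if ($orig -and $orig -notmatch '^utilman\.exe$') {
    $findings += "utilman.exe reports OriginalFilename '$orig'"
}

# cmd.exe is itself Microsoft-signed (catalog-signed), so a renamed copy can still
# show a valid signature. Record the status anyway, but do not rely on it alone.
$sig = Get-AuthenticodeSignature $utilman.FullName
if ($sig.Status -ne 'Valid') {
    $findings += "utilman.exe Authenticode status: $($sig.Status)"
}

# 2. Reboots in the last 7 days: 1074 = shutdown/restart requested,
#    6008 = unexpected shutdown, 6005 = Event Log service started (a boot).
$since   = (Get-Date).AddDays(-7)
$reboots = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 1074, 6005, 6008; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $reboots) {
    $first = ($e.Message -split "`n")[0]
    $findings += "{0:u} Event {1}: {2}" -f $e.TimeCreated, $e.Id, $first
}

if ($findings.Count -eq 0) {
    Write-Output 'No utilman.exe tampering or recent reboots found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The hash and version-resource checks can be scheduled on each DC; any reboot hit on a DC outside a maintenance window is the event worth alerting on.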