Changing a Lost Domain Administrator Password
If you wish to change or reset only the password for the Domain Administrator user account (MyDomain\Administrator) – without reloading Active Directory – you can use the following procedure. This allows you to regain control of your domain if you forgot the password.
If You Also Lost the DSRM Password
This procedure requires that you know the Directory Services Restore Mode (DSRM) password. The DSRM account (.\Administrator) is a local account stored in the domain controller's local SAM database, not in Active Directory, so if you have also lost its password you can recover it with a standard offline desktop PC lost-password recovery tool (one that boots the machine from external media and resets the local Administrator password). Use the tool that matches the desktop release the server is built on:
- Windows Server 2016-2022 (Windows 10 and Windows 11 recovery tools)
- Windows Server 2012 R2 (Windows 8.1 recovery tools)
- Windows Server 2012 (Windows 8 recovery tools)
- Windows Server 2008 R2 (Windows 7 recovery tools)
Procedure
After you have obtained (or recovered) the DSRM password, run U-Move to change the Domain Administrator password.
- On the domain controller that holds the Primary Domain Controller (PDC) Emulator role, boot into DSRM and log on as the DSRM administrator (.\Administrator).
- Install U-Move. (If you receive the error message “The system administrator has set policies to prevent this installation,” see below.)
- Run U-Move.
- On the Welcome page, right-click and select Change domain password. The Change Domain Password page will appear.
- Type the new password for the Domain Administrator account. In the confirmation box type the password again.
- Click Next and Finish. The domain controller will automatically reboot back to normal operation.
- After the logon prompt appears, wait 30 seconds while the password is changed.
- Log on as MyDomain\Administrator, where MyDomain is the domain name. (The name 'Administrator' varies by language, and the account may have been renamed previously; see below.)
If the Domain Administrator account was disabled, U-Move will automatically enable it.
If the new password is rejected, reboot into DSRM and check the Event Log for error messages. If U-Move was unable to change the password, the reason is written to the Application Event Log.
If the Administrator Account Was Renamed
If you still cannot log on (and the Event Log reports that U-Move successfully changed the password), it is possible that the Administrator account was previously renamed. To discover the true name of the Administrator account, reboot into DSRM and run NOTEPAD.EXE to open the U-Move trace log file (C:\Program Files\UMove\TraceLogs\UMoveTrace.txt).
In the trace file look for the following text line:
Administrator DN is CN=TheAdmin,OU=Users,DC=WestCoast,DC=com
In the above example the correct logon account name is westcoast.com\TheAdmin. In the logon box carefully type the name of the domain (westcoast.com), followed by a backslash (\), followed by the administrator account name (TheAdmin).
The PDC Emulator Should Be Used to Change the Password
In order to change the Domain Administrator password, the domain controller you run U-Move on should own the Primary Domain Controller (PDC) Emulator role. A domain controller that does not hold the role forwards the change-password request to the PDC Emulator. If the PDC Emulator is not reachable on the network, the forwarded request fails and error messages are written to the Event Log. (If the password stored on a non-PDC differs from the one on the PDC Emulator, the PDC Emulator's copy takes precedence.)
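The checks described in the last three sections can be scripted once the domain controller is back in normal operation. The following is an added PowerShell example, not U-Move's own code. It assumes the ActiveDirectory module (RSAT) is installed and that the session is authenticated to the domain as any domain user; it does not work in DSRM, where AD DS is offline. It finds the built-in Administrator account by its well-known relative ID (RID 500) instead of by name, which gives the same answer as the "Administrator DN is ..." trace-log line even when the account was renamed, and it confirms whether the local machine holds the PDC Emulator role. It can also be run from any domain-joined workstation, with ordinary domain credentials, when the DC itself cannot be logged on to yet.

```powershell
# Added example (not part of U-Move). Requires the ActiveDirectory module and an
# authenticated domain session; run in normal mode, not in DSRM (AD DS is offline there).
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Which DC holds the PDC Emulator role, and is it this machine?
#    A non-PDC forwards the change-password request to the PDC Emulator.
$pdc   = $domain.PDCEmulator
$local = (Get-ADComputer -Identity $env:COMPUTERNAME).DNSHostName
if ($pdc -ieq $local) {
    "This machine ($local) holds the PDC Emulator role."
} else {
    "PDC Emulator is $pdc, not $local; a password change made here is forwarded to $pdc."
}

# 2. Locate the built-in Administrator by SID: <domain SID>-500 is always the
#    built-in Administrator, whatever the account is currently called.
$adminSid = "$($domain.DomainSID.Value)-500"
$admin = Get-ADUser -Identity $adminSid -Properties Enabled, PasswordLastSet, DistinguishedName

"Log on as:         $($domain.DNSRoot)\$($admin.SamAccountName)"
"Distinguished name: $($admin.DistinguishedName)"
"Enabled:           $($admin.Enabled)"
"Password last set: $($admin.PasswordLastSet)"   # should be later than the reboot if the change took effect

# 3. U-Move enables a disabled Administrator account itself; this is a fallback
#    for the case where the account is still disabled after the reboot.
if (-not $admin.Enabled) {
    Enable-ADAccount -Identity $admin
    "Enabled $($admin.SamAccountName)."
}
```

If PasswordLastSet predates the reboot, the change did not take effect on this domain controller; check the Application Event Log in DSRM as described above before trying again.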
Unable to install U-Move in DSRM
If you are unable to install U-Move because of the error message "The system administrator has set policies to prevent this installation," you will need to modify a registry value. Windows Installer refuses to run while Windows is booted into a Safe Mode variant (DSRM is one), and it reads that state from this value. Run REGEDIT.EXE. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option. Change the registry value OptionValue from 3 to 0.
If you continue to receive the error message, see additional workarounds at KB925336.
Spurious Error Message
A yellow warning from source Schannel (Event ID 36872) may appear in the System Event Log after the reboot. In this context the message is spurious and can be ignored.
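The registry workaround and the Event Log review above can be done from PowerShell as well. The following is an added example, not U-Move's own code, and the two function names are this example's own. Set-SafeBootInstallWorkaround is run in DSRM, from an elevated PowerShell, before starting the U-Move installer; it records the existing OptionValue so it can be restored. Get-PostRebootApplicationErrors is run after the reboot to normal operation and lists Application log errors since boot, reporting the Schannel 36872 warnings separately so they are not mistaken for a U-Move failure.

```powershell
# Added example (not part of U-Move). Both functions are this example's own names.

# Run in DSRM (elevated) before installing U-Move. Mirrors the REGEDIT steps above
# and returns the previous OptionValue so it can be put back afterwards.
function Set-SafeBootInstallWorkaround {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
    $name = 'OptionValue'
    if (-not (Test-Path $key)) {
        throw "$key not found; is this machine booted into DSRM?"
    }
    $previous = (Get-ItemProperty -Path $key -Name $name).$name
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    "Changed $name from $previous to 0; retry the U-Move installer."
    return $previous
}
# To undo in the same DSRM session:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option' -Name OptionValue -Value $previous -Type DWord

# Run after the reboot to normal mode. Errors in the Application log since boot are
# where U-Move reports why a password change failed; Schannel 36872 warnings in the
# System log are expected noise and are only counted.
function Get-PostRebootApplicationErrors {
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

    $errors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = $boot } `
              -ErrorAction SilentlyContinue
    if ($errors) {
        $errors | Select-Object TimeCreated, ProviderName, Id, Message | Format-List
    } else {
        "No Application log errors since boot ($boot)."
    }

    $spurious = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36872; StartTime = $boot } `
                -ErrorAction SilentlyContinue
    "Schannel 36872 warnings since boot (can be ignored): $(@($spurious).Count)"
}
```

Level 2 in the FilterHashtable selects Error-level events only; drop it to see warnings as well.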
U-Move for Active Directory