U-Tools: Unique Tools for Windows System Administrators
U-Move Help

Changing the Domain Admin Password

In addition to setting the DSRM password, U-Move gives you the option of also assigning the same password to the Domain Administrator account. For example, if you restore Active Directory from an old backup you may have forgotten the old Domain Administrator password. This option allows you to regain access to the domain so that you are not locked out.

To change the Domain Administrator password, on the DSRM password panel check the box “also assign this password to the Domain Administrator”. On reboot U-Move will overwrite the password for the Domain Administrator.

If you previously disabled the Domain Administrator account, U-Move will enable it.

U-Move will do a “forced” password change. A forced password change overwrites the password without knowledge of the previous password.

Changing only the password

If you wish only to change the password (without reloading all of Active Directory) see Changing a Lost Domain Administrator Password.

Loss of EFS Recovery Agent Key

If you check the box to do a forced password change, U-Move will show a message box to warn you that you will lose your Recovery Agent Key to recover files from the Encrypting File System (EFS).

Warning: When doing a forced password change, you will lose your Encrypting File System (EFS) Recovery Agent private key for the Domain Administrator account. This is because the computer needs to decrypt the credentials using the old password and then re-encrypt them using the new password. Without the old password the EFS credentials cannot be re-encrypted. This means that you will lose the ability to recover previously encrypted EFS files.

During the cleanup step you can create a new EFS Recovery Agent certificate. The new certificate will be assigned to future encrypted EFS files, allowing you to recover files that are encrypted after the password change.

Because of the danger of losing your EFS Recovery Agent private key, you should do a forced password change only if you have completely forgotten the old Domain Administrator password. U-Move will display a warning message to remind you.

The PDC Emulator Should Be Used to Change Passwords

In order to change the Domain Administrator password, the domain controller that you are moving should own the Primary Domain Controller (PDC) emulator role. A non-PDC will attempt to forward the change-password request to the PDC. If the PDC is not reachable on the network, the password change request will generate error messages in the Event Log. (If there is a discrepancy between passwords on a non-PDC and a PDC, the password on the PDC will take precedence.)

Spurious Error Message

When doing a forced change of the password for the Domain Administrator account, a yellow warning from SChannel (Event ID 36872) may appear in the System Event Log. The message is spurious and can be ignored.
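The checks described on this page (that the domain controller being moved holds the PDC emulator role, that the built-in Domain Administrator account is enabled with a freshly set password after the reboot, and that the only SChannel entry in the System log is the spurious Event ID 36872) can be scripted. The following PowerShell is an added example, not U-Move's own code; it assumes the ActiveDirectory module from RSAT is installed and that it is run on the domain controller being moved.

```powershell
# Added example (not part of U-Move): pre-flight and post-reboot checks around a
# forced Domain Administrator password change. Assumes RSAT's ActiveDirectory module.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-PdcEmulatorIsLocal {
    # The help page recommends doing the forced change on the PDC emulator: a non-PDC
    # forwards the request and logs errors if the PDC is unreachable.
    $domain    = Get-ADDomain
    $localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    [PSCustomObject]@{
        PdcEmulator = $domain.PDCEmulator
        LocalHost   = $localFqdn
        IsLocalPdc  = ($domain.PDCEmulator -ieq $localFqdn)
    }
}

function Get-BuiltinAdministratorState {
    # The built-in Domain Administrator always has RID 500, whatever it was renamed to.
    # After the reboot, expect Enabled = True and PasswordLastSet at the time of the reboot.
    $sid = (Get-ADDomain).DomainSID.Value + '-500'
    Get-ADUser -Identity $sid -Properties Enabled, PasswordLastSet, LastLogonDate |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate
}

function Get-SchannelEventsSince {
    param([datetime]$Since)
    # Event ID 36872 from Schannel right after the reboot is the spurious warning the
    # help page describes; any other Schannel entry deserves a closer look.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Spurious36872'; e = { $_.Id -eq 36872 } }
}

# Run the first two checks before the reboot and all three afterwards.
Test-PdcEmulatorIsLocal
Get-BuiltinAdministratorState
Get-SchannelEventsSince -Since (Get-Date).AddHours(-1)
```

If IsLocalPdc is False, move the PDC emulator role to this domain controller (or run U-Move on the PDC) before doing the forced change, so that no change-password request has to be forwarded to an unreachable PDC.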