Reset Admin Pass - Domain Controller Gone

Question

I am not a Microsoft person and I need to maintain some old servers.

The Domain Controller was removed from the network a while back and a Windows Server 2008 R2 is running a very important database. For security reasons we need to change the Admin password but get an error saying that it cannot connect to the DC.

I really don't care to have a DC for this computer, I just want to change the Admin pass.

Is there any way to remove the computers requirement to have a DC? Can we just change it to have a localized authentication?

I know the current domain/admin pass and CAN log in (cached), but I cannot change the password.

Answer 1

First of all, it sounds like the machine has cached credentials which are allowing users to login with domain\administrator. That's why users can login, but you can't change it - loging in can be done with cached credentials, changing a domain password requires connectivity to a domain controller.

Probably the quickest way to remediate this is to unjoin the computer from the domain. Make sure you have the (or a) local administrator's credentials before doing that, though.

As noted in other answers, the command is netdom remove computername /Domain:domain /UserD:user /PasswordD:* /Force. You can also do so through the computer properties, Computer name, domian and workgroup settings by changing the computer's domain from the domain it's on to any workgroup name you fancy.

If you don't have local administrator credentials, there are a couple ways to reset a password on a Windows machine.

One is to use a utility like the "Ultimate Boot CD" - boot the machine to CD, and select the NT password rest tool. The other popular, native option is to use your Windows install CD to enter a recovery console, swap cmd.exe with utilman.exe, reboot, and launch the ease-of-use/accessibility tool, which has been replaced with cmd.exe. You can then reset the password with net user. Don't forget to switch cmd.exe and utilman.exe back once you're done.

Finally, it's bad practice to log in with the default administrator password, in general. (It's like using root in Linux-land, but less excusable. In Windows-land, best practice is to disable or rename the default Administrator user.) Extra bad to do so with the default domain administrator password, and extra, extra bad to have a bunch of users logging on with the default domain administrator password. Your next order of business after fixing this issue is to fix your policies, ASAP.

Answer 2

Sounds like you need to enable the local administrator account. You can fire up lusrmgr.msc (Local users and groups) and then either enable/create a local administrator account. Then go through the disjoin process, otherwise you'll be high and dry when it comes to logging in locally.

Here's a link to technet on the detailed steps: https://technet.microsoft.com/en-us/library/cc770642.aspx

Answer 3

The answer might depend on what situation is in your site regarding domains, after that DC was removed. Do you have another DC? Are you required to have that server on a domain?

Make sure you have a local admin password before continuing (that is not clear from your question, you just say "I know the current admin pass and can log in", you don't specify if it is local or domain admin).

If disjoining from the domain is appropriate, you could use

netdom remove computername /Domain:domain /UserD:user /PasswordD:* /Force

Type netdom remove /? for the full command usage. The /Force option is what you're looking for. Per the help:

Forces the unjoin of the machine from the domain even if the domain is not found or does not contain the matching computer object.

The logic is that after disjoining the domain, you should be able to change the password without contacting any domain controller.

Credits: got this answer from user mweisel here.