{"id":975,"date":"2019-07-25T11:42:26","date_gmt":"2019-07-25T09:42:26","guid":{"rendered":"https:\/\/www.em-soft.si\/myblog\/elvis\/?p=975"},"modified":"2019-07-25T11:42:26","modified_gmt":"2019-07-25T09:42:26","slug":"reset-local-domain-administrator-password-on-server-2016-2019","status":"publish","type":"post","link":"https:\/\/em-soft.si\/myblog\/elvis\/?p=975","title":{"rendered":"Reset local domain\/Administrator password on Server (2016) 2019"},"content":{"rendered":"\n

In past I already wrote about resetting Administrator password in this post<\/a>. That was perfect for Windows 10 (till 1903) and Servers 2012 and 2016. Probably Microsoft was not really satisfied that users were able to \u201crecover\u201d lost passwords in such an easy way (this is my opinion). It is OK if these steps are used to reset your lost password, but not if you use them to reset a password from a stolen computer.<\/p>\n

I think that this is the reason that you cannot rename cmd.exe<\/em> in other executables and run it before you log in \u2013 for example to change the password. It makes sense, it is perfect for me as it is more secure. But someone forgot something: it is not a requirement to open CMD to use NET USER command, you can do it from PowerShell as well \u2013 and it\u2019s working also in Server 2019!<\/p>\n

Here are the steps (they are very similar as previous steps):<\/p>\n

    \n
  1. Boot from DVD \u2013 you need to access to Windows system drive offline \u2013 installation DVD has all tools that you need.<\/li>\n
  2. From menu select Repair your computer. This will give you the ability to change some files.\"\"<\/a><\/li>\n
  3. In the next menu select Troubleshot.\"\"<\/a><\/li>\n
  4. Select Command prompt. This is what we need \u2013 we want to modify some files.\"\"<\/a><\/li>\n
  5. Now you need to replace the file:\n
      \n
    1. Go to C:<\/strong> (supposing that C: is your system drive)<\/li>\n
    2. Type cd \\Windows\\System32<\/strong><\/em> \u2013 to enter into the folder<\/li>\n
    3. Type ren osk.exe osk.old<\/strong><\/em> \u2013 be smart, you need to preserve the original file and put it back at the end of the process! If you don\u2019t replace it again it means that you leave open a surface attack!!!<\/span><\/li>\n
    4. Replace the file with a copy C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe osk.exe<\/strong><\/em><\/li>\n<\/ol>\n<\/li>\n
    5. Reboot the server in normal mode.<\/li>\n
    6. From the logon screen choose Onscreen keyboard (as in picture).\"\"<\/a><\/li>\n
    7. PowerShell window will be opened \u2013 and you are a local system user!!! You can do a lot of things.<\/li>\n
    8. Change the password with command Net user Administrator Password<\/strong><\/em> \u2013 where Administrator is the username of local or domain administrator and Password is the password that you want to set.\"\"<\/a><\/li>\n
    9. Login to server with the new password \u2013 just to test that it is working.<\/li>\n
    10. Reboot the server and redo all the steps from 1 to 5<\/span>, but in the way to put back all things in the original state. You need to replace original onscreen keyboard:\n
        \n
      1. Go to C:<\/strong><\/li>\n
      2. Type cd \\Windows\\System32<\/strong><\/em><\/li>\n
      3. Type del osk.exe <\/strong><\/em><\/li>\n
      4. Replace a file with ren osk.old osk.exe<\/strong><\/em><\/li>\n<\/ol>\n<\/li>\n
      5. Reboot the server.<\/li>\n<\/ol>\n

        That\u2019s all. I recommend you to disconnect the server from the internet in the time you are doing these steps. In the same way you can access to the PowerShell window, it can be accessed by anyone who can see logon screen!<\/p>\n","protected":false},"excerpt":{"rendered":"

        In past I already wrote about resetting Administrator password in this post. That was perfect for Windows 10 (till 1903) and Servers 2012 and 2016. Probably Microsoft was not really satisfied that users were able to \u201crecover\u201d lost passwords in such an easy way (this is my opinion). It is OK if these steps are […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,15],"tags":[34,40],"class_list":["post-975","post","type-post","status-publish","format-standard","hentry","category-windows","category-windows-server","tag-windows-10","tag-windows-server"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=\/wp\/v2\/posts\/975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=975"}],"version-history":[{"count":2,"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=\/wp\/v2\/posts\/975\/revisions"}],"predecessor-version":[{"id":983,"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=\/wp\/v2\/posts\/975\/revisions\/983"}],"wp:attachment":[{"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/em-soft.si\/myblog\/elvis\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}