I admit it. In one of my test environments, I've now been caught out too. I forgot the password...
But it's actually a good thing, because I can now check whether the good old workaround via "Utilman" still works. The good news: Yes, it still works!
Here, once again, is how local administrator passwords, or even the domain administrator password, can be reset. If I remember correctly, this has worked since Windows 2000...?!
This small, inconspicuous icon on the lock screen is called Utilman.exe:
Clicking on it opens a menu with which, for example, the on-screen keyboard can be activated:
This small, inconspicuous icon is the door opener, because it is started with SYSTEM rights before anyone has logged in. To reset the password, all you need is bootable media such as the Windows Server 2016 installation disk. A USB stick or similar will also work. In principle, anything that can be booted from and can read and write NTFS is sufficient.
The procedure is very simple. The server is restarted and booted from the Windows Server 2016 disk.
The Windows Server 2016 installation medium offers "Repair your computer":
In the repair options, "Troubleshoot" can now be selected:
The command prompt can now be started:
A normal CMD now opens here:
From this CMD, change to the local hard disk and into the directory C:\Windows\System32:
First a backup of the Utilman.exe file is created and then Utilman.exe is overwritten with cmd.exe:
Utilman.exe is now cmd.exe. Here is an overview of the commands:
c:
cd windows
cd system32
copy Utilman.exe Utilman.exe_bak
copy cmd.exe Utilman.exe
The server now boots normally again. However, clicking on the small, inconspicuous icon on the lock screen opens cmd.exe:
As already mentioned at the beginning, Utilman.exe runs as the SYSTEM account and therefore has access to EVERYTHING:
To display the users, it is sufficient to execute "net user":
The password of the "LocalAdmin" user can then be reset with the following command:
net user LocalAdmin P@ssw0rd
That was all. The LocalAdmin user now has the new password and can log in directly. This method also works on domain controllers.
After the password has been reset, the original Utilman.exe must be restored. So boot again from the Windows disk and open a shell:
Now restore the backup from the CMD:
After a restart, the original function is back:
In case anyone had the following thought process for even a millisecond: "I could leave it like this...":
NO!
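Since a swapped Utilman.exe is trivial to forget, here is an added check (my own example, not part of the original post) that a defender can run on any host to confirm the swap described above is not still in place. It assumes the default System32 paths and the backup name Utilman.exe_bak used above, and an elevated PowerShell session.

```powershell
# Added example: detect an Utilman.exe that has been replaced by cmd.exe.
# Assumptions: default %SystemRoot%\System32 layout and the backup name
# Utilman.exe_bak from the procedure above; run elevated.
$sys32   = Join-Path $env:SystemRoot 'System32'
$utilman = Join-Path $sys32 'Utilman.exe'
$cmd     = Join-Path $sys32 'cmd.exe'
$backup  = Join-Path $sys32 'Utilman.exe_bak'

$findings = @()

# 1. A byte-identical copy of cmd.exe is exactly what the procedure leaves behind.
$hUtil = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$hCmd  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
if ($hUtil -eq $hCmd) {
    $findings += "Utilman.exe has the same SHA256 as cmd.exe: $hUtil"
}

# 2. The PE version resource travels with the copy: a copied cmd.exe still
#    reports cmd.exe as its OriginalFilename (assumed: the genuine file reports
#    utilman.exe; -notmatch is case-insensitive in PowerShell).
$orig = (Get-Item $utilman).VersionInfo.OriginalFilename
if ($orig -and $orig -notmatch '^utilman\.exe$') {
    $findings += "Utilman.exe reports OriginalFilename '$orig'"
}

# 3. The backup file created during the swap is itself an indicator.
if (Test-Path $backup) {
    $findings += "Backup file present: $backup"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Utilman.exe looks untouched.'
} else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
    Write-Output 'Restore the original Utilman.exe (from the backup or with "sfc /scannow").'
}
```

Any ALERT line means the lock screen on that host still hands out a SYSTEM shell to anyone who can reach the console.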