Accessing a Protected Domain Administrator Account

As a good practice measure, the default domain administrator account which comes pre-installed with every Active Directory should be guarded from misuse. We all know this. To follow in this good practice, the account should be renamed from the default name and disabled.

So what happens if this account is the one you have to use to recover from a problem? Let’s say, for example, that all of your usual domain administrative accounts are somehow not accessible for use and requires you to get to this account. If it’s disabled, what do you do?

Should you find yourself in the scenario that you have a disabled administrator account AND know the password --

• Boot up the domain controller to Safe Mode (make sure it is not Safe Mode w/ Networking.) This quasi-enables the account. You can at least log on with it.
• Using the account and password, log in.
• Open a command prompt and issue the following:

net user administrator /active:yes

Now you have an enabled default domain admin account. You can reboot the DC and presume as normal on what will probably be the worst day in your life. :)

 

Note: When you change the account password as a part of your routine process, make sure you verify that DCs receive the password change, in case you need it in a disaster scenario. You can easily validate replication by issuing the following command:

repadmin /showobjmeta <dc name> <admin account distinguished name>