Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Active Directory / How to Reset Active Directory Domain Admin Password

June 8, 2023

How to Reset Active Directory Domain Admin Password

In this article, we’ll look at the Active Directory domain administrator password reset scenarios. You may need it in cases where domain administrator privileges have been lost due to forgetfulness or deliberate sabotage by a retiring administrator, a hacker attack, etc. To successfully reset a domain administrator password, you must have physical or remote access to the AD domain controller console (iLO, iDRAC, or VMware vSphere/Hyper-V/Proxmox console when using a virtual DC).

In this example, we are going to reset the administrator password on a domain controller that is running Windows Server 2019. If there is more than one domain controller on the network, you can reset the Domain Admin password on any of them.

Contents:
  • How to Reset a Lost Domain Administrator Password If You Don’t Know DSRM Password?
  • Resetting the Domain Admin Password on a Virtualized Domain Controller
  • Reset Domain Administrator Password from DSRM

In order to reset a domain administrator password, you must access the Directory Services Restore Mode (DSRM) using the DSRM administrator password (set when the Windows Server is promoted to the domain controller). In fact, it is a local administrator account stored in a local SAM database on the domain controller. Use method 1 or 2 if you do not know the DSRM password.

How to Reset a Lost Domain Administrator Password If You Don’t Know DSRM Password?

Boot your server from any Windows installation media (this can be a Windows installation USB stick or an ISO image):

  1. Press Shift+F10 to open the command prompt on the Windows Setup screen;
  2. Now you need to know the letter assigned to the partition where your Windows Server is installed. Run the command: wmic logicaldisk get volumename,name
    In my example, you can see that my offline Windows Server image is on C:. This is the drive letter we will use in the following commands. windows server identify drive letters
    You can also identify discs in Windows using diskpart: diskpart -> list disk -> list vol diskpart list volumes
  3. Backup the original utilman.exe file:
    copy C:\windows\system32\utilman.exe C:\windows\system32\utilman.exebak
  4. Then replace the utilman.exe file with the cmd.exe:
    copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe /y
    replace utilman.exe with cmd.exe
  5. Extract the boot image (USB/ISO) and reboot your host: wpeutil reboot
  6. After the domain controller has been booted, click the ‘Easy Access’ button on the login screen. This will open a command prompt;
  7. Run the whoami command to make sure that the command prompt is running as NT Authority\SYSTEM; Run elevated command promt on Windows Server logon screen
  8. List information about the Administrator account: net user administrator check domain admin account
  9. In this example, you can see that this user is a member of the Domain admins group and is now disabled:
    Account active: No
  10. Enable the domain administrator account:
    net user administrator /active:yes
  11. You can now reset your domain administrator password:
    net user administrator *
    Set a new administrator password (the new password must match the domain password policy);. Reset domain administrator password on Windows Server domain controller
  12. Boot your server from the installation media again and replace utilman.exe with the original file (to avoid leaving a security hole in the server):
    copy c:\windows\system32\utilman.exebak c:\windows\system32\utilman.exe /y
  13. Restart your domain controller in the normal mode and make sure that you can now log on to your DC using the new domain administrator password.

Resetting the Domain Admin Password on a Virtualized Domain Controller

If you have a virtualized domain controller running on any hypervisor (ESXi, Hyper-V, Proxmox), you can use the DSInternals PowerShell module to reset the administrator password.
To do it:

  1. Shut down the VM running the AD DS role (domain controller) and connect its virtual drive (vhdx, vmdk, etc.) to any other VM running Windows. Assign it a drive letter, for example, E:;
  2. Install the DSInternals module from the PowerShell Gallery:
    Install-Module DSInternals –Force
    PowerShell modules can be installed offline when an Internet connection is not available.
  3. Get a boot key used to encrypt password hashes in your AD database (ntds.dit):
    $bootkey= Get-BootKey -SystemHiveFilePath "E:\Windows\System32\config\SYSTEM"
  4. You can now obtain information about any user account in the AD database:
    Get-ADDBAccount -SamAccountName 'Administrator' -DBPath "E:\Windows\NTDS\ntds.dit" -BootKey $bootkey
  5. If the domain administrator account is disabled, enable it and set a new password:
    Enable-ADDBAccount -SamAccountName 'Administrator' -DBPath "E:\Windows\NTDS\ntds.dit"
    Set-ADDBAccountPassword -SamAccountName 'administrator' -DBPath "E:\Windows\NTDS\ntds.dit" -BootKey $bootkey

    Set-ADDBAccountPassword - reset AD domain admin password
  6. Disconnect the virtual drive, re-connect it to the source VM, and power on the domain controller;
  7. After that, the new domain administrator password will be replicated to all DCs.

Reset Domain Administrator Password from DSRM

If you know the DSRM administrator password, you can boot your DC into DSRM by selecting the appropriate option from the Advanced Boot Options menu.

Boot DC into DSRM mode

Enter the local user name (administrator) and the password (DSRM password) on the logon screen. Logon domain controller with DSRM administrator

In this example, the domain controller name is DC01.
Let’s check which user is logged into the system by running the command:

whoami /user

USER INFORMATION
----------------
User Name          SID
================== ============================================
dc01\administrator S-1-5-21-3244332244-312345677-2454632109-500

As you can see, we are logged in as the local admin user.

The next step is to change the Active Directory administrator password (by default, the account is also called Administrator). To reset the password of the domain administrator, we are going to create a service that will reset the password of the administrator account under SYSTEM:
sc create ResetADPass binPath= "%ComSpec% /k net user administrator P1SSsw0rd21!" start= auto

Note. Note that a space is required between the ‘=’ sign and its value when setting the path in the binPath variable. Also, the new password must meet the domain’s requirements for password length and complexity.

Ensure that the service has been created:
sc qc ResetADPass

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ResetADPass
TYPE               : 10  WIN32_OWN_PROCESS
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 1   NORMAL
BINARY_PATH_NAME   : C:\Windows\system32\cmd.exe /k net user administrator P@ssw0rd1
LOAD_ORDER_GROUP   :
TAG                : 0
DISPLAY_NAME       : ResetADPass
DEPENDENCIES       :
SERVICE_START_NAME : LocalSystem

Restart the domain controller in the normal mode:
shutdown -r -t 0
On startup, the service we’ve created changes the Domain Admin password to P1SSsw0rd21!. Use this account and password to log in to the DC.
whoami /user

USER INFORMATION
----------------
User Name             SID
===================== ============================================
corp\administrator S-1-5-21-1737425439-23123122-1234318981-500

Then delete the Windows service that we have just created:
sc delete ResetADPass

[SC] DeleteService SUCCESS

In this article, we have a look at how you can reset the password of an AD domain administrator. We would like to reiterate the importance of ensuring the physical security of your IT infrastructure. If someone other than authorized personnel has local access to your physical host running your domain controllers, they can easily reset any user or administrator password. If you need to deploy DC in less trusted locations, it is recommended that you use a read-only domain controller (RODC) feature.

5 comments
8
Facebook Twitter Google + Pinterest
Active DirectoryWindows Server 2016Windows Server 2019
previous post
Installing Windows 11 with a Local User Account
next post
How to Protect Windows Against Viruses and Ransomware with Built-in Tools

Related Reading

Refresh AD Groups Membership without Reboot/Logoff

March 15, 2024

How to Find the Source of Account Lockouts...

March 12, 2024

Allow Non-admin Users RDP Access to Windows Server

March 16, 2024

Configuring Windows Firewall Rules Using Group Policy

March 15, 2024

Copy Files and Folders to User Computers via...

March 15, 2024

How to Disable NTLM Authentication in Windows Domain

March 16, 2024

Configure Windows LAPS (Local Administrator Passwords Solution) in...

March 15, 2024

How to Install the PowerShell Active Directory Module...

March 15, 2024

5 comments

Km October 29, 2023 - 10:22 am

Hi Thank you for sharing the article, I’ve follow your instruction for “Reset Domain Administrator Password from DSRM” however, instead of the domain administrator password the Service reset the DSRM password. Is that anything I done wrong?

Reply
BP December 7, 2023 - 9:13 pm

@KM
It’s same in my case.
Seems that the method doesn not work.

Reply
AK December 15, 2023 - 6:48 pm

@BP @KM
It does work, however you’re probably stuck in DSRM (safe mode after reboot) which will always run against local admin. Be sure to set normal boot mode (I used msconfig.exe) after setting up the password reset service then the command will run against domain\administrator rather than DSRM .\administrator.

Reply
Ko May 27, 2024 - 11:01 pm

This does not work even after booting in normal mode. Any suggestions?

Reply
NJ February 5, 2025 - 9:28 pm

“Reset Domain Administrator Password from DSRM” Worked for me! and saved my arse with forgotten password from an old backup! Thank you so much

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • Allow Non-admin Users RDP Access to Windows Server
  • How to Disable or Enable USB Drives in Windows using Group Policy
  • How to Find the Source of Account Lockouts in Active Directory
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • Adding Domain Users to the Local Administrators Group in Windows
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top