How to reset the Domain Admin Password under Windows 2012 Server?

Requirements

You need:

1/ Local access to the Domain Controller (DC).
2/ Active@ Boot Disk with Active@ Password Changer
3/ Application to install and register services nssm.exe. This program is developed by Iain Patterson and it is free.
4/ Batch (command) file set_admin.cmd to activate and set administrator’s password. Download AdminTools archive (includes set_admin.cmd and 32/64-bit version for nssm.exe)

Step 0

- Boot your server with Active@ Boot Disk,
- Launch the Password Changer unlock the local Adminstrator’s account and reset it’s password.
- Create temporary folder on Windows Server system disk ( C:/Temp for example).
- Copy files nssn.exe, set_admin.cmd to your temporary folder (C:/Temp).
- Copy file cmd.exe from the windows system folder (C:/Windows/system32) to your temporary folder (C:/Temp).

Step 1

Restart Windows 2012 Server in Directory Services Repair Mode.

Note: Press F8 at machine start up and choose "Directory Services Repair Mode". It disables Active Directory. When the login screen appears, log on as a local Administrator. You now have full access to the computer resources, but you cannot make any changes to Active Directory.

Step 2

Install domain Administrator’s password changing command as service:
- Start command prompt application (right click cmd.exe and select Run as Administrator)
- Change directory to your temporary folder (C:/Temp)
- Type the command:nssm-32 install ServiceName or nssm-64 install ServiceName (where ServiceName is a service name, ex. PwdChng)
- in “NSSM service installer” in Application tab enter C:/temp/cmd.exe (where C:/temp is your temporary folder path) in Path: field.
- Then type C:/temp in Startup directory:
field and then type /K set_admin.cmd YOUR_PASSWORD, where YOUR_PASSWORD – new password for domain Administrator account (Replace YOU_PASSWORD with the password you want.).

Password Changer. Resetting Domain Admin Password

Note: The new password must correspond to Local Security Policy password rules such as 7 characters minimum and must contains small/capital letters, digits and special symbols (such as !,?,# etc.). Otherwise it will not be set.

- in “NSSM service installer” in Details tab set Startup type: as Automatic,
- then in Logon tab select Local System Account and check Allow service to interact with desktop
- After that press Install service button and wait for success pop-up window.

Step 3

- Restart Windows Server and wait for the login screen.
- You will not see the command prompt running the net user command as it is displayed on another desktop. But no worries, the command is still executed in the background.
- Log on as Administrator on your domain by using the password you set above. The system should grant you access.
- If not, go back to Step 2 and check you did not mistype any commands or values.

When the system is on and you have full access to your domain resources do not forget uninstall your new temporary service.

To do that run command prompt as Administrator set current folder as C:/temp and type and press Enter after each line:
nssm remove PwdChng
Check in registry that key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PwdChng does not exists anymore.

Now delete c:\temp and change the admin password again if you like.

Note: Domain Administrator account is disabled by default, so do not forget to disable it after you implement all desired changes in this Domain Controller. To do that run command prompt as administrator and type: net user Administrator /active:no

Alternatively, you can just launch Local Security Policy and disable this account.

Operating Procedures