Domain Administrator Locked Out - Please Help!!!

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have a Windows 2003 Server and a Windows 2000 Server which are
domain controllers. When trying to logon on any workstation or server
on the domain as Administrator (domain) I am getting a "check
password" error. I am using the correct password, and I have also
reset the password from the Domain Controller to double check.

If I right-click on Administrator within the Users and Computers MMC
there is no option to unlock account.

As a background to what may have caused this problem, I was trying to
amend our domain policy.

We had originally amended the Default Domain Policy (not a good idea I
know now in hindsight), setting the password policy and lockout
policy. This was set to apply to users but not administrators.

I then needed to set something specifically for admins but not users,
so I created a new Administrators policy, and set this for admins but
not users.

Later in the day it was discovered our domain Administrator account
could not logon to a workstation, I panicked and started changing all
sorts of settings.

I ran a command on our 2003 server which I found on a website (cant
remember the command now) which was suppose to revert back to the
default domain settings, however I was then unable to edit the policy.
A few random clicks later I was able to edit policy, but I still do
not know how to logon as my domain Administrator account. I have
logged out of the Win 2000 server because it crashed and I could not
log back in as Administrator. I am now scared to logout of the Win
2003 server because I will not get back in! I have made a copy of the
Administrator account which at least has allowed me to login to the
Win 2000 server, but this is not the built-in administrator account.

I have not had a good day and any help would be appreciated. I will
try not to play in future!

Thanks.
7 answers Last reply
More about domain administrator locked help
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Did you rename the administrator account? If you did then you will
    have to set it back to what ever it was prior to that, or just modify
    the policy to show "not configured". This is located in the GPO MMC
    module under Computer Configuration, Windows Settings, Security
    Settings, local policies, security options. Look for Rename
    Administrator Account.

    Hope this helps

    Randy

    On Wed, 24 Nov 2004 23:37:29 +0000 (UTC),
    mvmobile@NOSPAMbtinternet.com (Mart) wrote:

    >
    >I have a Windows 2003 Server and a Windows 2000 Server which are
    >domain controllers. When trying to logon on any workstation or server
    >on the domain as Administrator (domain) I am getting a "check
    >password" error. I am using the correct password, and I have also
    >reset the password from the Domain Controller to double check.
    >
    >If I right-click on Administrator within the Users and Computers MMC
    >there is no option to unlock account.
    >
    >As a background to what may have caused this problem, I was trying to
    >amend our domain policy.
    >
    >We had originally amended the Default Domain Policy (not a good idea I
    >know now in hindsight), setting the password policy and lockout
    >policy. This was set to apply to users but not administrators.
    >
    >I then needed to set something specifically for admins but not users,
    >so I created a new Administrators policy, and set this for admins but
    >not users.
    >
    >Later in the day it was discovered our domain Administrator account
    >could not logon to a workstation, I panicked and started changing all
    >sorts of settings.
    >
    >I ran a command on our 2003 server which I found on a website (cant
    >remember the command now) which was suppose to revert back to the
    >default domain settings, however I was then unable to edit the policy.
    >A few random clicks later I was able to edit policy, but I still do
    >not know how to logon as my domain Administrator account. I have
    >logged out of the Win 2000 server because it crashed and I could not
    >log back in as Administrator. I am now scared to logout of the Win
    >2003 server because I will not get back in! I have made a copy of the
    >Administrator account which at least has allowed me to login to the
    >Win 2000 server, but this is not the built-in administrator account.
    >
    >I have not had a good day and any help would be appreciated. I will
    >try not to play in future!
    >
    >Thanks.
    >
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    First off you can not have different password/account policy for users than
    administrators. There can only be one password policy for all domain users -
    no exceptions. Password policy is computer configuration which can not be
    filtered by users anyhow.

    If you are logged into a domain controller as an administrator use Active
    Directory Users and Computers to create a new user account and add that
    account to the domain admins group so that you can use it if need be to
    logon to the domain as an administrator. The description of your error
    sounds as is a wrong name or password is used to try and logon. When you
    logon to a domain computer [other than domain controller] make sure that you
    are logging onto the domain and not the local computer which may be why you
    were getting an error message. If the problem persists, try logging on using
    upn as in user1@mydomain.com in case you somehow changed your account
    pre-Windows 2000 logon name. --- Steve


    "Mart" <mvmobile@NOSPAMbtinternet.com> wrote in message
    news:41a5181b.2567271@news.btinternet.com...
    >
    > I have a Windows 2003 Server and a Windows 2000 Server which are
    > domain controllers. When trying to logon on any workstation or server
    > on the domain as Administrator (domain) I am getting a "check
    > password" error. I am using the correct password, and I have also
    > reset the password from the Domain Controller to double check.
    >
    > If I right-click on Administrator within the Users and Computers MMC
    > there is no option to unlock account.
    >
    > As a background to what may have caused this problem, I was trying to
    > amend our domain policy.
    >
    > We had originally amended the Default Domain Policy (not a good idea I
    > know now in hindsight), setting the password policy and lockout
    > policy. This was set to apply to users but not administrators.
    >
    > I then needed to set something specifically for admins but not users,
    > so I created a new Administrators policy, and set this for admins but
    > not users.
    >
    > Later in the day it was discovered our domain Administrator account
    > could not logon to a workstation, I panicked and started changing all
    > sorts of settings.
    >
    > I ran a command on our 2003 server which I found on a website (cant
    > remember the command now) which was suppose to revert back to the
    > default domain settings, however I was then unable to edit the policy.
    > A few random clicks later I was able to edit policy, but I still do
    > not know how to logon as my domain Administrator account. I have
    > logged out of the Win 2000 server because it crashed and I could not
    > log back in as Administrator. I am now scared to logout of the Win
    > 2003 server because I will not get back in! I have made a copy of the
    > Administrator account which at least has allowed me to login to the
    > Win 2000 server, but this is not the built-in administrator account.
    >
    > I have not had a good day and any help would be appreciated. I will
    > try not to play in future!
    >
    > Thanks.
    >
    >
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks both for your suggestions, I will try them as soon as I get in
    to work and report back.

    Yes the Administrator account was renamed - this was renamed at the
    time we installed our domain a few years ago and has not since
    changed.

    The user name and password for Administrator has not changed and I
    have reset the password but still get the incorrect user name/password
    error. So I think this may be a red herring.


    On Thu, 25 Nov 2004 01:16:28 GMT, "Steven L Umbach"
    <n9rou@n0-spam-for-me-comcast.net> wrote:

    >First off you can not have different password/account policy for users than
    >administrators. There can only be one password policy for all domain users -
    >no exceptions. Password policy is computer configuration which can not be
    >filtered by users anyhow.
    >
    >If you are logged into a domain controller as an administrator use Active
    >Directory Users and Computers to create a new user account and add that
    >account to the domain admins group so that you can use it if need be to
    >logon to the domain as an administrator. The description of your error
    >sounds as is a wrong name or password is used to try and logon. When you
    >logon to a domain computer [other than domain controller] make sure that you
    >are logging onto the domain and not the local computer which may be why you
    >were getting an error message. If the problem persists, try logging on using
    >upn as in user1@mydomain.com in case you somehow changed your account
    >pre-Windows 2000 logon name. --- Steve
    >
    >
    >"Mart" <mvmobile@NOSPAMbtinternet.com> wrote in message
    >news:41a5181b.2567271@news.btinternet.com...
    >>
    >> I have a Windows 2003 Server and a Windows 2000 Server which are
    >> domain controllers. When trying to logon on any workstation or server
    >> on the domain as Administrator (domain) I am getting a "check
    >> password" error. I am using the correct password, and I have also
    >> reset the password from the Domain Controller to double check.
    >>
    >> If I right-click on Administrator within the Users and Computers MMC
    >> there is no option to unlock account.
    >>
    >> As a background to what may have caused this problem, I was trying to
    >> amend our domain policy.
    >>
    >> We had originally amended the Default Domain Policy (not a good idea I
    >> know now in hindsight), setting the password policy and lockout
    >> policy. This was set to apply to users but not administrators.
    >>
    >> I then needed to set something specifically for admins but not users,
    >> so I created a new Administrators policy, and set this for admins but
    >> not users.
    >>
    >> Later in the day it was discovered our domain Administrator account
    >> could not logon to a workstation, I panicked and started changing all
    >> sorts of settings.
    >>
    >> I ran a command on our 2003 server which I found on a website (cant
    >> remember the command now) which was suppose to revert back to the
    >> default domain settings, however I was then unable to edit the policy.
    >> A few random clicks later I was able to edit policy, but I still do
    >> not know how to logon as my domain Administrator account. I have
    >> logged out of the Win 2000 server because it crashed and I could not
    >> log back in as Administrator. I am now scared to logout of the Win
    >> 2003 server because I will not get back in! I have made a copy of the
    >> Administrator account which at least has allowed me to login to the
    >> Win 2000 server, but this is not the built-in administrator account.
    >>
    >> I have not had a good day and any help would be appreciated. I will
    >> try not to play in future!
    >>
    >> Thanks.
    >>
    >>
    >
    >
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Steve,

    Just on another matter, it was not different password/account policies
    I wanted but different Internet Explorer proxy settings. Therefore I
    created a different policy which was set to appy to Admins. However
    it may be that this policy was set with a different password/lockout
    setting.

    Eg - I want users to use a proxy but not admins

    Thanks again
    On Thu, 25 Nov 2004 01:16:28 GMT, "Steven L Umbach"
    <n9rou@n0-spam-for-me-comcast.net> wrote:

    >First off you can not have different password/account policy for users than
    >administrators. There can only be one password policy for all domain users -
    >no exceptions. Password policy is computer configuration which can not be
    >filtered by users anyhow.
    >
    >If you are logged into a domain controller as an administrator use Active
    >Directory Users and Computers to create a new user account and add that
    >account to the domain admins group so that you can use it if need be to
    >logon to the domain as an administrator. The description of your error
    >sounds as is a wrong name or password is used to try and logon. When you
    >logon to a domain computer [other than domain controller] make sure that you
    >are logging onto the domain and not the local computer which may be why you
    >were getting an error message. If the problem persists, try logging on using
    >upn as in user1@mydomain.com in case you somehow changed your account
    >pre-Windows 2000 logon name. --- Steve
    >
    >
    >"Mart" <mvmobile@NOSPAMbtinternet.com> wrote in message
    >news:41a5181b.2567271@news.btinternet.com...
    >>
    >> I have a Windows 2003 Server and a Windows 2000 Server which are
    >> domain controllers. When trying to logon on any workstation or server
    >> on the domain as Administrator (domain) I am getting a "check
    >> password" error. I am using the correct password, and I have also
    >> reset the password from the Domain Controller to double check.
    >>
    >> If I right-click on Administrator within the Users and Computers MMC
    >> there is no option to unlock account.
    >>
    >> As a background to what may have caused this problem, I was trying to
    >> amend our domain policy.
    >>
    >> We had originally amended the Default Domain Policy (not a good idea I
    >> know now in hindsight), setting the password policy and lockout
    >> policy. This was set to apply to users but not administrators.
    >>
    >> I then needed to set something specifically for admins but not users,
    >> so I created a new Administrators policy, and set this for admins but
    >> not users.
    >>
    >> Later in the day it was discovered our domain Administrator account
    >> could not logon to a workstation, I panicked and started changing all
    >> sorts of settings.
    >>
    >> I ran a command on our 2003 server which I found on a website (cant
    >> remember the command now) which was suppose to revert back to the
    >> default domain settings, however I was then unable to edit the policy.
    >> A few random clicks later I was able to edit policy, but I still do
    >> not know how to logon as my domain Administrator account. I have
    >> logged out of the Win 2000 server because it crashed and I could not
    >> log back in as Administrator. I am now scared to logout of the Win
    >> 2003 server because I will not get back in! I have made a copy of the
    >> Administrator account which at least has allowed me to login to the
    >> Win 2000 server, but this is not the built-in administrator account.
    >>
    >> I have not had a good day and any help would be appreciated. I will
    >> try not to play in future!
    >>
    >> Thanks.
    >>
    >>
    >
    >
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    OK. Good luck. If the situation does not improve, see the link below on how
    to reset the built in administrator password with a free download utility. I
    have used it myself and it works well but it should be a last resort
    ption. --- Steve

    http://www.petri.co.il/forgot_administrator_password.htm

    "Mart" <mvmobile@NOSPAMbtinternet.com> wrote in message
    news:41a5725f.25675349@news.btinternet.com...
    > Thanks both for your suggestions, I will try them as soon as I get in
    > to work and report back.
    >
    > Yes the Administrator account was renamed - this was renamed at the
    > time we installed our domain a few years ago and has not since
    > changed.
    >
    > The user name and password for Administrator has not changed and I
    > have reset the password but still get the incorrect user name/password
    > error. So I think this may be a red herring.
    >
    >
    >
    > On Thu, 25 Nov 2004 01:16:28 GMT, "Steven L Umbach"
    > <n9rou@n0-spam-for-me-comcast.net> wrote:
    >
    >>First off you can not have different password/account policy for users
    >>than
    >>administrators. There can only be one password policy for all domain
    >>users -
    >>no exceptions. Password policy is computer configuration which can not be
    >>filtered by users anyhow.
    >>
    >>If you are logged into a domain controller as an administrator use Active
    >>Directory Users and Computers to create a new user account and add that
    >>account to the domain admins group so that you can use it if need be to
    >>logon to the domain as an administrator. The description of your error
    >>sounds as is a wrong name or password is used to try and logon. When you
    >>logon to a domain computer [other than domain controller] make sure that
    >>you
    >>are logging onto the domain and not the local computer which may be why
    >>you
    >>were getting an error message. If the problem persists, try logging on
    >>using
    >>upn as in user1@mydomain.com in case you somehow changed your account
    >>pre-Windows 2000 logon name. --- Steve
    >>
    >>
    >>"Mart" <mvmobile@NOSPAMbtinternet.com> wrote in message
    >>news:41a5181b.2567271@news.btinternet.com...
    >>>
    >>> I have a Windows 2003 Server and a Windows 2000 Server which are
    >>> domain controllers. When trying to logon on any workstation or server
    >>> on the domain as Administrator (domain) I am getting a "check
    >>> password" error. I am using the correct password, and I have also
    >>> reset the password from the Domain Controller to double check.
    >>>
    >>> If I right-click on Administrator within the Users and Computers MMC
    >>> there is no option to unlock account.
    >>>
    >>> As a background to what may have caused this problem, I was trying to
    >>> amend our domain policy.
    >>>
    >>> We had originally amended the Default Domain Policy (not a good idea I
    >>> know now in hindsight), setting the password policy and lockout
    >>> policy. This was set to apply to users but not administrators.
    >>>
    >>> I then needed to set something specifically for admins but not users,
    >>> so I created a new Administrators policy, and set this for admins but
    >>> not users.
    >>>
    >>> Later in the day it was discovered our domain Administrator account
    >>> could not logon to a workstation, I panicked and started changing all
    >>> sorts of settings.
    >>>
    >>> I ran a command on our 2003 server which I found on a website (cant
    >>> remember the command now) which was suppose to revert back to the
    >>> default domain settings, however I was then unable to edit the policy.
    >>> A few random clicks later I was able to edit policy, but I still do
    >>> not know how to logon as my domain Administrator account. I have
    >>> logged out of the Win 2000 server because it crashed and I could not
    >>> log back in as Administrator. I am now scared to logout of the Win
    >>> 2003 server because I will not get back in! I have made a copy of the
    >>> Administrator account which at least has allowed me to login to the
    >>> Win 2000 server, but this is not the built-in administrator account.
    >>>
    >>> I have not had a good day and any help would be appreciated. I will
    >>> try not to play in future!
    >>>
    >>> Thanks.
    >>>
    >>>
    >>
    >>
    >
  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thank you both very much for your help. Although I think I may have
    initially misinterpreted your responses, I think this is now resolved.
    The administrator account had indeed been renamed within users and
    computers, via the policy. I manually renamed this back to what it
    should be, and disabled this part of the policy.

    Many thanks again because without your help I dont know how I would
    have solved this.

    Mart.
  7. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Excellent, glad you got it worked out. For future reference be sure you
    always make a backup of the System State on a domain controller before you
    make any changes to group or security policy as you can then always do an
    authoritative restore of Active Directory to set things back the way they
    were. However backing up the System State will not restore "local" policy
    changes which would require a full backup or Ghost type image. You would
    need to know the "local" built in administrator password however to restore
    Active Directory on a domain controller, so be sure you know that. The link
    below explains more and how to change it in case you do not know what it
    currently is.--- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;239803


    "Mart" <mvmobile@btinternet.com> wrote in message
    news:ndbbq0tmha2gp2t5f4ml7gdc4pnb9mi7u9@4ax.com...
    > Thank you both very much for your help. Although I think I may have
    > initially misinterpreted your responses, I think this is now resolved.
    > The administrator account had indeed been renamed within users and
    > computers, via the policy. I manually renamed this back to what it
    > should be, and disabled this part of the policy.
    >
    > Many thanks again because without your help I dont know how I would
    > have solved this.
    >
    > Mart.
    >
    >
Ask a new question

Read More

Policy Domain Windows Server 2003 Windows