Administrator gets locked out

Archived from groups: microsoft.public.win2000.security (More info?)

I have a Win2000 Pro machine that is allowing the administrator account to
be locked out. I thought that with Win2000, XP, 2003 the administrator
account couldn't be locked out. This comes from MS tech articles. The
user, I guess typed the password incorrect too many times and now we are
unable to login with the administrator account. There are only two accounts
on the system. Administrator and Guest.

How do I unlock or enable the administrator account? I don't mean I do I
recover a password, but how do I disable the account locked out flag that
must be set in the user?

Thanks.
9 answers Last reply
More about administrator locked
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    "Ed Gregory" <eg@hotmail.com> wrote in message
    news:#PtdOMa7EHA.128@TK2MSFTNGP15.phx.gbl...
    > I have a Win2000 Pro machine that is allowing the administrator account to
    > be locked out. I thought that with Win2000, XP, 2003 the administrator
    > account couldn't be locked out. This comes from MS tech articles. The
    > user, I guess typed the password incorrect too many times and now we are
    > unable to login with the administrator account. There are only two
    accounts
    > on the system. Administrator and Guest.

    Well, most of us think that it cannot be locked.

    Is it possible something CHANGED the password?

    > How do I unlock or enable the administrator account? I don't mean I do I
    > recover a password, but how do I disable the account locked out flag that
    > must be set in the user?

    You are basically stuck with trying to hack your own
    SAM.

    Googling the obvious (or someone will post a link)
    will get you help on cracking your own SAM...

    Something like (untested): [ "lost password" microsoft: ]

    That last term "microsoft:" (with colon) is a Google keyword
    for their special web-wide "Microsoft collection".

    --
    Herb Martin


    >
    > Thanks.
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    My understanding is that the built-in administrator account cannot be
    locked out at the console, but can be made to follow lockout policies
    for logon attempts over the network. Is this account in fact locked
    out at the console?

    What's the status of the guest account? It used to be recommended to
    rename the administrator account for increase security (very little
    benefit).

    What's the access to the machine? Could the admin account have been
    renamed to something different and a decoy non-admin account given the
    name of administrator. In fact, can the guest account be renamed to
    administrator (and administrator to guest). Check the status of the
    guest account.

    The SIDs will tell which is which.

    Roger

    "Ed Gregory" <eg@hotmail.com> wrote:

    >I have a Win2000 Pro machine that is allowing the administrator account to
    >be locked out. I thought that with Win2000, XP, 2003 the administrator
    >account couldn't be locked out. This comes from MS tech articles. The
    >user, I guess typed the password incorrect too many times and now we are
    >unable to login with the administrator account. There are only two accounts
    >on the system. Administrator and Guest.
    >
    >How do I unlock or enable the administrator account? I don't mean I do I
    >recover a password, but how do I disable the account locked out flag that
    >must be set in the user?
    >
    >Thanks.
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    <somebody@compusmart.ab.ca> wrote in message
    news:7qs9t09bg0sm91pc83q6bbid0e1b185t0k@4ax.com...
    > My understanding is that the built-in administrator account cannot be
    > locked out at the console, but can be made to follow lockout policies
    > for logon attempts over the network. Is this account in fact locked
    > out at the console?

    Perhaps he meant network.

    It makes no sense (even) to allow lockout from the
    console since this could be a denial of service attack
    against the admin with no supported way to reset it.


    --
    Herb Martin


    >
    > What's the status of the guest account? It used to be recommended to
    > rename the administrator account for increase security (very little
    > benefit).
    >
    > What's the access to the machine? Could the admin account have been
    > renamed to something different and a decoy non-admin account given the
    > name of administrator. In fact, can the guest account be renamed to
    > administrator (and administrator to guest). Check the status of the
    > guest account.
    >
    > The SIDs will tell which is which.
    >
    > Roger
    >
    > "Ed Gregory" <eg@hotmail.com> wrote:
    >
    > >I have a Win2000 Pro machine that is allowing the administrator account
    to
    > >be locked out. I thought that with Win2000, XP, 2003 the administrator
    > >account couldn't be locked out. This comes from MS tech articles. The
    > >user, I guess typed the password incorrect too many times and now we are
    > >unable to login with the administrator account. There are only two
    accounts
    > >on the system. Administrator and Guest.
    > >
    > >How do I unlock or enable the administrator account? I don't mean I do I
    > >recover a password, but how do I disable the account locked out flag that
    > >must be set in the user?
    > >
    > >Thanks.
    > >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    My understanding agrees with what you two have expressed.
    I have however seen before a couple times systems (granted,
    all XP) where the built-in had indeed become locked out (not
    disabled) and best we could tell it had been by some malware.

    --
    Roger Abell

    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:un$5Pyw7EHA.4072@TK2MSFTNGP10.phx.gbl...
    > <somebody@compusmart.ab.ca> wrote in message
    > news:7qs9t09bg0sm91pc83q6bbid0e1b185t0k@4ax.com...
    > > My understanding is that the built-in administrator account cannot be
    > > locked out at the console, but can be made to follow lockout policies
    > > for logon attempts over the network. Is this account in fact locked
    > > out at the console?
    >
    > Perhaps he meant network.
    >
    > It makes no sense (even) to allow lockout from the
    > console since this could be a denial of service attack
    > against the admin with no supported way to reset it.
    >
    >
    > --
    > Herb Martin
    >
    >
    > >
    > > What's the status of the guest account? It used to be recommended to
    > > rename the administrator account for increase security (very little
    > > benefit).
    > >
    > > What's the access to the machine? Could the admin account have been
    > > renamed to something different and a decoy non-admin account given the
    > > name of administrator. In fact, can the guest account be renamed to
    > > administrator (and administrator to guest). Check the status of the
    > > guest account.
    > >
    > > The SIDs will tell which is which.
    > >
    > > Roger
    > >
    > > "Ed Gregory" <eg@hotmail.com> wrote:
    > >
    > > >I have a Win2000 Pro machine that is allowing the administrator account
    > to
    > > >be locked out. I thought that with Win2000, XP, 2003 the administrator
    > > >account couldn't be locked out. This comes from MS tech articles. The
    > > >user, I guess typed the password incorrect too many times and now we
    are
    > > >unable to login with the administrator account. There are only two
    > accounts
    > > >on the system. Administrator and Guest.
    > > >
    > > >How do I unlock or enable the administrator account? I don't mean I do
    I
    > > >recover a password, but how do I disable the account locked out flag
    that
    > > >must be set in the user?
    > > >
    > > >Thanks.
    > > >
    > >
    >
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    You might want to take a look at ...
    http://www.jsiinc.com/SUBE/tip2000/rh2077.htm -or -
    http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Security/Enforcestrongpasswords.html

    --
    Bob McCoy
    * This posting is provided "AS IS" with no warranties, and confers no
    rights.
    * Please note I cannot respond to email questions. Please use these
    newsgroups.

    "Ed Gregory" <eg@hotmail.com> wrote in message
    news:%23PtdOMa7EHA.128@TK2MSFTNGP15.phx.gbl...
    >I have a Win2000 Pro machine that is allowing the administrator account to
    >be locked out. I thought that with Win2000, XP, 2003 the administrator
    >account couldn't be locked out. This comes from MS tech articles. The
    >user, I guess typed the password incorrect too many times and now we are
    >unable to login with the administrator account. There are only two
    >accounts on the system. Administrator and Guest.
    >
    > How do I unlock or enable the administrator account? I don't mean I do I
    > recover a password, but how do I disable the account locked out flag that
    > must be set in the user?
    >
    > Thanks.
    >
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    Scary?? Did you have to reinstall assuming a non domain computer?? ---
    Steve


    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:erCUQb17EHA.2452@TK2MSFTNGP14.phx.gbl...
    > My understanding agrees with what you two have expressed.
    > I have however seen before a couple times systems (granted,
    > all XP) where the built-in had indeed become locked out (not
    > disabled) and best we could tell it had been by some malware.
    >
    > --
    > Roger Abell
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:un$5Pyw7EHA.4072@TK2MSFTNGP10.phx.gbl...
    >> <somebody@compusmart.ab.ca> wrote in message
    >> news:7qs9t09bg0sm91pc83q6bbid0e1b185t0k@4ax.com...
    >> > My understanding is that the built-in administrator account cannot be
    >> > locked out at the console, but can be made to follow lockout policies
    >> > for logon attempts over the network. Is this account in fact locked
    >> > out at the console?
    >>
    >> Perhaps he meant network.
    >>
    >> It makes no sense (even) to allow lockout from the
    >> console since this could be a denial of service attack
    >> against the admin with no supported way to reset it.
    >>
    >>
    >> --
    >> Herb Martin
    >>
    >>
    >> >
    >> > What's the status of the guest account? It used to be recommended to
    >> > rename the administrator account for increase security (very little
    >> > benefit).
    >> >
    >> > What's the access to the machine? Could the admin account have been
    >> > renamed to something different and a decoy non-admin account given the
    >> > name of administrator. In fact, can the guest account be renamed to
    >> > administrator (and administrator to guest). Check the status of the
    >> > guest account.
    >> >
    >> > The SIDs will tell which is which.
    >> >
    >> > Roger
    >> >
    >> > "Ed Gregory" <eg@hotmail.com> wrote:
    >> >
    >> > >I have a Win2000 Pro machine that is allowing the administrator
    >> > >account
    >> to
    >> > >be locked out. I thought that with Win2000, XP, 2003 the
    >> > >administrator
    >> > >account couldn't be locked out. This comes from MS tech articles.
    >> > >The
    >> > >user, I guess typed the password incorrect too many times and now we
    > are
    >> > >unable to login with the administrator account. There are only two
    >> accounts
    >> > >on the system. Administrator and Guest.
    >> > >
    >> > >How do I unlock or enable the administrator account? I don't mean I
    >> > >do
    > I
    >> > >recover a password, but how do I disable the account locked out flag
    > that
    >> > >must be set in the user?
    >> > >
    >> > >Thanks.
    >> > >
    >> >
    >>
    >>
    >
    >
  7. Archived from groups: microsoft.public.win2000.security (More info?)

    They pretty much accepted the advice that
    a compromised system is a compromised system
    perhaps always will be --> format + build
    Those systems did not come up clean to industry
    anti-malware scans.
    --
    Roger
    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:3ogBd.594640$wV.566044@attbi_s54...
    > Scary?? Did you have to reinstall assuming a non domain computer?? ---
    > Steve
    >
    >
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:erCUQb17EHA.2452@TK2MSFTNGP14.phx.gbl...
    > > My understanding agrees with what you two have expressed.
    > > I have however seen before a couple times systems (granted,
    > > all XP) where the built-in had indeed become locked out (not
    > > disabled) and best we could tell it had been by some malware.
    > >
    > > --
    > > Roger Abell
    > >
    > > "Herb Martin" <news@LearnQuick.com> wrote in message
    > > news:un$5Pyw7EHA.4072@TK2MSFTNGP10.phx.gbl...
    > >> <somebody@compusmart.ab.ca> wrote in message
    > >> news:7qs9t09bg0sm91pc83q6bbid0e1b185t0k@4ax.com...
    > >> > My understanding is that the built-in administrator account cannot be
    > >> > locked out at the console, but can be made to follow lockout policies
    > >> > for logon attempts over the network. Is this account in fact locked
    > >> > out at the console?
    > >>
    > >> Perhaps he meant network.
    > >>
    > >> It makes no sense (even) to allow lockout from the
    > >> console since this could be a denial of service attack
    > >> against the admin with no supported way to reset it.
    > >>
    > >>
    > >> --
    > >> Herb Martin
    > >>
    > >>
    > >> >
    > >> > What's the status of the guest account? It used to be recommended to
    > >> > rename the administrator account for increase security (very little
    > >> > benefit).
    > >> >
    > >> > What's the access to the machine? Could the admin account have been
    > >> > renamed to something different and a decoy non-admin account given
    the
    > >> > name of administrator. In fact, can the guest account be renamed to
    > >> > administrator (and administrator to guest). Check the status of the
    > >> > guest account.
    > >> >
    > >> > The SIDs will tell which is which.
    > >> >
    > >> > Roger
    > >> >
    > >> > "Ed Gregory" <eg@hotmail.com> wrote:
    > >> >
    > >> > >I have a Win2000 Pro machine that is allowing the administrator
    > >> > >account
    > >> to
    > >> > >be locked out. I thought that with Win2000, XP, 2003 the
    > >> > >administrator
    > >> > >account couldn't be locked out. This comes from MS tech articles.
    > >> > >The
    > >> > >user, I guess typed the password incorrect too many times and now we
    > > are
    > >> > >unable to login with the administrator account. There are only two
    > >> accounts
    > >> > >on the system. Administrator and Guest.
    > >> > >
    > >> > >How do I unlock or enable the administrator account? I don't mean I
    > >> > >do
    > > I
    > >> > >recover a password, but how do I disable the account locked out flag
    > > that
    > >> > >must be set in the user?
    > >> > >
    > >> > >Thanks.
    > >> > >
    > >> >
    > >>
    > >>
    > >
    > >
    >
    >
  8. Archived from groups: microsoft.public.win2000.security (More info?)

    OK. I was not sure if malware had been detected or if it was assumed. That
    free password reset disk that is common on the internet will enumerate the
    user accounts on a computer and show if an account is locked out/disabled. A
    renamed built in administrator account will show as the new name but the ID
    01F4 by a user name will indicate the built in administrator account which
    may help someone if they are unsure which account is the built in
    administrator account. I have found that going to the \winnt\repair folder
    and copying the sam and security file to \winnt\system32\config folder
    [after backing up/renaming the old] while not running in the operating
    system that you are copying the sam/security file to can return the sam to
    the state of an account not being locked out. Of course if the System State
    has never been backed up that sam will only contain the built in
    administrator account [with original password] and the guest account but it
    could possibly be a way to "unlock" the administrator account, though I
    certainly am not suggesting that is a better solution than rebuilding a
    compromised computer. --- Steve


    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:%23IgWJI47EHA.1408@TK2MSFTNGP10.phx.gbl...
    > They pretty much accepted the advice that
    > a compromised system is a compromised system
    > perhaps always will be --> format + build
    > Those systems did not come up clean to industry
    > anti-malware scans.
    > --
    > Roger
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:3ogBd.594640$wV.566044@attbi_s54...
    >> Scary?? Did you have to reinstall assuming a non domain computer?? ---
    >> Steve
    >>
    >>
    >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    >> news:erCUQb17EHA.2452@TK2MSFTNGP14.phx.gbl...
    >> > My understanding agrees with what you two have expressed.
    >> > I have however seen before a couple times systems (granted,
    >> > all XP) where the built-in had indeed become locked out (not
    >> > disabled) and best we could tell it had been by some malware.
    >> >
    >> > --
    >> > Roger Abell
    >> >
    >> > "Herb Martin" <news@LearnQuick.com> wrote in message
    >> > news:un$5Pyw7EHA.4072@TK2MSFTNGP10.phx.gbl...
    >> >> <somebody@compusmart.ab.ca> wrote in message
    >> >> news:7qs9t09bg0sm91pc83q6bbid0e1b185t0k@4ax.com...
    >> >> > My understanding is that the built-in administrator account cannot
    >> >> > be
    >> >> > locked out at the console, but can be made to follow lockout
    >> >> > policies
    >> >> > for logon attempts over the network. Is this account in fact locked
    >> >> > out at the console?
    >> >>
    >> >> Perhaps he meant network.
    >> >>
    >> >> It makes no sense (even) to allow lockout from the
    >> >> console since this could be a denial of service attack
    >> >> against the admin with no supported way to reset it.
    >> >>
    >> >>
    >> >> --
    >> >> Herb Martin
    >> >>
    >> >>
    >> >> >
    >> >> > What's the status of the guest account? It used to be recommended
    >> >> > to
    >> >> > rename the administrator account for increase security (very little
    >> >> > benefit).
    >> >> >
    >> >> > What's the access to the machine? Could the admin account have been
    >> >> > renamed to something different and a decoy non-admin account given
    > the
    >> >> > name of administrator. In fact, can the guest account be renamed to
    >> >> > administrator (and administrator to guest). Check the status of
    >> >> > the
    >> >> > guest account.
    >> >> >
    >> >> > The SIDs will tell which is which.
    >> >> >
    >> >> > Roger
    >> >> >
    >> >> > "Ed Gregory" <eg@hotmail.com> wrote:
    >> >> >
    >> >> > >I have a Win2000 Pro machine that is allowing the administrator
    >> >> > >account
    >> >> to
    >> >> > >be locked out. I thought that with Win2000, XP, 2003 the
    >> >> > >administrator
    >> >> > >account couldn't be locked out. This comes from MS tech articles.
    >> >> > >The
    >> >> > >user, I guess typed the password incorrect too many times and now
    >> >> > >we
    >> > are
    >> >> > >unable to login with the administrator account. There are only two
    >> >> accounts
    >> >> > >on the system. Administrator and Guest.
    >> >> > >
    >> >> > >How do I unlock or enable the administrator account? I don't mean
    >> >> > >I
    >> >> > >do
    >> > I
    >> >> > >recover a password, but how do I disable the account locked out
    >> >> > >flag
    >> > that
    >> >> > >must be set in the user?
    >> >> > >
    >> >> > >Thanks.
    >> >> > >
    >> >> >
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >
    >
  9. Archived from groups: microsoft.public.win2000.security (More info?)

    Right on, on the use of the reg copies in Repair dir,
    as the copy into active use is precisely part of a ERD
    repair, or OS CD boot to repair, and does reset box
    to point of last System State bkup.
    I have to assume that the binaries are coded to protect
    against the built-in from having its bits set to disabled,
    but the bits are there and if set are obeyed by the other
    binaries (IOW, the binary protect against setting rather
    than against enforcement) - - - just speculation.

    --
    Roger
    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:1HtBd.52891$k25.29610@attbi_s53...
    > OK. I was not sure if malware had been detected or if it was assumed. That
    > free password reset disk that is common on the internet will enumerate the
    > user accounts on a computer and show if an account is locked out/disabled.
    A
    > renamed built in administrator account will show as the new name but the
    ID
    > 01F4 by a user name will indicate the built in administrator account which
    > may help someone if they are unsure which account is the built in
    > administrator account. I have found that going to the \winnt\repair folder
    > and copying the sam and security file to \winnt\system32\config folder
    > [after backing up/renaming the old] while not running in the operating
    > system that you are copying the sam/security file to can return the sam to
    > the state of an account not being locked out. Of course if the System
    State
    > has never been backed up that sam will only contain the built in
    > administrator account [with original password] and the guest account but
    it
    > could possibly be a way to "unlock" the administrator account, though I
    > certainly am not suggesting that is a better solution than rebuilding a
    > compromised computer. --- Steve
    >
    >
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:%23IgWJI47EHA.1408@TK2MSFTNGP10.phx.gbl...
    > > They pretty much accepted the advice that
    > > a compromised system is a compromised system
    > > perhaps always will be --> format + build
    > > Those systems did not come up clean to industry
    > > anti-malware scans.
    > > --
    > > Roger
    > > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > > news:3ogBd.594640$wV.566044@attbi_s54...
    > >> Scary?? Did you have to reinstall assuming a non domain computer?? ---
    > >> Steve
    > >>
    > >>
    > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > >> news:erCUQb17EHA.2452@TK2MSFTNGP14.phx.gbl...
    > >> > My understanding agrees with what you two have expressed.
    > >> > I have however seen before a couple times systems (granted,
    > >> > all XP) where the built-in had indeed become locked out (not
    > >> > disabled) and best we could tell it had been by some malware.
    > >> >
    > >> > --
    > >> > Roger Abell
    > >> >
    > >> > "Herb Martin" <news@LearnQuick.com> wrote in message
    > >> > news:un$5Pyw7EHA.4072@TK2MSFTNGP10.phx.gbl...
    > >> >> <somebody@compusmart.ab.ca> wrote in message
    > >> >> news:7qs9t09bg0sm91pc83q6bbid0e1b185t0k@4ax.com...
    > >> >> > My understanding is that the built-in administrator account cannot
    > >> >> > be
    > >> >> > locked out at the console, but can be made to follow lockout
    > >> >> > policies
    > >> >> > for logon attempts over the network. Is this account in fact
    locked
    > >> >> > out at the console?
    > >> >>
    > >> >> Perhaps he meant network.
    > >> >>
    > >> >> It makes no sense (even) to allow lockout from the
    > >> >> console since this could be a denial of service attack
    > >> >> against the admin with no supported way to reset it.
    > >> >>
    > >> >>
    > >> >> --
    > >> >> Herb Martin
    > >> >>
    > >> >>
    > >> >> >
    > >> >> > What's the status of the guest account? It used to be recommended
    > >> >> > to
    > >> >> > rename the administrator account for increase security (very
    little
    > >> >> > benefit).
    > >> >> >
    > >> >> > What's the access to the machine? Could the admin account have
    been
    > >> >> > renamed to something different and a decoy non-admin account given
    > > the
    > >> >> > name of administrator. In fact, can the guest account be renamed
    to
    > >> >> > administrator (and administrator to guest). Check the status of
    > >> >> > the
    > >> >> > guest account.
    > >> >> >
    > >> >> > The SIDs will tell which is which.
    > >> >> >
    > >> >> > Roger
    > >> >> >
    > >> >> > "Ed Gregory" <eg@hotmail.com> wrote:
    > >> >> >
    > >> >> > >I have a Win2000 Pro machine that is allowing the administrator
    > >> >> > >account
    > >> >> to
    > >> >> > >be locked out. I thought that with Win2000, XP, 2003 the
    > >> >> > >administrator
    > >> >> > >account couldn't be locked out. This comes from MS tech
    articles.
    > >> >> > >The
    > >> >> > >user, I guess typed the password incorrect too many times and now
    > >> >> > >we
    > >> > are
    > >> >> > >unable to login with the administrator account. There are only
    two
    > >> >> accounts
    > >> >> > >on the system. Administrator and Guest.
    > >> >> > >
    > >> >> > >How do I unlock or enable the administrator account? I don't
    mean
    > >> >> > >I
    > >> >> > >do
    > >> > I
    > >> >> > >recover a password, but how do I disable the account locked out
    > >> >> > >flag
    > >> > that
    > >> >> > >must be set in the user?
    > >> >> > >
    > >> >> > >Thanks.
    > >> >> > >
    > >> >> >
    > >> >>
    > >> >>
    > >> >
    > >> >
    > >>
    > >>
    > >
    > >
    >
    >
Ask a new question

Read More

Microsoft Windows