How to recover the Admin password

This is an email I received with some useful information


First, shut down and reboot the machine so that you can gain access to the system's installation directory.  You can use a DOS disk to access a FAT partition's installation directory and NTFSDOS PRO (which is capable of writing to an NTFS partition) to access an NTFS partition's directory.  After you access the installation directory, rename the "logon.scr" as "logon.scr.bak", then copy "" to "logon.scr".  After you reboot the machine and wait about 15 minutes, the system will present you with a DOS prompt.  At this point, you have full administrator access.  Through the command prompt or User Manager, add a new administrator or change the administrator password, rename "logon.scr.back" to "logon.scr" and close the dos window.


One of the NT administrator's worst nightmares is a lost domain
administrator password. There is a widespread myth that it is
impossible to recover from this situation. Actually, it is not that
hard to recover from. You just have to install NT in a different
directory to gain access to the system. You can remove it later and
delete it from the boot.ini, but an emergency boot directory comes in
handy and I usually leave it there.

This process was tested on an NT 4.0 primary domain controller.

Shut the primary domain controller down and load the NT install disks.
If you cannot shut it down gracefully, unplug the network cable and
wait a few minutes before hitting the reset button, and make sure to
chkdsk /f the disks when you are done.

Boot from the NT installation disks. Perform a new install in a
different directory on the system drive. For example, if the existing
system is called C:\WINNT, install in C:\WINEMRG. Boot the system from
C:\WINEMRG. You now have access to your system disk. If necessary, use
an NT boot floppy to start up from C:\WINEMRG.

Copy SRVANY.EXE from the resource kit to C:\TEMP.

Run REGEDT32.EXE. Bring up the HKEY_LOCAL_MACHINE on Local Machine
window and highlight the root (HKEY_LOCAL_MACHINE.) Choose Registry/
Load Hive. In the File Name box, enter: (the ending period is required)
and click Open. At the Key Name prompt enter DomainSystem and click Ok.
Now write down the value of the key:
On my machine it was:

Change this key to C:\TEMP\SRVANY.EXE

Go to the key:
Create two values in the Parameters folder.

Name: Application
Type: REG_SZ

Name: AppParameters
Type: REG_SZ
Value: user Administrator newsecret

where "newsecret" is the domain administrator password you want to set.
You can choose any password.

Now shut the system down and reboot the domain controller. Wait a
minute after the CTRL-ALT-DEL prompt comes up, then logon as domain
administrator with the new password you set above.

Go into REGEDT32.EXE to undo your changes. Remove the values:

Change the value
back to the original you wrote down above. Stop and start the spooler
service to re-enable your printers.

How this process works

By reinstalling in a different directory, you gain access to your files
without destroying your domain controller. The Load Hive command allows you
to load a file into the registry and edit it. We use SRVANY to execute a
"net user" command to change the password when the system starts up. The
LocalSystem account, under which the spooler and most other services runs,
has the power to change a password on the local machine. As far as a domain
controller is concerned, domain accounts are local.

Mike Ingle - NT/Unix/VMS admin -

Backup one step