This is an email I received with some useful information.
METHOD 1
First, shut down and reboot the machine so that you can gain access to the system's installation directory. You can use a DOS disk to access a FAT partition's installation directory and NTFSDOS PRO (which is capable of writing to an NTFS partition) to access an NTFS partition's directory. After you access the installation directory, rename "logon.scr" to "logon.scr.bak", then copy "command.com" to "logon.scr". After you reboot the machine and wait about 15 minutes, the system will present you with a DOS prompt. At this point, you have full administrator access. Through the command prompt or User Manager, add a new administrator or change the administrator password, rename "logon.scr.bak" back to "logon.scr" and close the DOS window.
METHOD 2
One of the NT administrator's worst nightmares is a lost domain administrator password. There is a widespread myth that it is impossible to recover from this situation. Actually, it is not that hard to recover from. You just have to install NT in a different directory to gain access to the system. You can remove it later and delete it from the boot.ini, but an emergency boot directory comes in handy and I usually leave it there.
This process was tested on an NT 4.0 primary domain controller.
Shut the primary domain controller down and load the NT install disks. If you cannot shut it down gracefully, unplug the network cable and wait a few minutes before hitting the reset button, and make sure to chkdsk /f the disks when you are done.
Boot from the NT installation disks. Perform a new install in a different directory on the system drive. For example, if the existing system is called C:\WINNT, install in C:\WINEMRG. Boot the system from C:\WINEMRG. You now have access to your system disk. If necessary, use an NT boot floppy to start up from C:\WINEMRG.
Copy SRVANY.EXE from the resource kit to C:\TEMP.
Run REGEDT32.EXE. Bring up the "HKEY_LOCAL_MACHINE on Local Machine" window and highlight the root (HKEY_LOCAL_MACHINE). Choose Registry / Load Hive. In the File Name box, enter (the ending period is required):
C:\WINNT\SYSTEM32\CONFIG\SYSTEM.
and click Open. At the Key Name prompt enter DomainSystem and click OK.
Now write down the value of the key:
HKEY_LOCAL_MACHINE\DomainSystem\ControlSet001\Services\Spooler\ImagePath
On my machine it was:
%SystemRoot%\system32\spoolss.exe
Change this key to C:\TEMP\SRVANY.EXE
Go to the key:
HKEY_LOCAL_MACHINE\DomainSystem\ControlSet001\Services\Spooler\Parameters
Create two values in the Parameters folder.
Name: Application
Type: REG_SZ
Value: C:\WINNT\SYSTEM32\NET.EXE
Name: AppParameters
Type: REG_SZ
Value: user Administrator newsecret
where "newsecret" is the domain administrator password you want to set. You can choose any password.
Now shut the system down and reboot the domain controller. Wait a minute after the CTRL-ALT-DEL prompt comes up, then log on as domain administrator with the new password you set above.
Go into REGEDT32.EXE to undo your changes. Remove the values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters\Application
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters\AppParameters
Change the value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath
back to the original you wrote down above. Stop and start the spooler service to re-enable your printers.
How this process works
======================
By reinstalling in a different directory, you gain access to your files without destroying your domain controller. The Load Hive command allows you to load a file into the registry and edit it. We use SRVANY to execute a "net user" command to change the password when the system starts up. The LocalSystem account, under which the spooler and most other services run, has the power to change a password on the local machine. As far as a domain controller is concerned, domain accounts are local.
Mike Ingle - NT/Unix/VMS admin - inglem@adnetsol.com
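The mechanism explained under "How this process works" (a LocalSystem service's ImagePath redirected to SRVANY, with Parameters\Application and AppParameters pointing at NET.EXE) is also what an administrator would look for when checking whether a domain controller has been through this procedure. The following Python script is an added example, not part of the email: it parses a REGEDIT4-style export of the Spooler key and flags that pattern under any control set or loaded-hive name. The export text is constructed, and the expected ImagePath is the stock value the author recorded on his machine.

```python
import re
EXPECTED_IMAGEPATH = r"%SystemRoot%\system32\spoolss.exe"  # stock NT 4.0 value from the email

# Constructed REGEDIT4 export (not a real capture): the Spooler key after the
# SRVANY redirection from METHOD 2, with the password redacted.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"ImagePath"="C:\\TEMP\\SRVANY.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler\Parameters]
"Application"="C:\\WINNT\\SYSTEM32\\NET.EXE"
"AppParameters"="user Administrator <redacted>"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_path: {name: value}} for REG_SZ values (dword:/hex: skipped)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _STR_VALUE_RE.match(line)
        if current is not None and value_match:
            # REGEDIT4 escapes backslashes and quotes with a backslash.
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in value_match.groups())
            keys[current][name] = value
    return keys

def audit_spooler(keys):
    """Flag the SRVANY / 'net user' pattern under any control set or loaded hive."""
    findings = []
    for path, values in keys.items():
        if re.search(r"\\Services\\Spooler$", path, re.IGNORECASE):
            image = values.get("ImagePath", "")
            if image.lower() != EXPECTED_IMAGEPATH.lower():
                findings.append(f"ImagePath is {image!r}, expected {EXPECTED_IMAGEPATH!r}")
        elif re.search(r"\\Services\\Spooler\\Parameters$", path, re.IGNORECASE):
            app = values.get("Application", "")
            args = values.get("AppParameters", "")
            if app:
                findings.append(f"SRVANY-style Parameters\\Application: {app!r}")
            if app.lower().endswith("net.exe") and args.lower().startswith("user "):
                findings.append("Spooler would run 'net user' at boot (password reset pattern)")
    return findings
```

Running audit_spooler(parse_reg_export(SAMPLE_EXPORT)) yields three findings for the constructed export and none for a key whose ImagePath still points at spoolss.exe, whether it sits under CurrentControlSet or under a hive loaded as DomainSystem.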