Last week, I received three email messages from readers asking how to recover lost Administrator passwords on their Windows 2000 and Windows NT systems. In each case, passwords were lost because of an employee's departure from the company—apparently, the employees didn't bother to provide the passwords before they left the firms. So why can't the companies simply call the employees to ask for the passwords? Didn't the companies have policies that require employees to return their access credentials (e.g., passwords, smart cards) upon resignation or termination? Apparently not, but you might want to consider implementing such a policy for your employees. It'll save you a lot of time and headaches.
If you configure your Win2K/NT network properly by establishing a good domain model and by applying adequate user policy and security procedures, you should rarely, if ever, become locked out of a given system. At a minimum, you can use the Administrators group to your advantage when establishing logon rights for a system.
However, if your domain security model and related policies have let you become locked out of a system, you have few software options to help you recover or reset a system's local Administrator password. Two of the most popular tools are L0phtCrack from L0pht Heavy Industries and Locksmith (formerly NTLocksmith) from Winternals Software.
Depending on your time constraints, one tool might be preferable to the other, but I suggest you keep both on hand because they operate differently: L0phtCrack actually cracks the Administrator passwords to reveal their current values, and Locksmith resets the passwords to whatever value you choose. Obviously, cracking a lost password with L0phtCrack takes longer than simply resetting the password with Locksmith, so Locksmith should be your choice if time is important. But don't discount L0phtCrack! When cracking passwords, L0phtCrack actually tests password strength: The longer it takes to crack a password, the stronger the password. You don't want weak passwords on your network.
In addition to its password-cracking abilities, L0phtCrack also captures LANMAN password hashes as they travel across the network. The capture ability helps you secure your network by identifying systems that still use LANMAN legacy authentication. Microsoft released NT LAN Manager version 2 (NTLMv2) in Windows NT Service Pack 4 (SP4). NTLMv2 lets you disable LANMAN authentication on a given system. To learn about NTLMv2, be sure to read Randy Franklin Smith's article, "Inside SP4 NTLMv2 Security Enhancements" on our Web site.
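As an added example, not code from this column or from L0pht or Winternals, here is a PowerShell audit that reports whether a system is still willing to send LANMAN responses. It assumes the standard LSA registry value LmCompatibilityLevel and the documented meaning of its levels (neither is named in the article), and it targets a modern PowerShell rather than the NT-era tools discussed above.

```powershell
# Added audit script (assumption: the LSA value LmCompatibilityLevel, REG_DWORD 0-5,
# is the setting that governs LM/NTLM/NTLMv2 use once the SP4 NTLMv2 update is present).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meaning of each level (levels 0 and 1 still put LM responses on the wire)
$levels = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'Send LM and NTLM responses; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; domain controllers refuse LM'
    5 = 'Send NTLMv2 response only; domain controllers refuse LM and NTLM'
}

function Get-LmCompatibilityReport {
    $prop = Get-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the OS default applies (0 on NT 4.0 and Windows 2000, so LM is allowed)
        return [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Level       = 'not set'
            Meaning     = 'OS default applies'
            SendsLanman = 'unknown (check OS default)'
            Recommended = $false
        }
    }
    $level = [int]$prop.LmCompatibilityLevel
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Level       = $level
        Meaning     = $levels[$level]
        # These are the hashes a sniffer such as L0phtCrack's could capture on the network
        SendsLanman = ($level -le 1)
        # Level 3 or higher means the system sends NTLMv2 responses only
        Recommended = ($level -ge 3)
    }
}

Get-LmCompatibilityReport | Format-List
# Remediation, once legacy clients have been checked:
# Set-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -Value 3 -Type DWord
```

Raising the level stops the system from answering LANMAN-only clients, so verify what still depends on LANMAN before changing it and reboot for the new value to take effect.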
Locksmith is the invention of Windows 2000 Magazine contributing editor Mark Russinovich, co-founder of Winternals Software. Locksmith works with Winternals' NTRecover tool to reset a system's Administrator password. To accomplish this task, you connect the inaccessible system to an accessible system (one that you can log on to) via serial cable, and on the inaccessible system boot NTRecover from a 3.5" disk. With NTRecover running on the inaccessible system, run Locksmith on the accessible system to communicate with NTRecover over the serial cable. NTRecover can read and write to a system's NTFS file system, including the registry, which gives Locksmith its ability to reset a system's Administrator password. The process takes only a few minutes.
L0phtCrack costs $100, Locksmith costs $49, and NTRecover costs $189—paltry sums when compared to the cost of system downtime or easily cracked passwords. Consider adding these tools to your security toolkit—I've found them invaluable and I'm sure you will too. Until next time, have a great week!