Reset Windows Server Administrator Password

Using a Different System?

Are we missing a guide for your target system? Request one, or submit your own!

Introduction

Use a bootable rescue ISO if the Windows administrator account password is locked or forgotten. This tutorial is a step-by-step guide to unlock administrator on Windows Server with SystemRescue x64, a self-contained Linux ISO used for many maintenance and rescue tasks. This guide applies to:

Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019

1. Perform a Clean Shutdown

If possible, perform a clean Windows shutdown. When we mount the rescue ISO, you'll reboot the server through the customer portal. If Windows isn't already powered down, you may have issues mounting the disk later in SystemRescue.

2. Make a Backup

Before attempting any rescue, back up your VPS. Vultr offers manual snapshots and automated backups for VPS instances. If you do not have automatic backups enabled, make a manual snapshot. Attempting to rescue a server without a backup is reckless. There is no substitute for a sound backup strategy. You can create a server snapshot in a few clicks in the customer portal.

You are responsible to back up all your mission-critical data, following your local laws and organizational policies. Vultr does not maintain additional backups outside your customer portal.

3. Mount SystemRescue

Navigate to the Server Information page in the customer portal. Select Settings > Custom ISO. Select the SystemRescue ISO, then click Attach ISO and Reboot.

Attach ISO

The server will reboot from the ISO. Connect to the server with the web console to perform the rescue steps. It may take a few moments for you to be able to view your instance console while the server reboots.

BootSRCD

Select "Boot SystemRescue using default options" and press ENTER. Wait for the ISO to boot to a root prompt.

4. Mount the Windows Device

Locate the correct Windows device with fdisk. Look for the main Windows system device. Normally, this will be the NTFS type device with a similar size to the VPS disk. For this tutorial, use /dev/vda2, the 79.5 GB NTFS device.
```
# fdisk -l

Device     Boot   Start       End   Sectors  Size Id Type
/dev/vda1  *       2048   1126399   1124352  549M  7 HPFS/NTFS/exFAT
/dev/vda2       1126400 167770111 166643712 79.5G  7 HPFS/NTFS/exFAT
```
Make a mount point folder.
```
# mkdir /mnt/win
```

Attempt to mount the Windows system disk.

# mount /dev/vda2 /mnt/win

If mount succeeded, skip to the next section. Mount might encounter errors if the system wasn't shut down cleanly in step one.

The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
Falling back to read-only mount because the NTFS 
partition is in an unsafe state. Please resume and
shutdown Windows fully (no hibernation or fast 
restarting.)

If mount encounters errors, as shown above, the Windows device will be mounted read-only. Before we can correct the error, unmount the drive.
```
# umount /dev/vda2
```
With the drive unmounted, run ntfsfix resolve the dirty shutdown error. Replace /dev/vda2 with your partition.
```
# ntfsfix /dev/vda2

...       
NTFS partition /dev/vda2 was processed successfully.
```
After ntfsfix completes, attempt to mount the device.
```
# mount /dev/vda2 /mnt/win
```

5. Unlock the Account

Navigate to the C:\Windows\System32\config folder, which is now mounted in SystemRescue under /mnt/win.
```
# cd /mnt/win/Windows/System32/config/
```

Launch chntpw in interactive mode, using the default Security Account Management (SAM) database.

# chntpw -i SAM

1 - Edit user data and passwords
2 - List groups
    - - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

Enter 1 + ENTER to edit user passwords. A user list will appear.

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  |          |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 01f8 | WDAGUtilityAccount             |        | dis/lock |

Please enter user number (RID) or 0 to exit: [1f4]

Enter the RID number for the account you'd like to edit.

   - - - - User Edit Menu:
   1 - Clear (blank) user password
   (2 - Unlock and enable user account) [seems unlocked already]
   3 - Promote user (make user an administrator)
   4 - Add user to a group
   5 - Remove user from a group
   q - Quit editing user, back to user select
   Select: [q] > 1

Choose an option from the menu. For this tutorial, choose 1 to clear the password.
```
Password cleared!
```
Enter Q to exit the user menu.

Enter Q to exit chntpw.

Hives that have changed:
#  Name
0  <SAM>
Write hive files? (y/n) [n] : y

Enter Y to save the SAM hive.

6. Unmount the Windows Device

Change to the root directory.
```
# cd /
```
Unmount the Windows device.
```
# umount /dev/vda2
```

7. Remove ISO and Reboot

Navigate to the Server Information page in the Customer Portal.
Click Settings.
Click Custom ISO.
Click the large Remove ISO button, which will spawn a popup.
To confirm removal and reboot the VPS, click the Remove ISO button on the popup.

Remove ISO

8. Login and Set a Strong Password.

You must log in to the server through the web console to set a new password. Remote Desktop Protocol (RDP) does not allow login with blank passwords.

Log in with your username, and leave the password field empty. The password reset procedure with SystemRescue completely removes the password.
Click the Send CtrlAltDel button, located in the upper-right of the web console.
Enter a new, strong password for your user account in Windows.

Conclusion

With the password reset, you can resume using Windows as usual.

Want to contribute?

You could earn up to $600 by adding new articles.

Submit your article Request an article

Article