Microsoft Active Directory: 9 best tools to reset passwords
/!\ This is for educational purposes only, and should not be used for unauthorized access or tampering, or on systems accessed illegally without the owner's permission.
Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.
These 9 tools will help you to reset the passwords, or dump the password hashes, of almost all Microsoft Active Directory domains.
The famous Offline Windows Password & Registry Editor supports every Windows version from NT 3.5 to Windows 10, 32- and 64-bit, and the Server versions from 2003 onward.
Official Windows DVD
For Server 2008, see the walkthrough at http://www.youtube.com/watch?v=Ar-VoO9ogHc
The tool RADPass is an offline Active Directory password remover.
How to use:
- Reboot a domain controller in Directory Restore mode.
- Backup NTDS.DIT.
- Run RADPass.
- Delete all LOG, EDB and CHK files from the %SYSTEMROOT%\NTDS folder. If you used the %SYSTEMROOT%\NTDS folder as your temporary folder, the tool cleaned up all these files for you.
- Perform an authoritative restore of the AD database if you have multiple domain controllers. This will replicate the change to the other controllers.
- Reboot the server. You should be able to log in without a password for the target username.
The tool SHEdit is an offline editor for the SID History Active Directory attribute. It bypasses the limitation built into the DsAddSidHistory API, allowing an administrator in any domain to access any other domain in the forest as any user.
How to use:
- Get the SID for a user in the target domain.
- Reboot a domain controller in Directory Restore mode.
- Backup NTDS.DIT (optional but recommended).
- Run SHEdit.
- Delete all LOG, EDB and CHK files from the %SYSTEMROOT%\NTDS folder. If you used the %SYSTEMROOT%\NTDS folder as your temporary folder, the tool cleaned up all these files for you.
- Perform an authoritative restore of the AD database if you have multiple domain controllers. This will replicate the change to the other controllers.
- Reboot the server. You should have the desired access on the target domain.
- Use the ClearSIDHistory.vbs script to delete the SID History attribute.
The tool RevDump dumps passwords stored using reversible encryption. It applies to Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1 and Windows Server 2003 with SP2.
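Both SHEdit and RevDump rely on attribute state a domain owner can audit: a populated sIDHistory and the reversible-encryption flag in userAccountControl. The following is an added audit script, not part of the original post or of either tool; it assumes the RSAT ActiveDirectory module is installed and the caller can read user attributes.

```powershell
# Added example: find accounts that carry a SID History entry (the attribute SHEdit
# rewrites offline) and accounts whose password is kept with reversible encryption
# (the storage RevDump reads). Assumes RSAT's ActiveDirectory module; run from a
# domain-joined host as a user allowed to read these attributes.
Import-Module ActiveDirectory

# Accounts with at least one value in sIDHistory. Each value is a SecurityIdentifier;
# .Value gives the textual S-1-5-... form.
$sidHistory = @(Get-ADUser -Filter 'sIDHistory -like "*"' -Properties sIDHistory |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name = 'SIDHistory'
           Expression = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ';' } })

# Accounts with ENCRYPTED_TEXT_PWD_ALLOWED (0x80 = 128) set in userAccountControl,
# matched with the LDAP bitwise-AND rule so the check is independent of other flags.
$reversible = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object SamAccountName, DistinguishedName)

"Accounts with SID History: $($sidHistory.Count)"
$sidHistory | Format-Table -AutoSize

"Accounts with reversible encryption enabled: $($reversible.Count)"
$reversible | Format-Table -AutoSize

# Export both lists so each entry can be reviewed and, where unjustified, cleared
# (the page's ClearSIDHistory.vbs, or Set-ADUser -AllowReversiblePasswordEncryption $false).
$sidHistory | Export-Csv -Path .\sidhistory-audit.csv -NoTypeInformation
$reversible | Export-Csv -Path .\reversible-audit.csv -NoTypeInformation
```

Note that a password only becomes readable with reversible encryption after it is next changed while the flag is set, so clearing the flag should be followed by a password reset for the affected accounts.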
ESE db viewer
ESEdbViewer is a viewer for Extensible Storage Engine (ESE) databases. ESE, also known as JET Blue, is an Indexed Sequential Access Method (ISAM) data storage technology from Microsoft, and one of the least known yet most widely distributed database engines on Windows.
ESE is notably the core of Microsoft Exchange Server and Active Directory. Its purpose is to allow applications to store and retrieve data via indexed and sequential access. Windows Mail and Desktop Search on Windows Vista also make use of ESE to store indexes and property information respectively.
The tool libesedb is a library and set of tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in many different applications such as Windows Search, Windows Mail, Exchange, Active Directory, etc.
The libesedb package contains the following tools:
- esedbexport, which exports the items stored in ESE database files.
- esedbinfo, which shows the information about ESE database files.
fgdump / pwdump6
! Not antivirus friendly !
The tool fgdump (doc & usage) or pwdump6 can dump password hashes from Windows Server 2000 and 2003 Active Directory.
Bulk Password Control
The tool Bulk Password Control lets you reset passwords for large numbers of Active Directory user accounts. Using its password generator, a different password can be set for each user account, or you can choose to use the same password for all accounts. Bulk Password Control can also be used to enable, disable and unlock user accounts. If the additional Bulk Modify tool is installed, you can also use Bulk Password Control to modify further user attributes.
Some links to go further:
- http://www.jms1.net/nt-unlock.shtml : reset the Domain Admin Password under Windows NT/2000 Server.
- http://www.nobodix.org/seb/win2003_adminpass.html : reset the Domain Admin Password under Windows 2003 Server.