How to Change the Admin Password on Windows Server

Objective

When you install or reinstall a Windows operating system, you are provided with a password for administrative access. We strongly recommend that you change this initial password. In case you have lost your admin password, it needs to be reset using rescue mode.

This guide will take you through the process of changing your server’s admin password via the available rescue mode configurations for a Windows OS.

Requirements

• a dedicated server with Windows installed in your OVHcloud account
• access to the OVHcloud Control Panel

Topics

• WinRescue
• Rescue Mode

Instructions

The following steps describe the process of changing the local admin password by using Windows PE (WinRescue). Click the "Rescue Mode" link above if you would like to use the OVHcloud Rescue Mode kernel instead.

Resetting the Admin Password Using WinRescue

Step 1: Rebooting the server into rescue mode

The system has to be started in rescue mode before the admin password can be changed. Log in to the OVHcloud Control Panel, go to the Bare Metal Cloud section and select your server from the list in the left-hand navigation under Dedicated Servers.

The netboot needs to be switched to “WinRescue (Rescue System for Windows)”. Look for “Boot” in the General informations box and click on ..., then on Edit. On the ensuing screen, tick Boot in rescue mode and select “WinRescue” from the menu. Specify an email address below if the login credentials should not be sent to your customer account’s primary address. Click on Next and Confirm.

Once the change is completed, click on ... next to “Status” in the box labelled Service status. Select Reboot and the server will restart into rescue mode. This might take a few minutes; you can check the status on the Tasks tab. An email will be sent which contains some information and the login password for the rescue mode’s “root” user.

For more information about rescue mode, please refer to this guide.

Step 2: Clearing the current password

In your OVHcloud Control Panel, navigate to the IPMI tab to open a KVM session.

To reset passwords, the tool NTPWEdit is required. Once you are connected via KVM, open the browser and download it from the official website using the Mozilla ULight browser in WinRescue.

Download the ntpwed07.zip file. Navigate to the folder where the downloaded ZIP file is located and extract the contents. Next, open the ntpwedit64 executable to start the application. Click Open to find the user files.

In this interface, you can manipulate the SAM file in order to clear the admin user’s password. The default file path in the WINDOWS directory is pre-filled. Open the file to display the list of users by clicking on Open.

The relevant user will either be “admin” or “Administrator”, depending on the Windows version. If both are present, choose “admin”. Then click on Change password.

In the popup window, leave the fields blank and click OK. Finish by clicking on Save changes and Exit.

Note: If you experience issues setting your password in the next section, you can try setting it in NTPWEdit instead.

After this, the server needs to be rebooted again.

Step 3: Rebooting the server

First, change the netboot back to Boot from the hard disk in your OVHcloud Control Panel (see step 1).

Back in the KVM window, select the shutdown option Restart via the Windows “Start” button on the bottom left.

Step 4: Setting a new password (IPMI)

In your OVHcloud Control Panel, navigate to the IPMI tab to open a KVM session.

Step 4.1: For a newer version of Windows

Once you have accessed your server through IPMI, click the hourglass on the bottom-left. Begin to type "Sign-in options" and click on Sign-in options once it pops up.

Next, click the Add button under "Password" to set your new password.

Step 4.2: For an older version of Windows

A command line window (cmd) should open when the KVM session is established.

Set the password for the current user (“Administrator”):

net user Administrator *

Resetting the Admin Password Using Rescue Mode

Step 1: Rebooting the server into rescue mode

The system has to be started in rescue mode before the admin password can be changed. Log in to the OVHcloud Control Panel, go to the Bare Metal Cloud section and select your server from the list in the left-hand navigation under Dedicated Servers.

The netboot needs to be switched to “rescue64-pro (Customer rescue system (Linux))”. Look for “Boot” in the General informations box and click on ..., then on Edit.
On the ensuing screen, tick Boot in rescue mode and select “rescue64-pro” from the menu. Specify an alternative email address below if you do not want the login credentials sent to your customer account’s primary address.
Click on Next and Confirm.

Once the change is completed, click on ... next to “Status” in the box labelled Service status. Select Restart and the server will restart into rescue mode.
This might take a few minutes; you can check the status on the Tasks tab. An email will be sent which contains some information and the login password for the rescue mode’s “root” user.

For more information about rescue mode, please refer to this guide.

Step 2: Mounting the system partition

Connect to your server via SSH. (Consult the SSH introduction guide if necessary.) Since it is a Windows server, you will see partitions labelled “Microsoft LDM data”.

# fdisk -l
Disk /dev/sda: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 54A5B25A-75B9-4355-9185-8CD958DCF32A

Device          Start        End    Sectors  Size Type
/dev/sda1        2048     718847     716800  350M EFI System
/dev/sda2      718848     720895       2048    1M Microsoft LDM metadata
/dev/sda3      720896     980991     260096  127M Microsoft reserved
/dev/sda4      980992 3907028991 3906048000  1.8T Microsoft LDM data
/dev/sda5  3907028992 3907029134        143 71.5K Microsoft LDM data

In the example output, “sda4” must be the (file) system partition, as determined by its size. Usually, there is a mirrored second output which in this case would be “/dev/sdbX“. That is because in most cases, the server will have multiple disks with identical partition schemes. For the password reset process, only the first one is important. Next, mount this partition:

# mount /dev/sda4 /mnt

Verify the mountpoint:

# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sdb      8:16   0  1.8T  0 disk
├─sdb4   8:20   0  1.8T  0 part
├─sdb2   8:18   0    1M  0 part
├─sdb5   8:21   0 71.5K  0 part
├─sdb3   8:19   0  127M  0 part
└─sdb1   8:17   0  350M  0 part
sda      8:0    0  1.8T  0 disk
├─sda4   8:4    0  1.8T  0 part /mnt
├─sda2   8:2    0    1M  0 part
├─sda5   8:5    0 71.5K  0 part
├─sda3   8:3    0  127M  0 part
└─sda1   8:1    0  350M  0 part

In the example above, the operation succeeded. If the mounting failed, you might receive an error message like this:

The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
Failed to mount '/dev/sda4': Operation not permitted
The NTFS partition is in an unsafe state. Please resume and shutdown
Windows fully (no hibernation or fast restarting), or mount the volume
read-only with the 'ro' mount option.

In this case, use the following command and then try to mount again.

# ntfsfix /dev/sda4
# mount /dev/sda4 /mnt

Step 3: Clearing the current password

This step involves manipulating the SAM file with a tool to clear the admin user’s password. Change to the appropriate directory and list the Windows users:

# cd /mnt/Windows/System32/config
/mnt/Windows/System32/config# chntpw -l SAM

chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 8 pages (+ 1 headerpage)
Used for data: 359/39024 blocks/bytes, unused: 33/18064 blocks/bytes.

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | admin                          | ADMIN  | dis/lock |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 01f8 | WDAGUtilityAccount             |        | dis/lock |

If the command does not work, install the tool first: apt get install chntpw.

Clear the password for the admin user with the following command. (Choose “Administrator” if “admin” does not exist.)

# chntpw -u admin SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 8 pages (+ 1 headerpage)
Used for data: 361/39344 blocks/bytes, unused: 35/13648 blocks/bytes.

================= USER EDIT ====================

RID     : 1000 [03e8]a
Username: admin
fullname:
comment :
homedir :

00000221 = Users (which has 3 members)
00000220 = Administrators (which has 2 members)

Account bits: 0x0010 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[ ] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total  login count: 5

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] >

Type “1” and press Enter (“↩”). (Make use of option 2 first if there is an “X” next to “Disabled”.)

Select: [q] > 1
Password cleared!
================= USER EDIT ====================

RID     : 1000 [03e8]
Username: admin
fullname:
comment :
homedir :

00000221 = Users (which has 3 members)
00000220 = Administrators (which has 2 members)

Account bits: 0x0010 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[ ] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total  login count: 5
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] >

Type “q” and press Enter to quit the tool. Type “y” when prompted and press Enter.

Select: [q] > q

Hives that have changed:
 #  Name
 0  <SAM>
Write hive files? (y/n) [n] : y
 0  <SAM> - OK

Step 4: Rebooting the server

First, change the netboot back to Boot from the hard disk in your OVHcloud Control Panel (see step 1).

Back in the CLI, unmount the partition and restart the server with these commands:

# cd
# umount /mnt
# reboot

Broadcast message from root@rescue.ovh.net on pts/0 (Wed 2020-05-27 11:28:53 CEST):

The system is going down for reboot NOW!