Getting into a locked system used by a previous admin


Use a boot CD to reset the local admin password. NToffline or Hiren's usually works.


Thanks! Follow-up question: If said admin has also changed the BIOS password, making it unable to boot from a CD or USB, then I'm pretty much fucked, huh?


Not really, I'd remove the hard drive and mount it to another computer, then do the old rename cmd.exe to osk.exe, place the drive back and boot into the OS and launch the on-screen keyboard to get a SYSTEM shell to reset the local admin password. Doesn't work if the drive is Bitlockered though.
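For defenders, the osk.exe swap described in the comment above can be detected by checking whether the on-screen keyboard binary is byte-identical to the shell. This is an added example, not part of the original thread; the function names are hypothetical and the demo files are constructed stand-ins, not real Windows binaries.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped(system32, watched=("osk.exe",), shells=("cmd.exe",)):
    """Return (watched_name, shell_name) pairs whose contents are identical.

    Names are matched case-insensitively because a Windows volume mounted
    on another OS may expose OSK.EXE, osk.exe or Osk.exe.
    """
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    shell_hashes = {sha256_of(files[s.lower()]): s
                    for s in shells if s.lower() in files}
    hits = []
    for name in watched:
        path = files.get(name.lower())
        if path is None:
            continue  # binary absent: nothing to compare
        match = shell_hashes.get(sha256_of(path))
        if match:
            hits.append((name, match))
    return hits


def demo():
    """Constructed stand-in for System32: tiny fake files, not real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, tampered = Path(tmp, "clean"), Path(tmp, "tampered")
        for d in (clean, tampered):
            d.mkdir()
            (d / "cmd.exe").write_bytes(b"constructed shell bytes")
        (clean / "osk.exe").write_bytes(b"constructed keyboard bytes")
        (tampered / "OSK.EXE").write_bytes(b"constructed shell bytes")
        return find_swapped(clean), find_swapped(tampered)


if __name__ == "__main__":
    print(demo())
```

A hash match only catches a copy of the shell that sits on the same volume, so comparing osk.exe against a known-good hash for that Windows build is the stronger check where one is available.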


There are ways to reset the BIOS password on a device. It varies by model and you will probably need to look up how to do that on your particular model.


Right, sometimes you have to move a jumper and sometimes simply removing the battery and replacing it does it. Just RTFM.


If it’s a BIOS user password, see if there’s a clear CMOS option (desktop motherboards used to have jumpers for this purpose). If it’s encryption pre-boot authentication like Bitlocker, the only thing you can do is wipe the drive and start over.


If you have the Bitlocker recovery password you can unlock the drive that way. If you *don't* have the Bitlocker recovery password then you're doing Bitlocker or admin hiring/firing wrong.


What about pressing F8 during boot with the USB/CD inserted? Even if you don't have it set as a bootable device in the UEFI/BIOS, unless they further locked it down to disable those devices it should prompt you to boot from them.


Maybe you could physically disconnect the hard drive and see if the USB or CD would boot as a second choice? Or bring a hard drive with Linux installed that you could plug in and boot up, and then try to see if the SATA hotswap option is on... or just plug in both disks and change the SATA order... some BIOSes love to change boot order when doing this, hahahaha


There are several. First, why do you need access? Are there files / software you need that you can't get elsewhere?

1. Pull the drive from the computer and read the file system.
2. Restore from backup if possible.
3. Why does it not trust the domain?
4. Do you have an account that can log in? (even unprivileged)


It’s not on the domain? As long as you aren’t locked out by drive encryption, ONTPRE to reset the Administrator password.


Depending on your backups, you could restore the computer object in AD. We have our devices set to be removed from AD after a while of them not being online, but every so often someone brings in a laptop that's been in a drawer for 6 months+ and has critical data on it.


He infected it with a virus to infect other computers, and you can't prove otherwise. Wipe the hard drive and reimage the machine.


Why is this machine still connected to the network?