When a Windows Server 2012/2008/2003/2000 machine is prompted to a domain controller (DC), the Directory Services Restore Mode (DSRM) password is created for the local administrator account. This password will be used only when booting into the recovery console or Directory Services Restore Mode. If you forget the DSRM password, you can't use the recovery console nor restore the Active Directory (AD) database.
Luckily there are two simple solutions to a forgotten DSRM password: Ntdsutil and WindowsUnlocker. In this tutorial we'll show you how to use the software to reset / change forgotten Directory Services Restore Mode password in Windows Server 2012/2008/2003/2000 domain controller.
Option 1: Reset DSRM Password with Ntdsutil
- On your machine, select Run from the Start menu, type ntdsutil and click OK.
- At the Ntdsutil command prompt, type set dsrm password.
- At the DSRM command prompt, run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server thanos, enter the following command:
reset password on server thanosTo reset the password on the local machine, specify null as the server name:
reset password on server null
- You'll be prompted twice to enter the new password.
- Type q to exit the DSRM command prompt.
- At the Ntdsutil command prompt, type q to exit.
You can now use the local administrator account to log on to the recovery console or Directory Services Restore Mode using the new password. However, you can only use the Ntdsutil utility to reset DSRM password while logging into domain controller. If you also forgot domain administrator password, then you need to use the method below to change your forgotten DSRM password.
Option 2: Reset DSRM Password with WindowsUnlocker Utility
- You need an alternative computer with internet access to download the WindowsUnlocker utility.
- Unzip the download file, you'll get the pcunlocker.iso file.
- Burn the ISO image file to a CD or USB thumb drive using the ISO2Disc tool.
- Insert your newly burned CD/USB drive into the domain controller and power it up. Set the computer to boot from CD/USB by going into BIOS.
- Once you've gotten it to boot from the CD/USB, the computer will load the system inside the CD/USB drive and launch the WindowsUnlocker utility.
- Click on the Reset Local Admin/User Password option, you'll see the Windows SAM database and local user accounts.
- Choose the local administrator account and click on the Reset Password button.
- It will remove your forgotten DSRM password immediately.
Additionally, you can also use WindowsUnlocker utility to reset forgotten domain administrator password for Windows 2000 / 2003 / 2008 / 2012 Active Directory domain controllers.