RADPass is an offline Active Directory password remover.
How to use:
- Reboot a domain controller in Directory Restore mode. If you do not know the
recovery mode password, you can use the Offline NT Password & Registry Editor
to reset it.
- Backup NTDS.DIT.
- Run RADPass.
- Delete all LOG, EDB and CHK files from the %SYSTEMROOT%\NTDS folder. If you
used the %SYSTEMROOT%\NTDS folder as your temporary folder then the tool
cleaned up all these files for you.
- Perform an authoritative restore of the AD database if you have multiple
domain controllers. This will replicate the change to the other controllers.
- Reboot the server. You should be able to log in without a password for the target username.
- Generally you do not need to run this tool on the domain controller. You can just copy the ntds.dit
file to another machine and run it from there by specifying the database path in the parameters.
This works very well with Windows 2000 databases; you can even copy your own esent.dll file
with the ntds.dit file and it should work.
I was unable to open Windows 2003 databases from my XP workstation this way, but other OS combinations might work.
- Make sure you specify the proper OS version of the ntds.dit file; the tool doesn't attempt to guess it.
- I noticed that in certain rare cases the ntds.dit file gets corrupted and the
tool is unable to open it afterwards. Restore from your backup in this case and
try again; it might work.
Offline NT Password & Registry Editor
Unlocking Windows NT/2000 Domain Controllers.