Archive for the ‘Active Directory Password’ category

Easy Ways to Find BitLocker Recovery Key from Active Directory

April 19th, 2019 by Admin

BitLocker is prompting for a recovery key and you lost it? Applying the GPO to store BitLocker recovery password in Active Directory is a good practice for companies when data security is a concern. In this tutorial we’ll show you different ways to find BitLocker recovery key/password from Active Directory or Azure AD.

Method 1: Find BitLocker Recovery Key in AD Using PowerShell

  1. Press the Windows key + X and then select “Windows PowerShell (Admin)” from the Power User Menu.

  2. Copy and paste the following script into the PowerShell console and hit Enter. Substitute “PCUnlocker” with the name of the computer you want to locate BitLocker recovery key for.

    $objComputer = Get-ADComputer PCUnlocker
    $Bitlocker_Object = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $objComputer.DistinguishedName -Properties 'msFVE-RecoveryPassword'
    $Bitlocker_Object

  3. It will retrieve all details from the ‘msFVE-RecoveryInformation‘ objects attached to your target computer. The msFVE-RecoveryPassword item is the BitLocker recovery key you’re looking for.

Method 2: Using BitLocker Recovery Password Viewer Utility

If you’ve enabled the BitLocker Recovery Password Viewer feature in Active Directory, it’s pretty simple to retrieve BitLocker recovery key for any computer in AD. Follow these steps:

  1. After opening the Active Directory Users and Computers snap in, expand your domain and click the Computers container. Right-click on your target computer object and select Properties.

  2. Go to the Bitlocker Recovery tab, you can view all BitLocker recovery keys that were automatically backed up to AD.

If you know the first 8 digits of the Password ID, here’s how to search your BitLocker recovery keys:

  1. Right-click on your domain in the left pane of Active Directory Users and Computers snap in, and then select Find BitLocker recovery password.

  2. Enter the first 8 characters of Password ID and click on Search.

  3. It will locate the matching BitLocker recovery keys that are stored in your Active Directory.

Method 3: Locate BitLocker Recovery Key in Azure AD

Once the BitLocker recovery key is backed up to Azure AD, users can find their own keys in the Profile section after signing into https://account.activedirectory.windowsazure.com/profile/. Administrators can log in to https://account.activedirectory.windowsazure.com/n/#/devices, select the appropriate device, and click View Details to get the BitLocker recovery key.

Use GPO to Automatically Save BitLocker Recovery Key in Active Directory

April 17th, 2019 by Admin

As a system administrator, you may find it’s difficult to keep track of BitLocker recovery keys for all computers in company network, especially when number of machines is more than 100. In this tutorial we’ll show you how to set the group policy to automatically backup BitLocker recovery information to Active Directory, so you can centrally manage the recovery keys/passwords in one place.

How to Configure GPO to Automatically Save BitLocker Recovery Key to AD

  1. Click the Search icon in the taskbar and type “group policy“. You can then click Group Policy Management to launch it.

  2. Now in the left pane of Group Policy Management, right-click your AD domain and select “Create a GPO in this domain, and Link it here…” from the menu.

  3. In the New GPO dialog, give the GPO a name and click OK.

  4. Right-click the newly-created GPO in the left pane, and select Edit.

  5. Browse to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption, and then double-click the policy “Store BitLocker recovery information in Active Directory Domain Services“.

  6. Set the policy to Enabled. Make sure the “Require BitLocker backup to AD DS” option is checked, and select to store both recovery passwords and key packages.

  7. Next, expand BitLocker Drive Encryption in the left pane. You’ll see three nodes: Fixed Data Drives, Operating System Drives, Removable Data Drives. Just select Fixed Data Drives and double-click the policy “Choose how BitLocker-protected fixed drives can be recovered“.

  8. Set it to Enabled. Check the options “Save BitLocker recovery information to AD DS for fixed drives” and then click OK.

  9. Go to the “Operating System Drives” node and turn on the similar policy “Choose how BitLocker-protected operating system drives can be recovered“. Afterwards, go to the “Removable Data Drives” node and enable the policy “Choose how BitLocker-protected removable drives can be recovered“.
  10. When any client PC retrieves the policy changes, BitLocker recovery information will be automatically and silently backed up to AD DS when BitLocker is turned on for fixed drives, OS drives or removable drives.

Manually Backup BitLocker Password to AD with PowerShell

If you have enabled BitLocker prior to configuring the above GPO policy, you can use PowerShell cmdlets to manually upload the BitLocker recovery key to Active Directory. Follow these steps:

  1. When your BitLocker-protected drive is unlocked, open PowerShell as administrator and type this command:
    manage-bde -protectors -get D:

    What you need to take note of is the Numerical Password ID.

  2. Next, type the following command to backup your BitLocker recovery password to Active Directory. Remember you have to use the Numerical Password ID obtained on the previous step.
    manage-bde -protectors -adbackup D: -id {CAF6FEF0-7C98-4D6A-B80F-7BE63C033047}

  3. When that completes, you will receive the message “Recovery information was successfully backed up to Active Directory.

2 Methods to Install BitLocker Recovery Password Viewer for Active Directory

April 16th, 2019 by Admin

BitLocker Recovery Password Viewer tool is an optional feature included with Windows Server 2008 – 2019, which lets you store and view BitLocker recovery keys in AD for all client computers. By default, this feature is not installed and BitLocker Recovery tab in ADUC is missing. In this tutorial we’ll show you 2 methods to install BitLocker Recovery Password Viewer for Active Directory in Windows Server 2008/2012/2016/2019.

Method 1: Install BitLocker Recovery Password Viewer Using Server Manager

  1. Open Server Manager and click on “Add roles and features“.

  2. Click Next through the wizard until you get to the Server Roles page. Make sure “Active Directory Domain Services” is checked.

  3. In the Features page, check the “BitLocker Drive Encryption” feature.

    For Windows Server 2008, you need to expand Remote Server Administration Tools –> Feature Administration Tools and check the option for “BitLocker Drive Encryption Administration Utilities

  4. If you’re prompted to confirm adding features that are required for BitLocker Drive Encryption, click on Add Feature button.

  5. Once completing the wizard, take a look at the Computer Properties dialogue box in Active Directory Users And Computers, you’ll see the BitLocker Recovery tab.

Method 2: Install BitLocker Recovery Password Viewer Using PowerShell

If you need to install BitLocker Recovery Password Viewer on a server running Windows Server Core, try this method:

  1. Press the Windows key + X or right-click on the Start button to open the context menu, then select Windows PowerShell (Admin).

  2. Run the following command to add the optional “BitLocker Drive Encryption” feature:
    Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools

  3. When it’s done, you’ll be prompted to restart your server to finish the installation process.

Set Password to Never Expire for Domain Accounts in Windows Server

August 12th, 2017 by Admin

Can’t change password after domain user password expired? AD password expires while user is away? By default, domain users are required to change their passwords every 42 days, as defined by domain password policy. If you find those password expiry notices annoying, you can set password to never expire for domain accounts in Windows Server 2016, 2012, 2008, 2003.

Before getting started, you can check when your domain account password is going to expire. Just open the Command Prompt as administrator, type the following command and press Enter.

net user domain_account_name /domain

This will display your account information, including when you last changed your password, and when it expires.

Method 1: Set Domain Account Password to Never Expire via GUI

  1. Press the Windows logo key + R, type dsa.msc and press Enter to open Active Directory Users and Computers Snap-in.
  2. Expand your domain and click Users in the left pane, you’ll see a list of domain accounts on your server. Double-click on the user you would like to update.

  3. In the Properties dialog, click the Account tab and check “Password never expires” under the Account options section.

  4. Click Apply and then OK. Now you’ve successfully disabled the annoying expiration of passwords!

Method 2: Set Domain Account Password to Never Expire via PowerShell

  1. click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
  2. After importing Active Directory module in Powershell, you can type the following script to set your domain password to never expire. Replace pcunlocker with the name of your domain account.

    Set-LocalUser -Name "pcunlocker" -PasswordNeverExpires 1

Method 3: Set Domain Account Password to Never Expire via Command Prompt

Open the Command Prompt as Administrator. Type the following command and press Enter. Note: Replace “pcunlocker” with your account name, and adjust the domain name accordingly.

dsmod user "CN=pcunlocker,CN=Users,DC=corp,DC=top-password,DC=com" -pwdneverexpires yes

This would set the password of the domain account “pcunlocker” to never expire.

If you want to disable the password expiration for all accounts in Active Directory, type:

dsquery user "CN=Users,DC=corp,DC=top-password,DC=com" | dsmod user -pwdneverexpires yes

Method 4: Set Password to Never Expire for All Accounts Using Domain Group Policy

  1. Click the Start button, point to Administrative Tools and then click Group Policy Management.
  2. In the console tree, expand the Forest and then Domains. Select the domain for which the password policies have to be set. Right-click Default Domain Policy and select Edit.

  3. It will open Group Policy Management Editor. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy, then double-click the “Maximum password age” setting in the right pane.

  4. In the Security Policy Setting tab, make sure the “Define this policy setting” option is checked, and specify that passwords never expire by setting the number of days to 0.

  5. Click Apply and then OK.

Actually, there is much simpler way to modify the “Maximum password age” settings for your default domain policy. Just open the Command Prompt as Administrator, and type:

net accounts /maxpwage:unlimited /domain

Now, all the domain accounts won’t be required to change password ever. If you’re locked out of Windows Server and can’t log on with any domain administrator, then you need to use the AD password utility – PCUnlocker. It can help you reset forgotten Active Directory password and unlock a disabled/expired/locked domain account.

Fix: “User must change password at next logon” option greyed out in Windows

December 29th, 2016 by Admin

When you try to change or reset the password of a user account, you might find the checkbox “User must change password at next logon” is greyed out, so you can’t choose this option.

user-must-change-password-next-logon

In this tutorial we’ll show you how to enable the “User must change password at next logon” option that is greyed out for Windows local or domain user account.

For Windows Local Accounts:

Open the Computer Management. Expand System Tools, then Local Users and Groups, then Users. Right-click on your local account and select Properties from the context menu.

local-account-properties

This will open the Properties dialog box. Uncheck the “Password never expires” box and you’ll then find the “User must change password at next logon” option is enabled. Click Apply and then OK.

windows-password-never-expires

For Active Directory User Accounts:

In Windows Server with Active Directory installed, open the Active Directory Users and Computers MMC snap-in (start->run->dsa.msc). Right-click on your domain user and select Properties.

domain-account-properties

Click the Account tab. Under the Account options section, uncheck the “Password never expires” checkbox and click OK.

domain-password-never-expires

Now you should be able to reset the password and force the domain user to change it at next login.

Force All AD User Accounts to Change Passwords at Next Logon

April 3rd, 2014 by Admin

How can I force domain user account to change password at the next logon? Simply open Active Directory Users and Computers MMC snap-in (DSA.MSC) by selecting Start -> Administrative Tools -> Active Directory Users and Computers, and locate your desired AD user. Right-click on the account and select Properties. To force the account to change password, just tick the “User must change password at next logon” checkbox.

force-domain-user-to-change-password

Now you might ask: Is there a way of doing this for all users in a single OU? In this post I will show how to use a simple Powershell script to force all AD user accounts to change their password at next logon.

Tips: If you forgot the AD administrator password and get locked out of your domain controller, you can reset the password by booting your server to PCUnlocker Live CD.

How to Force All AD User Accounts to Change Passwords at Next Logon?

Click Start and then navigate to All Programs -> Accessories -> Windows PowerShell. Right-click Windows PowerShell, and select Run as administrator from the context menu.

Using both Get-ADUser and Set-ADUser commands you can force all domain user accounts in a OU to change their passwords at next logon. For this demo I’m using IT OU. The fully qualified domain name of our Windows domain is corp.top-password.com.

active-directory-users

The following command will force all users in the IT department to change password on login.
Get-ADUser -Filter * -SearchBase “OU=IT,DC=corp,DC=top-password,DC=com” | Set-ADUser -ChangePasswordAtLogon:$true

windows-powershell

However, this might cause some AD users to be locked of their computers if the “User Cannot Change Password” attribute is set. To avoid such problem, It’s better to also disable both “User Cannot Change Password” and “Password never expires” attributes.

Get-ADUser -Filter * -SearchBase “OU=IT,DC=corp,DC=top-password,DC=com” | Set-ADUser -CannotChangePassword:$false -PasswordNeverExpires:$false -ChangePasswordAtLogon:$true

After executing the PowerShell command and all your users will be forced to change their own password on their next restart. If you don’t allow the AD users to set a blank password, you can then set up a group policy for your own purpose, by following the steps described in our previous post: How to Change Active Directory Password Policy in Windows Server 2008.

How to Reset Windows Small Business Server Password After Forgotten

March 28th, 2014 by Admin

Forgot the administrator password on Windows Small Business Server (SBS)? If you can’t log on with other administrator-level account, you’re unable to change or reset the password. So if you’re confronted with this situation where you essentially have no control over your server. What do you do at this point?

Forgot Windows SBS password

In this tutorial we’ll show you how to reset Windows SBS 2011 / 2008 / 2003 password when you lost or forgot the administrator password. Because we could not log into SBS as admin, so it’s impossible to install any software on your computer to hack into the Security Account Manager (SAM). Fortunately, with the PCUnlocker boot CD you can circumvent Windows security restrictions and reset SBS administrator password directly.

How to Reset Windows Small Business Server Password After Forgotten?

Before you can reset SBS password, you need to make a PCUnlocker boot CD using another computer with internet connection. Next boot Windows Small Business Server from the CD and it enables you to reset a lost local admin / domain admin password easily. Here are detailed instructions:

  1. Download the PCUnlocker program from http://www.top-password.com. The download file is a zipped ISO image file. Double-click the zip file and the system will display all the contents in a new window. Just drag the pcunlocker.iso file from that window to your desktop or another location you can find easily.
  2. Burn the ISO image to an empty CD (or USB flash drive) using the freeware ISO2Disc, BurnCDCC or ImgBurn program.
  3. Connect the CD you’ve burned to your locked computer that you want to reset Windows SBS password on. Turn on the computer and change the boot order in BIOS. Make sure the CD/DVD drive is the first boot device.
  4. After booting from the CD, you’ll see the WinPE operating system start. Just about half a minute later, you’ll see the PCUnlocker program. It displays all your Windows user accounts. If you need to reset domain user password, please click on the “Reset Active Directory Password” option.
  5. Choose a user account and click on “Reset Password” button. The program will unlock / reset your forgotten user password immediately.
  6. Click on Restart. Take out the CD from the computer. Now you can log back into your Windows Small Business Server (SBS) using a blank/empty password.

PCUnlocker: Unlock Any Computer without A Password

August 29th, 2013 by Admin

Whether you forgot Windows login password or your administrator account got locked out or disabled accidentally, there is a simple way to unlock your computer without a password. Here we’ll get you through the process of unlocking any password protected computer with PCUnlocker Live CD.

How to Unlock Any Computer without A Password?

Step #1: First, you are required to create a PCUnlocker Live CD from another computer that you have access to. This can be your work PC, or a friend or family member’s PC (any PC within your reach). Download the ISO image of PCUnlocker and burn it to a blank CD or DVD using ISO2Disc program. If you don’t have a CD burner, A USB flash drive can also be used to make a bootable PCUnlocker USB drive.

Step #2: Next thing is, insert the PCUnlocker Live CD into your own machine and boot the computer from it. Before that ensure you haven’t set your BIOS to boot from any other drive than the optical one. After successfully booting from PCUnlocker Live CD, it will load the operating system that is installed on the CD drive.

Step #3: When the boot process is complete, it will start the PCUnlocker program. This program automatically searches your Windows installations and displays all user accounts existing in Windows SAM registry file. In the list box, you can also find out which user account is password protected, disabled or locked out.

Step #4: Choose one of your user accounts and click on “Reset Password” button. The program will remove the account password, and also change the properties of your user account so it is enabled, unlocked and never expired. It will also turn off the logon hours restriction and fix the local security policy that may prevent you from logging in.

Step #5: Restart the computer and remove the Live CD. The account that you’re trying to regain access to will no longer require a password. Quickly regain access to a password-protected computer without a password! No need to start over with a fresh Windows installation when you are locked out of your computer.

Conclusion

With PCUnlocker Live CD you can reset forgotten computer passwords for both local administrator accounts and Active Directory user accounts. It works on all versions of Windows systems, including Windows 8 and Windows Server 2012. Besides the features mentioned above, PCUnlocker can also help you promote standard or limited user account to administrator, reset Windows 8 Microsoft account password, and more.