It is extremely important that you reset the Administrator password AND replace the sethc.exe after completing the swap. Otherwise, someone with IPMI access to the machine could gain Administrator access.
Here are the steps:
1. Over IPMI, mount a Windows Server 2012 R2 installation disk (this can be found on the Microsoft TechNet Evaluation Center)
2. Reboot the server
3. Select Boot from CD/DVD media and start the Windows Server boot process
4. Select a language, then Repair your computer -> Troubleshoot -> Command Prompt
5. Locate the Windows installation drive (C, D or another letter depending on installation type)
6. Copy sethc.exe to a backup location
7. Replace sethc.exe with cmd.exe
8. Reboot the server
9. At the login screen, hit the SHIFT key five to ten times (you can use the virtual keyboard for this)
10. Use the following command (replace <password> with a temporary password) to reset the Administrator password:
    net user Administrator <password>
11. Log in using the temporary password
12. Reset the password from the Windows Server environment
13. Replace sethc.exe with the backed-up version.
Key commands for steps 6 and 7 (the d:\ may be c:\ or something else, based on what you found in step 5):
copy d:\windows\system32\sethc.exe d:\windows\system32\sethc-old.exe
copy d:\windows\system32\cmd.exe d:\windows\system32\sethc.exe
Key commands for step 13:
copy c:\windows\system32\sethc-old.exe c:\windows\system32\sethc.exe
This is all you need to get back into a Windows Server 2012 R2 system you have IPMI access to.
Even if you never have to recover a lost Windows Server Administrator password using this methodology, it should be eye-opening. Modern servers do include iKVM functionality with the ability to remotely mount ISO images. This entire operation can occur over a period of a few minutes and leaves the system vulnerable if sethc.exe is not replaced. Our suggestion is to use a separate network or VLAN for all IPMI interfaces.
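The warning above is the part most often forgotten: a server on which sethc.exe was never restored hands a SYSTEM shell to anyone who can reach the login screen. The following PowerShell check is an added example, not part of the original post, that verifies step 13 was actually done by comparing the SHA-256 hash of sethc.exe against cmd.exe and inspecting the file's version resource. It assumes a default %SystemRoot% layout and PowerShell 4.0 or later (which ships with Server 2012 R2); the expected OriginalFilename value of "sethc.exe" for the genuine binary is an assumption stated in the code.

```powershell
# Added example: confirm sethc.exe has not been left swapped with cmd.exe.
# Run from an elevated PowerShell prompt on the recovered server. Pass
# -SystemRoot to point at another drive (e.g. D:\Windows) if needed.
param(
    [string]$SystemRoot = $env:SystemRoot
)

$sethcPath = Join-Path $SystemRoot 'System32\sethc.exe'
$cmdPath   = Join-Path $SystemRoot 'System32\cmd.exe'

# Get-FileHash exists in PowerShell 4.0+, so it is available on Server 2012 R2.
$sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethcPath).Hash
$cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmdPath).Hash

# The version resource is embedded in the PE; a copied cmd.exe carries cmd.exe's
# resource, not the accessibility handler's. (Assumed genuine value: 'sethc.exe'.)
$versionInfo = (Get-Item -Path $sethcPath).VersionInfo

$report = [pscustomobject]@{
    SethcPath        = $sethcPath
    SethcSHA256      = $sethcHash
    MatchesCmdExe    = ($sethcHash -eq $cmdHash)
    FileDescription  = $versionInfo.FileDescription
    OriginalFilename = $versionInfo.OriginalFilename
}
$report | Format-List

# -ne is case-insensitive in PowerShell, so 'Sethc.exe' also passes.
if ($report.MatchesCmdExe -or $versionInfo.OriginalFilename -ne 'sethc.exe') {
    Write-Warning 'sethc.exe does not look like the genuine accessibility handler. Restore it from the backup copy (sethc-old.exe) or from installation media.'
    exit 1
}

Write-Output 'sethc.exe appears intact.'
exit 0
```

The hash comparison is the decisive test: if sethc.exe and cmd.exe hash identically, the swap is still in place regardless of what the version resource says. The exit code lets the script run unattended from a scheduled task or configuration-management check, so a forgotten step 13 surfaces as a failing job rather than going unnoticed until someone presses SHIFT at the console.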