Isolate a DC - Part 3: Activate Administrator Account

This is Part 3 of a multi-part blog post on automating AD Forest Recovery: take your forest to rehab, sit it down and force it not to have any AD corruption.

Activate Administrator Account

Now I am not one for a false sense of security, but people building environments that I support are. That is why, more often than not, the Administrator account is renamed, the password is divided in two and stored at different ends of the earth, one half under the six watchful eyes of Cerberus, the other stuffed in a filing cabinet lost to the ages. Of course, one day you will need to promote a DC or do a schema change, and so you have people with Domain Admin accounts. However, the Administrator account is the only one that can log in if you don't have a Global Catalog available… so… just in case, let's make all that skullduggery moot by resurrecting that Administrator account.

This script will divine your Admin account's sAMAccountName with nothing but two sticks and a well-known SID (the domain SID with the built-in RID 500 appended, which survives any rename), ensure the account is enabled, and set its password to something easy to remember that is conveniently printed to the screen.

#Requires -Modules ActiveDirectory
function Activate-AdminAccount {
    [CmdletBinding(
        SupportsShouldProcess = $true,
        ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$PlainTextPassword
    )

    # Locate the built-in Administrator account by its well-known RID (500) appended to the
    # domain SID; this works even when the account has been renamed
    $domainObj = Get-ADDomain
    $adminSid = "$($domainObj.DomainSID)-500"
    $AdminAccount = ([ADSI]"LDAP://<SID=$adminSid>").distinguishedName[0]
    Write-Verbose "AD Admin account located: $AdminAccount"

    # Show the sAMAccountName together with the password that is about to be set
    Get-ADUser $AdminAccount -Properties SamAccountName |
        Format-List SamAccountName, @{ l = 'Password'; e = { $PlainTextPassword } }

    # -WhatIf / -Confirm are honoured here because ConfirmImpact is High
    if ($PSCmdlet.ShouldProcess($AdminAccount)) {
        Write-Verbose "Activating $AdminAccount and resetting password to $PlainTextPassword"
        $password = ConvertTo-SecureString -AsPlainText $PlainTextPassword -Force
        Set-ADAccountPassword -Identity $adminSid -Reset -NewPassword $password
        Set-ADUser $AdminAccount -Enabled $true
    }
}

Activate-AdminAccount -PlainTextPassword "ThisIsTheMostC0mplexPasswordICou1dThinkOf"
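Once the account has been resurrected, it is worth confirming that the RID-500 account really is enabled, not locked out, and carrying the freshly reset password before you rely on it for recovery. The following check is an added example, not part of the original post; it assumes the ActiveDirectory module and a reachable DC, and `Test-AdminAccountActivated` is a hypothetical name.

```powershell
#Requires -Modules ActiveDirectory
# Added verification helper (hypothetical name), not from the original post.
function Test-AdminAccountActivated {
    [CmdletBinding()]
    param(
        # The password must have been reset within this many minutes for the check to pass
        [int]$MaxPasswordAgeMinutes = 10
    )

    $domainObj = Get-ADDomain
    # Well-known built-in Administrator SID: domain SID plus RID 500, rename-proof
    $adminSid = "$($domainObj.DomainSID)-500"

    $admin = Get-ADUser -Identity $adminSid `
        -Properties SamAccountName, Enabled, LockedOut, PasswordLastSet, PasswordExpired

    # Treat a missing PasswordLastSet (never set / must change at next logon) as not reset
    $recentlyReset = $false
    if ($admin.PasswordLastSet) {
        $ageMinutes = ((Get-Date) - $admin.PasswordLastSet).TotalMinutes
        $recentlyReset = $ageMinutes -le $MaxPasswordAgeMinutes
    }

    [pscustomobject]@{
        SamAccountName   = $admin.SamAccountName
        Renamed          = ($admin.SamAccountName -ne 'Administrator')
        Enabled          = $admin.Enabled
        LockedOut        = $admin.LockedOut
        PasswordLastSet  = $admin.PasswordLastSet
        PasswordExpired  = $admin.PasswordExpired
        # True only when every condition needed for a GC-less logon is satisfied
        ReadyForRecovery = ($admin.Enabled -and -not $admin.LockedOut -and
                            -not $admin.PasswordExpired -and $recentlyReset)
    }
}

Test-AdminAccountActivated | Format-List
```

Run it straight after Activate-AdminAccount; a `ReadyForRecovery` of `False` tells you which of the enabled, lockout or password-reset steps did not take before you discover it at a logon prompt with no Global Catalog.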

All the other parts of this series are available here