We've encountered a frustrating situation with our fully patched Windows 2022 server; it seems to have lost trust in the domain. When we try to log in using a domain account, we get a bad username/password error. Unfortunately, nobody remembers a valid local username/password combination for the server. It's also important to mention that this server is a VMware VM.
We've faced a similar issue with another server not long ago where we attempted to replace utilman.exe with cmd.exe. While we managed to execute cmd.exe initially, Windows Defender intervened and shut it down. Does anyone have some suggestions for how we can regain access to this server?
**UPDATE:** A big thanks to everyone who suggested disconnecting the NIC and using cached credentials! That worked perfectly.
7 Answers
If you’ve replaced utilman with cmd, try booting into safe mode to run it. Defender shouldn’t be running in that mode. I also had a situation where cmd was shutting down during login, but it turned out to be memory overload. Disconnecting the network and any unnecessary devices helped fix it for me.
Try this method: Disconnect the network connection, log in using cached credentials (ask whoever logged in last), then reconnect the network. After that, you can run this PowerShell command as admin: `Test-ComputerSecureChannel -Repair` to fix any issues.
Another option is to boot it with a USB drive and create a new local account. You’d be able to regain access that way.
I did the classic trick on a 2019 server: boot from an ISO and change the admin password. It’s a bit old school, but it works! Here's a link to a similar approach I documented: [my blog entry](https://em-soft.si/myblog/elvis/?p=975).
If you can't remember the local admin credentials, I've had success with disconnecting the virtual NIC from the network and booting up the server. This forces the system to use cached credentials, which might just save the day!
Definitely! Just make sure that GPO isn’t set to a very low cached credential limit; I believe the default is around 10.
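The cached-logon limit mentioned here and the secure-channel repair from the earlier answer, as an added PowerShell example that none of the answerers posted; it assumes an elevated session on the affected server, that the NIC is reconnected with a domain controller reachable, and a domain account allowed to reset this computer object's password:

```powershell
# Added example: check the cached-logon policy and the domain secure channel
# before touching anything, then repair the channel if it is broken.

# 1. How many domain logons does this server cache locally? The GPO
#    "Interactive logon: Number of previous logons to cache" writes this value;
#    0 would mean the disconnect-the-NIC trick cannot work on this machine.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # value absent means the OS default of 10 applies
Write-Host "CachedLogonsCount = $cached"

# 2. Is the secure channel to the domain actually broken?
$healthy = Test-ComputerSecureChannel -Verbose
Write-Host "Secure channel healthy: $healthy"

# 3. If not, repair it with an account that may reset the computer account
#    password on the domain controller.
if (-not $healthy) {
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
    if (-not $repaired) {
        # Fallback: force a new machine-account password both locally and on the DC.
        Reset-ComputerMachinePassword -Credential $cred -Verbose
        $repaired = Test-ComputerSecureChannel
    }
    Write-Host "Secure channel repaired: $repaired"
}

# 4. Confirm which DC the server now talks to, and pull the most recent NETLOGON
#    errors (for example event 5719, secure-session failures) that would explain
#    why the trust was lost in the first place.
nltest /sc_query:$env:USERDNSDOMAIN
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Step 4 is what to look at afterwards: a repeated 5719 pattern points to a DC reachability or time-skew problem rather than a one-off machine-password mismatch, which would otherwise recur.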
Just a tip: Disconnect the network card first. This way, you can have someone log in with cached credentials!
Since you mentioned this is a VMware VM, snapshot it before doing anything. Boot it with a Kali Linux Live ISO and use chntpw to reset the local account's password. It’s a solid way to regain access! I found a [how-to guide](https://it-beratung-koch.de/kb/passwort-reset-fuer-windows-mit-kali-linux/) on this; it's in German, but you can use Google Translate to get through it.
Just make sure there’s no BitLocker or other encryption active, as that could complicate things.

This method worked wonders for me too! Also, consider setting up Windows LAPS to prevent this from happening in the future.