A common problem in any organization is a forgotten Windows password. When it happens, the employee typically calls the help desk, and someone on the help desk staff performs a password reset. This procedure works great for employees who are logged into a domain, but for mobile employees, password resets pose a more complex problem.
Many mobile employees log in using a local account most of the time, and this is a problem because there is no way for the help desk staff to reset a local account's password without having physical access to the machine. If the user is traveling, then physical access for the help desk staff is out of the question.
Before I show you how to create a password backup disk, I want to stress that this disk does not contain the employee's password. That would pose a tremendous security risk. Instead, the disk simply contains a copy of the employee's public and private key pair. When the backup is run, Windows uses the employee's public key to encrypt the employee's password and SID. This information is then stored on the computer's hard drive in its own file, completely separate from the Security Accounts Manager (SAM).
The procedure for backing up the password varies depending on whether or not the machine has been joined to a domain. If the machine is not joined to a domain, then follow these steps to create a backup of the password:
- Open the Control Panel and click the User Accounts icon. Then select the account that you are currently logged in with.
- Click the Create A Password Reset Disk button. This causes Windows to launch the Password Reset Wizard.
If the machine is joined to a domain, then you will have to follow these steps to access the Password Reset Wizard:
- Verify that you are logged in locally (not logged into a domain).
- Press Ctrl+Alt+Delete.
- Click the Change Password button.
- Click the Backup button.
Now that you have launched the Password Reset Wizard (renamed to The Forgotten Password Wizard somewhere along the way), follow these steps to back up the password:
- Click Next.
- Insert a blank, formatted disk into the specified drive. If the computer in question does not have a floppy drive, you can use a USB flash drive.
- Enter your current password when prompted.
- Click Next.
- When Windows finishes creating the disk, click Next again.
- Click Finish.
- Click Cancel.
- Click Cancel again.
In case you are wondering, you do not have to create a new password reset disk every time you reset a forgotten Windows password. The reset file is always encrypted with the original password. Subsequent passwords are simply appended to the file.
Performing a password reset is simple. When an employee enters a bad password, Windows presents them with a dialog box that allows them to click OK to try again or click Reset to reset their password. Upon clicking Reset, the employee is prompted for the password reset disk and then is prompted to reset the password.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
Dig Deeper on Endpoint security management tools