Q: How do I use the Windows Password Reset Disk (PRD) feature? Can I create PRDs only for local accounts, or can I also create them for domain accounts?
A: A PRD solves the problem of a forgotten password for a local Windows user account. If users create PRDs for their local accounts before they forget their passwords, they can easily reset their passwords at any future time, provided they still have access to the PRD disk. Be sure to keep the PRD in a secure place so that no one but the authorized user can get to it: whoever holds the disk can reset that account's password.
You can use a PRD to reset the password of a local account only, where "local" means it's defined in a machine's local security database and verified locally, as opposed to a domain account, which is defined in the domain database and verified by a domain controller (DC). PRDs are supported only on Windows Server 2003 Service Pack 1 (SP1), Windows Server 2003 R2, and Windows XP. A PRD is linked to a single machine and can't be used on other machines.
On a standalone XP machine, you can create a PRD from the user account properties in the User Accounts Control Panel applet. To start the PRD Forgotten Password wizard, click "Prevent a forgotten password" as Figure 1 shows. The wizard then guides you through the rest of the PRD-generation process.
On domain-joined XP and domain-joined or standalone Windows 2003 SP1 or R2 machines, you can create a PRD for a local account by following these steps:
- Press CTRL+ALT+DEL and click Change Password.
- In the User name field, type the name of the account that you want to create a PRD for.
- In the Log on to field, select the name of the local computer.
- Click Backup to start the PRD Forgotten Password wizard.
When a PRD is created, Windows creates a public-private key pair and a self-signed certificate. The PRD logic encrypts the user’s actual password using the public key and stores the result of this encryption in the HKEY_LOCAL_MACHINE\Security\Recovery\<user SID> registry key. The PRD logic then exports the private key to a floppy disk and deletes it from the local system.
When you enter a wrong password on the logon screen of a standalone XP machine, XP will prompt you “Did you forget your password? You can use your password reset disk.” Clicking this phrase will start the Password Reset wizard. This particular XP prompt will appear only for users that have created a PRD.
On domain-joined XP and domain-joined or standalone Windows 2003 SP1 or R2 machines, you can call the Password Reset wizard from the Logon Failed dialog box by clicking the Reset button. The Logon Failed dialog box appears only after users have typed a wrong password and only if they've created a PRD.
The Password Reset wizard will ask you to enter a new password and to supply the PRD 3.5" disk. Behind the scenes, Windows will retrieve your PRD private key from the PRD disk and use it to decrypt the encrypted copy of your password on the local machine. The fact that you have supplied the correct PRD disk proves to the system that your request to reset your password is authentic.
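The following Go program is an added model of the two mechanisms described above (PRD creation and the Password Reset wizard); it is illustrative code written for this page, not Windows code or the article's own. It assumes a machine whose "security database" is a map keyed by SID, a "floppy" that is just a byte slice holding the exported private key, and RSA-OAEP as the public-key encryption (Windows' actual key type, certificate handling and registry format are not reproduced; the self-signed certificate is omitted). The SID values are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Machine stands in for the local security database. Recovery plays the role of
// HKEY_LOCAL_MACHINE\Security\Recovery\<user SID>: it holds the user's password
// encrypted under the PRD public key. Note that there is no field for a private
// key: after CreatePRD the machine keeps only the ciphertext.
type Machine struct {
	Passwords map[string]string // SID -> current password (stand-in for the SAM)
	Recovery  map[string][]byte // SID -> password encrypted with the PRD public key
}

// ResetDisk models the floppy: it carries nothing but the exported private key.
type ResetDisk struct {
	PrivateKeyPEM []byte
}

func NewMachine() *Machine {
	return &Machine{Passwords: map[string]string{}, Recovery: map[string][]byte{}}
}

// CreatePRD mirrors the creation step: generate a key pair, encrypt the user's
// actual password with the public key, store the result under the user's SID,
// export the private key to the disk and drop it from the machine.
func (m *Machine) CreatePRD(sid string) (*ResetDisk, error) {
	pw, ok := m.Passwords[sid]
	if !ok {
		return nil, errors.New("unknown local account")
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// The SID is used as the OAEP label, so ciphertext is bound to this account.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, []byte(pw), []byte(sid))
	if err != nil {
		return nil, err
	}
	m.Recovery[sid] = ct
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	disk := &ResetDisk{PrivateKeyPEM: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})}
	// priv is not stored anywhere on the Machine; only the disk holds it now.
	return disk, nil
}

// ChangePassword is the ordinary password change: it requires the old password.
func (m *Machine) ChangePassword(sid, oldPw, newPw string) error {
	if cur, ok := m.Passwords[sid]; !ok || cur != oldPw {
		return errors.New("old password does not match")
	}
	m.Passwords[sid] = newPw
	return nil
}

// ResetPassword mirrors the Password Reset wizard: read the private key from
// the disk, decrypt the escrowed password, and use it to perform a normal
// password change. A successful decryption is what proves possession of the
// correct disk. Re-escrowing the new password under the same key (so the disk
// stays usable afterwards) is an assumption of this model.
func (m *Machine) ResetPassword(sid string, disk *ResetDisk, newPw string) error {
	ct, ok := m.Recovery[sid]
	if !ok {
		return errors.New("no password reset disk was created for this account")
	}
	block, _ := pem.Decode(disk.PrivateKeyPEM)
	if block == nil {
		return errors.New("disk does not contain a key")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return err
	}
	priv, ok := key.(*rsa.PrivateKey)
	if !ok {
		return errors.New("unexpected key type on disk")
	}
	oldPw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(sid))
	if err != nil {
		return errors.New("this disk does not belong to this account on this machine")
	}
	if err := m.ChangePassword(sid, string(oldPw), newPw); err != nil {
		return err
	}
	ct2, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, []byte(newPw), []byte(sid))
	if err != nil {
		return err
	}
	m.Recovery[sid] = ct2
	return nil
}

func main() {
	sid := "S-1-5-21-EXAMPLE-1001" // constructed placeholder SID
	m := NewMachine()
	m.Passwords[sid] = "OldPass1"
	disk, err := m.CreatePRD(sid)
	if err != nil {
		panic(err)
	}
	fmt.Println("reset:", m.ResetPassword(sid, disk, "NewPass2"), "password now:", m.Passwords[sid])
}
```

Two properties of the design are visible in the model: the machine never retains the private key, so reading the registry value alone yields nothing, and the disk is bound to one account on one machine (a disk created elsewhere fails to decrypt). It also shows why the disk must be guarded: its holder can reset the password without knowing the old one.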