How to enable a disabled local administrator account on a Windows 7 computer with BitLocker enabled
Before you begin, you will need to know, at a minimum, the following information:
- The account name and password of the local administrator account.
- The BitLocker recovery key for the local system drive. (For instructions on how to get the key, see “How to use Group Policy to save ‘BitLocker to Go’ recovery keys in Active Directory – Part 1”.)
Step 1. Boot the computer using the Windows 7 Installation media
Step 2. When prompted to “Install now” click the “Repair your computer” option at the bottom left.
Step 3 (optional). If your local computer hard drive is BitLocker encrypted, you will now be prompted to type in the recovery key (see below). Follow the next couple of steps that are appropriate for your situation.
Note: You may need to use the Recovery Key Identifier (e.g. A5103515) to find the correct encryption recovery key from Active Directory.
Note 2: This step is only required if your local hard drive is encrypted using BitLocker drive encryption.
Step 4. After you have entered the correct recovery key and unlocked the drive, select the installation of Windows 7 that you wish to gain access to (you will probably only have one option to select).
Note: Remember the drive letter in the Location column, as you will need it later (it is almost definitely going to be “(D:) Local Disk”).
Step 5. From the System Recovery Options click on “Command Prompt”
Step 6. Now run “regedit” from the command prompt.
Step 7. Click on HKEY_USERS and then click on File > Load Hive
Step 8. Navigate to the D:\Windows\System32\Config folder, select the SAM file, then click Open.
Note: The drive letter you use in the path above is the same as the drive letter in the Location column in Step 4.
Step 9. Now type “SAM_TEMP” (or any value) in the Key Name text field and click OK.
Step 10. Expand SAM_TEMP\SAM\Domains\Account\Users\000001F4 and double click on the “F” value.
Step 11. Change the value “11” in the first column, row 0038, to “10” and click OK.
Step 12. Click back on “SAM_TEMP”, then click File > Unload Hive and click Yes to confirm.
Step 13. Exit Regedit, close the Command Prompt and click Restart from the System Recovery Options menu.
You will now be able to log on as the local administrator account by using the account name “.\administrator” and the password of the account (which you should already know). This will enable you to configure the computer into a workgroup and then re-join the computer account back into the domain, without having to resort to enabling a back door administrator account on all the computers in your environment…
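Step 11 changes a single bit in the account-control word of the “F” value. The following added example (not part of the original post) decodes that word from a .reg export of the key in Step 10, so you can check the built-in administrator's state before and after the edit. The 0x38 offset, the constructed sample bytes and the helper names are assumptions; the flag names follow the USER_* account-control codes in MS-SAMR.

```python
import re
import struct

# Account-control bits (names after the USER_* codes in MS-SAMR); subset only.
ACB_BITS = {0x0001: "ACCOUNT_DISABLED", 0x0004: "PASSWORD_NOT_REQUIRED",
            0x0010: "NORMAL_ACCOUNT", 0x0200: "DONT_EXPIRE_PASSWORD",
            0x0400: "ACCOUNT_AUTO_LOCKED"}
ACB_OFFSET = 0x38  # assumption: flags word sits at row 0038 of "F", as in Step 11

# Constructed sample: .reg export of the key from Step 10 (not real account data).
SAMPLE_REG = r'''[HKEY_USERS\SAM_TEMP\SAM\Domains\Account\Users\000001F4]
"F"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,11,02,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
'''


def parse_reg_hex(reg_text, name):
    """Return the bytes of a '"name"=hex:' value from .reg export text."""
    joined = re.sub(r"\\\s*\n\s*", "", reg_text)  # undo '\' line continuations
    m = re.search(r'^"%s"=hex:([0-9A-Fa-f,]*)\s*$' % re.escape(name), joined, re.M)
    if m is None:
        raise ValueError("value %r not found" % name)
    return bytes(int(b, 16) for b in m.group(1).split(",") if b)


def decode_acb(f_value):
    """Return (raw_word, [flag names]) for the account-control word."""
    if len(f_value) < ACB_OFFSET + 2:
        raise ValueError("F value too short")
    (acb,) = struct.unpack_from("<H", f_value, ACB_OFFSET)
    return acb, [n for bit, n in sorted(ACB_BITS.items()) if acb & bit]


def is_disabled(f_value):
    return bool(decode_acb(f_value)[0] & 0x0001)


if __name__ == "__main__":
    before = parse_reg_hex(SAMPLE_REG, "F")
    after = bytearray(before)
    after[ACB_OFFSET] = 0x10            # the edit made in Step 11
    for label, blob in (("before", before), ("after", bytes(after))):
        acb, names = decode_acb(blob)
        print("%s: 0x%04X %s disabled=%s" % (label, acb, names, is_disabled(blob)))
```

In the sample, 0x11 is the disabled bit plus the normal-account bit; writing 0x10 clears only the disabled bit and leaves the rest of the word untouched.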
Now you might be wondering what the point of security on Windows 7 is (i.e. BitLocker and a disabled local admin) if it is so easy to circumvent. However, you need to remember that for this process to work you still need to know the local administrator password and, more importantly, the unique BitLocker recovery key… Obviously this makes it very important to have BitLocker drive encryption deployed; otherwise it is very easy to break into pretty much any computer if you have physical access.
I know this is not strictly a Group Policy topic; however, it is a very closely related topic and one I feel is still well worth knowing for any IT administrator, so you can configure a more secure environment…