Fired head IT guy this week... need admin info and need to disable remote access!

Discussion in 'Windows Server' started by cswimc, Apr 8, 2010.

  1. ariefkusumo

    ariefkusumo MDL Novice

    I had the same situation once. What I did:
    1. Make a full backup, using Acronis
    2. Reset the password via CD
    3. Run a security check for hidden remote programs, time bombs, etc.
    4. Disable the administrator account and create a new user as administrator
    I was using Hiren's Boot CD and a couple of security programs.
     
  2. derausgewanderte

    derausgewanderte MDL Senior Member

    Not to start this thread over again, but he has a slightly (or much, depending on your perspective) different issue. He has a password to hack that is on/for a domain/network, not local.
  3. ioniancat21

    ioniancat21 MDL Member

    #23 ioniancat21, May 10, 2010
    Last edited: May 10, 2010
    Just a thought....

    I was interested to see that this rogue admin is still an issue for your company. I liked ariefkusumo's suggestions and it would be wise to check them out. I'm unclear as to what he has in place to basically own your network but realistically, for him to have the ability to remotely connect from outside of the network, there are only limited ways a person can do this such as router configuration, VPN, VNC, RDP, etc. The point is, if you hire a good consultant and share the story with him, I'm sure he could find the exploit and close the door.

    I still fall back on my initial idea, which is to involve law enforcement. What I would do is go to the Police and tell them basically that this admin has hijacked your network, and have him arrested. I would then have the Police influence him to remove his exploits or face criminal charges along with a lawsuit for damages. To allow him to continue to bully your company is only going to worsen this situation. What's next? What if he demands a $250K/year salary or else, or maybe he'll tell the owner of your company to sign over ownership of the company to him or else. In other words, your employer is only giving him power to run amok all over you guys. Trust me, call the Police and let's see how badly this guy wants to go to jail, destroying his career and finances simultaneously and permanently.
     
  4. queuebert

    queuebert MDL Novice

    From what I'm reading the former admin hasn't actually done anything. He knows the network/DC admin password and the owner doesn't. There's nothing illegal about that and I'd say that admin no longer has any obligation to his former employer. What basis for arresting the guy would the authorities have? Besides, he can claim he no longer remembers the password. There would be no rebuttal to that.
     
  5. Valoni

    Valoni MDL Junior Member

    #25 Valoni, Jun 10, 2010
    Last edited: Jun 10, 2010
  6. ioniancat21

    ioniancat21 MDL Member

    If I understood the original poster's message correctly, the former employee was threatening damage to the network using his admin credentials, which is highly illegal. This is not simply a case of a former admin having his password, because they could simply disable his account. I believe the reason they have lost access to their DCs and network is that this admin locked them out.
     
  7. vdl68

    vdl68 MDL Junior Member

    REREAD IT AGAIN: Basically, there is a situation brewing in which the head IT guy will not give us the administrator password for the network. Along with this, the boss is worried that he may log in via remote desktop and mess around with files such as accounting records, inventory records, or just sabotage the whole system.

    "the boss is worried"

    The boss is frankly PARANOID...
     
  8. ioniancat21

    ioniancat21 MDL Member

    Sorry..........

    If that's the case, why is this even an issue? Simply use the workaround posted above and once logged in, change all the administrator passwords and be done with it. I would also hope that you still aren't locked out of your DC after all this time! Be thankful, it could be much worse and furthermore, you'll be more aware of keeping records of passwords and other important security information, especially with a paranoid boss. Your boss should also have knowledge of the basic terminology here and not find himself trapped like this in the future.
     
  9. j911

    j911 MDL Novice

    I signed in just to give my two cents' worth. Having had my then network administrator boss fired, I had to plug all security holes in case of sabotage by him. Long story short:

    Use a Linux boot CD (e.g. Ubuntu) to get the Windows SAM file and the other files in that folder.

    Download Cain & Abel on one of your desktop workstations and load the files you saved into it.

    Hopefully it will give you the NTLM and LM password hashes for the encrypted administrator password.

    Take the LM password hash and type it in here:

    objectif-securite.ch/en/products.php (I don't have 20 posts for adding links, but you know the usual prefix; sorry mods for breaking the rules)

    This will give you the password used, but the CaSInG will be wrong. Use ophcrack with the same files you loaded into Cain & Abel, and that should figure out the correct password using the password mask option.

    After that, disable remote access on the server; look for apps like TeamViewer, LogMeIn, VNC, RealVNC and remove them all.

    Sometimes admins save their password documents on their desktops. Once logged in as administrator on the server, see if he did so. Otherwise, hope like hell he used the same password on the router too...

    Or you will have to reset the router... and reassign ports.

    Good luck
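The "security check for hidden remote programs" in ariefkusumo's post and the "disable remote access, look for TeamViewer/LogMeIn/VNC" step in j911's post both amount to an audit of how a former admin could still get in. The script below is an added example, not code from the thread; it assumes PowerShell 5.1 or later on Windows Server 2016 or later with local admin rights, and the watchlist of product names is a constructed list built from the tools the posts mention.

```powershell
# Added example (not from the thread). Assumes PowerShell 5.1+ on Windows Server 2016+ and local admin rights.
# Watchlist of remote-access products, constructed from the names mentioned in the posts plus common variants.
$watchlist = 'TeamViewer', 'LogMeIn', 'VNC', 'RealVNC', 'TightVNC', 'UltraVNC'

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means RDP is ON.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
"RDP enabled: $($rdp.fDenyTSConnections -eq 0)"
# To turn it off once you have console access:
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1

# 2. Installed programs matching the watchlist (both 64-bit and 32-bit uninstall keys).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
"--- Installed remote-access software ---"
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $name = $_.DisplayName; $name -and ($watchlist | Where-Object { $name -like "*$_*" }) } |
  Select-Object DisplayName, Publisher, InstallDate, UninstallString

# 3. Services matching the watchlist: a "hidden" remote program usually runs as a service.
"--- Services ---"
Get-Service | Where-Object { $n = $_.Name + ' ' + $_.DisplayName; $watchlist | Where-Object { $n -like "*$_*" } } |
  Select-Object Name, DisplayName, Status, StartType

# 4. Every enabled scheduled task and what it executes; review anything unfamiliar (possible time bomb).
"--- Enabled scheduled tasks ---"
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
  Select-Object TaskName, TaskPath, @{ n = 'Execute'; e = { $_.Actions.Execute -join ';' } }

# 5. Who currently holds local Administrators membership (remove the departed admin's accounts).
"--- Local Administrators ---"
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# 6. Listening TCP ports with the owning process, so unexpected listeners (VNC on 5900, etc.) stand out.
"--- Listening ports ---"
Get-NetTCPConnection -State Listen |
  Select-Object LocalPort, @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
  Sort-Object LocalPort -Unique
```

Run it from an elevated console on each server and on the domain controllers; save the output before making changes so you have a record of what was found and when.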