This is a tip that was posted in this forum for recovering a win2k admin password.

Here try this>
If you can log in as an account and it is FAT, drop to DOS start -> run -> cmd, at the C: prompt type the following (assuming default install locations)

C:\> cd \winnt\system32
C:\winnt\system32> copy logon.scr logon.scr.old
C:\winnt\system32> del logon.scr
C:\winnt\system32> copy cmd.exe logon.scr

Now log off the machine, logon.scr is the screen saver that will kick in after 15 minutes of not touching the keyboard/mouse at the logon screen. Wait 15-20 minutes and a DOS prompt with FULL SYSTEM rights will pop up, then just to
C:\> net user administrator <newpassword>
and then log in with the new account.

Try this, might work, as long as he didn't change default permissions on C:\winnt and C:\winnt\system32 you should be golden.
Let me know if this works.

I tried this out on my work PC. The command prompt came up as advertised. Though I received an "access is denied" error when I tried to change the administrator password or add a new local user, I was able to run regedit.exe and had permissions to modify the registry! I was also able to launch both applications (lotus notes and word) and mmc programs like the group policy editor (gpedit.msc) and Computer management (compmgmt.msc). I haven't really explored what could be done with this hack but it would be pretty easy to install a keystroke logger or a trojan to exploit this weakness. Does anybody have any suggestions for closing this loophole? I know the most obvious is to use NTFS and enforce permissions on files like logon.scr but my bosses insisted that we use FAT32 in order to be able to easily recover data in case of system crashes. I would also be curious as to how someone might use this exploit to gain local administrator access (outside of using a keystroke logger.) Any thoughts? Props out to Mickey05 and Heavy_Diesel for turning me on to this hack. Thanks.