SQL Server injection to rescue
Once I was involved in a similar situation in a clients place. They had forgotten their AD Admin password on a production web & db cluster. Luckily this was before SQL Server the patches from Microsoft after a well-known attack had been applied. I simply executed an ASP page with 'poison' SQL query to execute, CMD.EXE with a parameter to run "net user username password /add" and then another command to add to the global admin. Voilla.
Then, dutifully I executed the Microsoft patch on all the server for SQL Injection and instutionalised a process with the developers to sanitize all their HTML inputs.