Local Administrators Group missing known Administrator account

Asked by Sirius_Systems (United States of America)

I'm an MCP consultant, but I've just run into a new problem with a new client.  

In migrating older PCs running XP Pro previously joined to an OLD Win Server 2000 Active Directory Domain to a NEW Win Server 2003 AD Domain the Domain Administrator account was not added to the Local Administrators Group.  Therefore the only member of the critical Local Administrators group is the Local Administrator.  Unfortunately, because this is a new client that is a disorganized non-profit with a revolving door of employees and administrators, NO ONE knows the Local Administrator password.  I hoped it was the same as the OLD Domain Admin Password, but NOPE.  I of course tried manually adding the Domain Admin account to the Local Administrator group, but NO privs there either.

So the question is, is there a way to force the Local Machine to accept the Domain Administrators Group as a member of the Local Admin?  I looked at Group Policy to see if there might be something, but I couldn't find it.

Is the only resolution a total reinstall of the OS?  I'm beginning to think so, but I hope there's an expert out there with some experience with this.
SOLUTION by Toni Uranjek (Slovenia)
This solution is only available to members.

ASKER CERTIFIED SOLUTION

SOLUTION
Sirius_Systems (asker):
I think you all have good ideas.  I like Sinder255248's the best.  I saw the Restricted Group Policy object but have never used it so I wasn't sure it would do what I wanted and you have suggested.

I'll try it in the next day or 2 and Accept the one that works and is the quickest to implement on 5 machines.  I know the GPO is the easiest, I just hope it works.  If not, I'll have to use the tools.  All of which I haven't used before so I appreciate the tip.  I've already downloaded UBCD, and the Reg password editor.  I would love to get the Hiren's Boot CD with all those utilities combined, but it seems you have to build it and isn't just downloadable as an .iso
McKnife:
Sirius, if you join a computer to a domain (or remove it from an existing one and join a new one), the domain group "domain administrators" gets added to the local administrators group automatically. I doubt it's not there.
Sirius_Systems:
McKnife, I totally agree.  I've built probably 20 domains and joined hundreds of clients and NEVER have I seen one not accept the Domain Admin group into its Local Administrators Group when joined to the Domain.  I searched another Administrator account, tried to create one, upgrade another and nothing other than the true Local Administrator was allowed to be a member of the Local Administrators group.  

These are 6 year OLD Gateway / eMachines that probably have many more issues than just funky permissions issues.  I'm going to be getting them to upgrade, but I need to get the old data off from the old domain profiles.  I'll be back at it in a few days.
I wonder if there's a reason
dcolvard:
Sirius Systems,
You can download Hiren's BootCD, but you may have to use a torrent site and client to download it.
Just a quick question: can you view the local admins group, or is the domain admin username and password not working on the machines you joined to the domain?
Sirius_Systems:
dcolvard,

I can view the Local Admins group, and the Domain Admin group has access to the machine.  I just can't change file permissions or do necessary things like install hardware or modify printer ports or add, etc.  

I assume somehow during the Domain join process, the Domain Admin group didn't get added to the Local Administrators as it should've.  Out of 15 workstations joined on the same day, 5 didn't inherit the Domain Admin into its Local Admin group.

I probably won't get to it this week unless I go back to the client tomorrow.  It's not critical for them now, since I've managed some workarounds, but certainly I need to fix it eventually.
Sirius_Systems:
Thank you all for your comments.  As I expected Sinder had the easiest successful solution and therefore was awarded most of the points.  Alternatively, I appreciate dcolvard and toniur's suggestions so I've awarded them part of the solution because others searching this thread should know about their suggestions.  

I did have trouble with one of the PCs accepting the Group Policy, but after a reboot the Domain Admin Group was added/appeared, but the associated privileges still didn't work.  It took a second login attempt to get the GPOs to refresh.  I did do a gpupdate /force long before I went to the workstations to check the groups, so propagation wasn't the issue.
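One way to verify the outcome across the affected workstations after the Restricted Groups policy has applied, as an added example that is not from the thread or from any of the participants: a PowerShell audit that reads each machine's local Administrators group through the legacy WinNT ADSI provider (which still answers for Windows XP clients) and flags any machine where the domain administrators group is missing. The domain NetBIOS name `EXAMPLEDOM` and the workstation names `WS01`..`WS03` are placeholders, and the script assumes you run it from a domain-joined admin workstation that can reach the targets over RPC/SMB.

```powershell
# Added example, not code from the thread: audit which workstations actually
# carry the domain administrators group in their local Administrators group.
# Assumptions: run from a domain-joined admin workstation; RPC/SMB to the
# targets is open; EXAMPLEDOM and the WS* names are placeholders.

$DomainNetbios = 'EXAMPLEDOM'              # placeholder, replace with the NetBIOS domain name
$ExpectedGroup = 'Domain Admins'           # built-in domain group the policy should add
$Workstations  = @('WS01', 'WS02', 'WS03') # constructed list, replace with the real names

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    # The WinNT provider enumerates local groups on legacy clients such as XP.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://EXAMPLEDOM/Domain Admins or WinNT://WS01/Administrator;
        # normalise it to DOMAIN\Name so it can be compared directly.
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

$report = foreach ($ws in $Workstations) {
    try {
        $members = @(Get-LocalAdminMembers -ComputerName $ws)
        # -contains is case-insensitive, matching how Windows treats group names.
        $hasDomainAdmins = $members -contains "$DomainNetbios\$ExpectedGroup"
        [pscustomobject]@{
            Computer        = $ws
            HasDomainAdmins = $hasDomainAdmins
            Members         = ($members -join '; ')
            Error           = $null
        }
    } catch {
        # Unreachable host or access denied: report it rather than silently skipping.
        [pscustomobject]@{
            Computer        = $ws
            HasDomainAdmins = $false
            Members         = ''
            Error           = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# Machines with HasDomainAdmins = False and no Error are the ones the
# Restricted Groups policy has not reached; run gpresult on those before
# changing anything by hand.
```

Two points worth keeping in mind when reading the output. First, the two halves of a Restricted Groups entry behave differently: "Members of this group" enforces the exact membership list and removes anyone not listed, while "This group is a member of" only appends the group to the named local groups, so the second form is the safer one for adding Domain Admins without disturbing the existing local Administrator. Second, group membership is evaluated into the user's access token at logon, which is why the group can already be visible in the local Administrators list while a session that was opened before the policy applied still lacks the privileges; logging off and back on rebuilds the token.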