We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

Unjoining a workstation from a domain

billcute
billcute asked
on
Medium Priority
2,762 Views
Last Modified: 2012-05-06
"Workstation1 "Wkst1" previously belong to a domain "D1". I now want to remove "W1" from "D1" domain to Workgroup "Wrkgrp1" within Windows XP security setup tab.
I tried to unjoin this workstation from Domain D1 by selecting the workgroup option and entered "Wkgrp1"  as the workgroup name.

 I received a dialog box requesting me to "enter a name and  password of an account with permission to remove the workstation from the domain "D1".

As an Administrator, I entered the Adminstrator's name and password which was rejected with an error message:
"The following error occurred attempting to unjoin the domain "D1". The revision level is unknown."

I dont know what else to do, but I still want to unjoin "Wkst1" from "D1" and move "Wkst1" to a new workgroup "Wkgrp1".
What must I do be able to unjoin the domain and move "Wkst1"  to a new workgroup "Wkgrp1" ?.

I do have a bootcd that can reset the Adminstrator's password to blank from a DOS prompt. I will appreciate any other suggestion that would assist me in achieving my desired objective.
Comment
Watch Question

Sounds to me like a user rights issue.

http://support.microsoft.com/kb/823659

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
It wants the administrator's credentials of the server hosting the Domain. Is that what you entered? Resetting the workstation's administrator password won't help. .... T
Make sure when the dialog box pops up for authenticaion when you try and remove it from the domain that you are using a domain administraor account (or one with privlidges to join/disjoin computers). Enter the username in the dialog box as DOMAIN\Username or Username@domain.com

Author

Commented:
I am sure that I dont have the Domain\Username nor password to supply. Does anyone know of any other backdoor to bypass this dialog box?
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can try removing the domain user's profile on the workstation. If there is data there, you may want to try to save it. You may not be able to do this either. .... T
CERTIFIED EXPERT

Commented:
If you don't have the creds it won't matter but if the creds you supplied were not accepted then the box would have popped back up asking for a different set of creds.

I have seen this where deleting the following reg key and a restart will allow you to disjoin the domain.
<insert MS disclaimer about modifying the registry here. MAKE a BACKUP>
HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC

Author

Commented:
winthropj:
You said:
<insert MS disclaimer about modifying the registry here. MAKE a BACKUP>
HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC

Can you tell me step by step on how to accomplish this?

Regards
Bill

Author

Commented:
winthropj:
You mean running Registry Editor 32 ???

Author

Commented:
Manually delete the relevant registry keys:
Click Start, click Run, type regedit in the Open box, and then click OK to start Registry Editor.
In Registry Editor, locate and then delete the following registry key. Is this correct ?

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\$MACHINE.ACC
CERTIFIED EXPERT

Commented:
Yup. You may need to change the permissions on it.
Right click on the registry key to change the permissions.
Lee W, MVPTechnology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
Change it to workgroup.  When prompted, ignore it.  Unless there is something wrong with the system, it will just change it from Domain to Workgroup.  (The whole point of entering a user name and password is to remove the account from AD automatically.  (Note: you need LOCAL admin rights to the workstation to do this).

Author

Commented:
leew:
When prompted, ignore it.    '<---- Ignore what? ...and what kind of message prompt to expect?

Author

Commented:
winthropj:
I thought that you said under ID: 23639010
"I have seen this where deleting the following reg key and a restart will allow you to disjoin the domain.
<insert MS disclaimer about modifying the registry here. MAKE a BACKUP>
HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC"

...Now under  ID: 23639089
"You may need to change the permissions on it."

I am now really confused...would you please clarify what should be done here.
CERTIFIED EXPERT

Commented:
I think he means the username/password prompt.

Author

Commented:
winthropj:
I also thought that the Security folder is a sub directory of SAM as shown below. Correct me if I am wrong.

HKLM\SAM\SECURITY\Policy\Secrets\$MACHINE.ACC
          ~~~~
CERTIFIED EXPERT

Commented:
No. I don't think it is.
I would try what leew is saying. He's got rank.
Choose the WorkGroup radio button and put in a workgroup name. Workgroup is a good. THen when asked for creds just x out and see if it will drop it to the workgroup without the creds.

Lee W, MVPTechnology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
When you remove an XP machine from the domain, you go to the System Control Panel.  You go to the Computer Name tab.  You click the change button.  You select Workgroup and enter a workgroup name.  Then you click the OK button.  You are then prompted to enter a user name and password to remove it from the domain.  Ignore it.  Or more specifically, click a button.  Cancel... OK... it shouldn't matter.  It will hang for a few seconds... maybe a minute... and may give you an error message that it couldn't remove the computer account from the domain but the computer itself should now be in a workgroup.

Author

Commented:
Thanks. I will try this in the office next week and let you know the outcome.

Regards
Bill

Author

Commented:
leew / winthropj:
Soory to bring this topic back. I was unable to verify the suggestion made by "leew / winthropj" before closing this post. I had the believe that the suggestion would work. However the line below does not exist in WinXP Pro Registry editor.
HKLM\SAM\SECURITY\Policy\Secrets\$MACHINE.ACC

The line that existed is:
HKLM\SAM\SECURITY\default

...and the default value was not set on the registry key editor.

In this case, the problem I described in my original question still exist. Is there a way out of this problem?

Regards
Bill

Author

Commented:
To All Experts:
I requested that the post be re-opened for further assistance and with a view to ensuring that future EE members have the right answer if the thread is visited.

Sorry for your inconveniences.

Regards
Bill

Author

Commented:
To All Experts:
As a gesture of good will I have also increased the points from 250 to 500

Author

Commented:
In light of the above, I have decided to accept suggested link from "ThePhreakshow" because it offers me an opportunity to read more about the User security issues. If I have any additional question I will post it in a new thread.

Regards
Bill
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.