Solved

Domain Trust broken, but GPO still exists affecting local admin account

Posted on 2014-10-16
Last Modified: 2014-10-22
I deleted the computer account from AD but now want to add the machine back to the domain. Problem is when I deleted the account it left in place a group policy that now appears to have set the local administrator account on the machine to be a guest only. I can log in as the local admin account, but it has no rights to open the machine's settings which allow me to attach to a domain... it says it's restricted by group policy.

Need to either be able to disable the domain group policies that are still in place, or, need to be able to create another local account that actually has admin rights on the local machine.

Domain is running on server 2012R2 and the client machine is Win7.
Question by:Sys_Admin1

Expert Comment

by:Cliff Galiher
ID: 40385086
You are very likely looking at reinstalling the OS. Group policies are meant to be enforced so end-users can't override the settings. In most circumstances, once you are no longer on a domain, you can make changes and the settings won't get re-applied. But in this instance, you don't have access to an account that can make those changes. That invariably means there is no clean way to undo what has been done.

Expert Comment

by:Glingo
ID: 40385089
Hi,

Can't you just edit the local accounts with Hiren Boot CD?

Accepted Solution

by:Sys_Admin1
ID: 40386863
"Can't you just edit the local accounts with Hiren Boot CD? "

Tried it, but it wasn't able to add the local admin [now a guest account] back to the admin group.

-----------------------------

Here is how I fixed it:

1. Booted using a Windows 7 disk, and selected repair.
2. Used a command prompt to make a backup of the file c:\windows\system32\sethc.exe
3. Copied cmd.exe over sethc.exe
4. Booted the machine into Windows and at the "press ctl-alt-delete to log on" window I hit shift 5 times. By renaming cmd.exe to sethc.exe, which is the sticky key utility, instead of the sticky key menu it opened a command prompt.
I then issued the command: "net localgroup administrator admin /add", which added the admin user back into the local administrator account. It gave a warning that the trust relationship with the domain had failed, but when I booted into Windows under the local admin account I could then remove the machine from the domain using my domain creds, and after a reboot I could add the machine back to the domain.

I pieced that together from several different forum posts on the web.

Author Closing Comment

by:Sys_Admin1
ID: 40396498
Fixed it myself after researching on web.
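
The procedure in the accepted solution leaves sethc.exe as a copy of cmd.exe unless the backup from step 2 is put back, so a command prompt stays reachable from the logon screen. The following PowerShell check is an added example, not part of the original thread; its function names are hypothetical and it assumes the genuine binary's version resource names sethc.exe.

```powershell
# Added example (not from the thread). Function names are hypothetical.
param([string]$SystemDir = (Join-Path $env:SystemRoot 'System32'))

function Get-Sha256Hex([string]$Path) {
    # .NET hashing instead of Get-FileHash, so it also runs on the
    # PowerShell 2.0 that ships with Windows 7.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')
    }
    finally {
        $stream.Dispose()
        $sha.Clear()
    }
}

function Get-SethcFindings([string]$Dir) {
    $sethc = Join-Path $Dir 'sethc.exe'
    $cmd   = Join-Path $Dir 'cmd.exe'
    if (-not (Test-Path -LiteralPath $sethc)) {
        return "sethc.exe is missing from $Dir"
    }
    $findings = @()
    # Assumption: the genuine file's version resource names sethc.exe.
    # Newer Windows builds append .MUI to the value, so strip it first.
    $orig = [string](Get-Item -LiteralPath $sethc).VersionInfo.OriginalFilename
    $orig = $orig -replace '\.mui$', ''
    if ($orig -ne 'sethc.exe') {   # string comparison is case-insensitive
        $findings += "version resource names '$orig', expected 'sethc.exe'"
    }
    # Direct test for the state that step 3 of the post leaves behind.
    if ((Test-Path -LiteralPath $cmd) -and
        ((Get-Sha256Hex $sethc) -eq (Get-Sha256Hex $cmd))) {
        $findings += 'sethc.exe is byte-identical to cmd.exe'
    }
    return $findings
}

$findings = @(Get-SethcFindings $SystemDir)
if ($findings.Count -eq 0) {
    "OK: $SystemDir\sethc.exe looks like the original Sticky Keys binary"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    exit 1
}
```

Pass -SystemDir to check the Windows directory of a mounted offline volume. From a 32-bit PowerShell on 64-bit Windows, System32 is redirected to SysWOW64, so run it from a 64-bit session.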