Solved

Domain Trust broken, but GPO still exists effecting local admin account

Posted on 2014-10-16
4
302 Views
Last Modified: 2014-10-22
I deleted the computer account from AD but now want to add machine back to domain.  Problem is when I deleted the account it left in place a group policy that now appears to have set the local administrator account on the machine to be a guest only.  I can log in as the local admin account, but it has no rights to open the machines settings which allow me to attach to a domain... say it's restricted by group policy.

Need to either be able to disable the domain group policies that are still in place, or, need to be able to create another local account that actually has admin rights on the local machine.

Domain is running on server 2012R2 and the client machine is Win7.
0
Comment
Question by:Sys_Admin1
  • 2
4 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
Comment Utility
You are very likely looking at reinstalling the OS.  Group policies are meant to be enforced so end-users can't override the settings. In most circumstances, once you are no longer on a domain, you can make changes and the settings won't get re-applied. But in this instances, you don't have access to an account that can make those changes. That invariably means there is no clean way to undo what has been done.
0
 
LVL 3

Expert Comment

by:Glingo
Comment Utility
Hi,

Can't you just edit the local accounts with Hiren Boot CD?
0
 
LVL 1

Accepted Solution

by:
Sys_Admin1 earned 0 total points
Comment Utility
"Can't you just edit the local accounts with Hiren Boot CD? "

Tried it, but it wasn't able to add the local admin [now a guest account] back to the admin group.

-----------------------------

Here is how I fixed it:

1. Booted using a windows 7 disk, and selected repair.
2. Used a command prompt to make a backup of the file c:\windows\system32\sethc.exe
3. Copied cmd.exe over sethc.exe
4. Booted the machine into windows and at the "press ctl-alt-delete to log on" window I hit shift 5 times.  By renaming cmd.exe to sethc.exe, which is the sticky key utility, instead of the sticky key menu it opened a command prompt.
I then issued the command: "net localgroup administrator admin /add"  Which added the admin user back into the local administrator account.  It gave a warning that the trust relationship with the domain had failed, but when I booted into windows under the local admin account I could then remove the machine from the domain using my domain creds, and after a reboot I could add the machine back to the domain.

I pieced that together from several different forum posts on the web.
0
 
LVL 1

Author Closing Comment

by:Sys_Admin1
Comment Utility
Fixed it myself after researching on web.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now