Solved

Domain Trust broken, but GPO still exists affecting local admin account

Posted on 2014-10-16
Last Modified: 2014-10-22
I deleted the computer account from AD but now want to add machine back to domain. Problem is when I deleted the account it left in place a group policy that now appears to have set the local administrator account on the machine to be a guest only. I can log in as the local admin account, but it has no rights to open the machine's settings which allow me to attach to a domain... says it's restricted by group policy.

Need to either be able to disable the domain group policies that are still in place, or, need to be able to create another local account that actually has admin rights on the local machine.

Domain is running on server 2012R2 and the client machine is Win7.
Question by:Sys_Admin1
Expert Comment

by:Cliff Galiher
ID: 40385086
You are very likely looking at reinstalling the OS. Group policies are meant to be enforced so end-users can't override the settings. In most circumstances, once you are no longer on a domain, you can make changes and the settings won't get re-applied. But in this instance, you don't have access to an account that can make those changes. That invariably means there is no clean way to undo what has been done.

Expert Comment

by:Glingo
ID: 40385089
Hi,

Can't you just edit the local accounts with Hiren Boot CD?

Accepted Solution

by: Sys_Admin1
ID: 40386863
"Can't you just edit the local accounts with Hiren Boot CD? "

Tried it, but it wasn't able to add the local admin [now a guest account] back to the admin group.

-----------------------------

Here is how I fixed it:

1. Booted using a Windows 7 disk, and selected repair.
2. Used a command prompt to make a backup of the file c:\windows\system32\sethc.exe
3. Copied cmd.exe over sethc.exe
4. Booted the machine into Windows and at the "press ctl-alt-delete to log on" window I hit Shift 5 times. By renaming cmd.exe to sethc.exe, which is the sticky key utility, instead of the sticky key menu it opened a command prompt.
I then issued the command: "net localgroup administrators admin /add", which added the admin user back into the local administrator account. It gave a warning that the trust relationship with the domain had failed, but when I booted into Windows under the local admin account I could then remove the machine from the domain using my domain creds, and after a reboot I could add the machine back to the domain.

I pieced that together from several different forum posts on the web.
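
A follow-up check for the procedure above, as an added example that is not part of the original post: the steps leave cmd.exe in place of sethc.exe, so the logon screen keeps opening a command prompt until the backup from step 2 is copied back. The function names and the -BackupPath parameter are hypothetical; the script reports whether sethc.exe is currently a copy of cmd.exe and, if a backup path is given, whether it matches that backup.

```powershell
# Added example, not from the original thread. Runs on PowerShell 2.0
# (the Windows 7 default), so hashing goes through .NET directly.
function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Dispose()
        $sha.Clear()
    }
}

function Test-StickyKeysBinary {
    param(
        # Directory holding sethc.exe and cmd.exe. Point it at an offline
        # volume's System32 when checking from a repair environment.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        # Hypothetical parameter: full path of the backup made in step 2.
        [string]$BackupPath
    )
    $sethc = Join-Path $System32 'sethc.exe'
    $cmd   = Join-Path $System32 'cmd.exe'
    $sethcHash = Get-Sha256Hex $sethc

    # Secondary check: a swapped file is named sethc.exe on disk, but its
    # version resource normally still carries the name it was built with.
    $embedded = (Get-Item -LiteralPath $sethc).VersionInfo.OriginalFilename

    $result = New-Object PSObject -Property @{
        Path             = $sethc
        Sha256           = $sethcHash
        OriginalFilename = $embedded
        IsCopyOfCmd      = ($sethcHash -eq (Get-Sha256Hex $cmd))
        NameMatches      = ($embedded -like 'sethc.exe*')
        MatchesBackup    = $null   # stays $null when no backup is given
    }
    if ($BackupPath -and (Test-Path -LiteralPath $BackupPath)) {
        $result.MatchesBackup = ($sethcHash -eq (Get-Sha256Hex $BackupPath))
    }
    $result
}

# Report for the running system; a healthy result has IsCopyOfCmd = False
# and NameMatches = True.
Test-StickyKeysBinary | Format-List
```

Run it from a 64-bit PowerShell session on 64-bit Windows, since a 32-bit session is redirected away from the real System32 directory.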

Author Closing Comment

by:Sys_Admin1
ID: 40396498
Fixed it myself after researching on web.

Question has a verified solution.
