Solved

Domain Trust broken, but GPO still exists effecting local admin account

Posted on 2014-10-16
4
317 Views
Last Modified: 2014-10-22
I deleted the computer account from AD but now want to add machine back to domain.  Problem is when I deleted the account it left in place a group policy that now appears to have set the local administrator account on the machine to be a guest only.  I can log in as the local admin account, but it has no rights to open the machines settings which allow me to attach to a domain... say it's restricted by group policy.

Need to either be able to disable the domain group policies that are still in place, or, need to be able to create another local account that actually has admin rights on the local machine.

Domain is running on server 2012R2 and the client machine is Win7.
0
Comment
Question by:Sys_Admin1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40385086
You are very likely looking at reinstalling the OS.  Group policies are meant to be enforced so end-users can't override the settings. In most circumstances, once you are no longer on a domain, you can make changes and the settings won't get re-applied. But in this instances, you don't have access to an account that can make those changes. That invariably means there is no clean way to undo what has been done.
0
 
LVL 3

Expert Comment

by:Glingo
ID: 40385089
Hi,

Can't you just edit the local accounts with Hiren Boot CD?
0
 
LVL 1

Accepted Solution

by:
Sys_Admin1 earned 0 total points
ID: 40386863
"Can't you just edit the local accounts with Hiren Boot CD? "

Tried it, but it wasn't able to add the local admin [now a guest account] back to the admin group.

-----------------------------

Here is how I fixed it:

1. Booted using a windows 7 disk, and selected repair.
2. Used a command prompt to make a backup of the file c:\windows\system32\sethc.exe
3. Copied cmd.exe over sethc.exe
4. Booted the machine into windows and at the "press ctl-alt-delete to log on" window I hit shift 5 times.  By renaming cmd.exe to sethc.exe, which is the sticky key utility, instead of the sticky key menu it opened a command prompt.
I then issued the command: "net localgroup administrator admin /add"  Which added the admin user back into the local administrator account.  It gave a warning that the trust relationship with the domain had failed, but when I booted into windows under the local admin account I could then remove the machine from the domain using my domain creds, and after a reboot I could add the machine back to the domain.

I pieced that together from several different forum posts on the web.
0
 
LVL 1

Author Closing Comment

by:Sys_Admin1
ID: 40396498
Fixed it myself after researching on web.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every now and then, Microsoft does something that totally impresses me. It doesn't happen often, but in this case I must say I am thoroughly impressed with Windows Server Backup. One of the long time issues with Windows Backup has been the ability t…
The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question