[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

How to re-join domain, with no local administrator enabled

Posted on 2014-12-04
13
Medium Priority
?
1,735 Views
Last Modified: 2014-12-11
Hi,

In a domain, all pc´s have disabled the local administrator account - and default users have no admin rights. (well, safe and fine)
But if then suddenly at logon the message : The trust relationship between this workstation and the primary domain failed

So - normally in old XP days a rejoin of the domain would fix it with a local admin account. But how to do this now ? Is there a way to create a local admin account so there can be logged in

By the way - the PC is running bitlocker, and bitlocker code for the computer can not be found, as the domain don´t see the pc anybore

So any suggestions please ?
0
Comment
Question by:dvbguy1
  • 5
  • 5
  • 2
  • +1
13 Comments
 
LVL 37

Expert Comment

by:Kimputer
ID: 40480392
If a domain admin has logged on before, you can disconnect LAN, and reboot. You will still be able to login with the domain admin account.
If not, the Bitlocker is blocking the conventional methods (enable admin through boot cd), and I'm out of ideas.
0
 

Author Comment

by:dvbguy1
ID: 40480399
Admin newer login on computers - so there are nothing cached.
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480405
You can try restore secure channel from powershell, but must be run as administrator:
Test-ComputerSecureChannel –Server *dc name* -Repair -Verbose
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 

Author Comment

by:dvbguy1
ID: 40480409
Local administrator disabled
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480423
Try right click, run as administrator ;)
0
 

Author Comment

by:dvbguy1
ID: 40480430
yes it ask for credentials - but what to enter ?. administrator is disabled, and domain admin can also not be used, as the domain is not connected on the pc
0
 
LVL 58

Accepted Solution

by:
McKnife earned 2000 total points
ID: 40480465
The solution is always to offline-enable the local admin account. This can be done only if the hard drive is accessible, that means after unlocking bitlocker. Simple steps:
1 boot win7/8.x setup
2 press shift F10 to get a command line
3 manage-bde -unlock c: -pw (please note that pw stands for password, which will not be present for win7 - here you will need -rk (recovery key), also, the drive letter (here c:) needs to be adapted)
4 rename c:\windows\system32\utilman.exe to utilman.bak and copy cmd.exe to utilman.exe (in the same directory)
5 reboot, press ctrl shift del and then click on the utilman symbol (lower left) - a command line will appear with system rights
6 use the command "net user administrator /active newpassword"
7 logon as administrator with newpassword
8 disjoin/rejoin domain
9 undo your utilman changes and disable the local admin again.

Proven solution.

But: since you deleted the computer object, it seems you don't have the bitlocker recovery key... how does the hard drive boot, what protector is used, tpm only?
0
 

Author Comment

by:dvbguy1
ID: 40480470
Yes - TPM
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40480495
Ok, TPM only without a PIN? That's bad for you.
If you don't have the recovery key and (what you should have done) no second backup but AD existed, then there are only 3 ways left:
-replay a backup (if existent) - it will be replayed unencrypted and everything will be good
-do a so-called "cold boot attack" on your tpm (youtube tells you what that is, it's somewhere next to what James Bond would do)
-if the system is not patched to the max and no firewall is active try to exploit its services via network to get access (that's experts'/pentesters' work)
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40481677
Ah, wait, years Active directory has introduced a recycle bin for objects, so you can maybe revive that computer object and with it, the Bitlocker recovery key. Has recycle bin been setup?
0
 

Author Comment

by:dvbguy1
ID: 40482325
hi,
You wrote
1 boot win7/8.x setup

with that you mean, to boot on windows 7 installation disc or ?
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40482336
Correct.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40493579
Could you unlock it? How did you end up?
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Sometimes it necessary to set special permissions on user objects.  For instance when using a Blackberry server, the SendAs permission needs to be set. I see many admins struggle with the setting that permission only to see it disappear within a few…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

591 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question