Solved

How to re-join domain, with no local administrator enabled

Posted on 2014-12-04
13
867 Views
Last Modified: 2014-12-11
Hi,

In a domain, all pc´s have disabled the local administrator account - and default users have no admin rights. (well, safe and fine)
But if then suddenly at logon the message : The trust relationship between this workstation and the primary domain failed

So - normally in old XP days a rejoin of the domain would fix it with a local admin account. But how to do this now ? Is there a way to create a local admin account so there can be logged in

By the way - the PC is running bitlocker, and bitlocker code for the computer can not be found, as the domain don´t see the pc anybore

So any suggestions please ?
0
Comment
Question by:dvbguy1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 2
  • +1
13 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40480392
If a domain admin has logged on before, you can disconnect LAN, and reboot. You will still be able to login with the domain admin account.
If not, the Bitlocker is blocking the conventional methods (enable admin through boot cd), and I'm out of ideas.
0
 

Author Comment

by:dvbguy1
ID: 40480399
Admin newer login on computers - so there are nothing cached.
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480405
You can try restore secure channel from powershell, but must be run as administrator:
Test-ComputerSecureChannel –Server *dc name* -Repair -Verbose
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:dvbguy1
ID: 40480409
Local administrator disabled
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480423
Try right click, run as administrator ;)
0
 

Author Comment

by:dvbguy1
ID: 40480430
yes it ask for credentials - but what to enter ?. administrator is disabled, and domain admin can also not be used, as the domain is not connected on the pc
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40480465
The solution is always to offline-enable the local admin account. This can be done only if the hard drive is accessible, that means after unlocking bitlocker. Simple steps:
1 boot win7/8.x setup
2 press shift F10 to get a command line
3 manage-bde -unlock c: -pw (please note that pw stands for password, which will not be present for win7 - here you will need -rk (recovery key), also, the drive letter (here c:) needs to be adapted)
4 rename c:\windows\system32\utilman.exe to utilman.bak and copy cmd.exe to utilman.exe (in the same directory)
5 reboot, press ctrl shift del and then click on the utilman symbol (lower left) - a command line will appear with system rights
6 use the command "net user administrator /active newpassword"
7 logon as administrator with newpassword
8 disjoin/rejoin domain
9 undo your utilman changes and disable the local admin again.

Proven solution.

But: since you deleted the computer object, it seems you don't have the bitlocker recovery key... how does the hard drive boot, what protector is used, tpm only?
0
 

Author Comment

by:dvbguy1
ID: 40480470
Yes - TPM
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40480495
Ok, TPM only without a PIN? That's bad for you.
If you don't have the recovery key and (what you should have done) no second backup but AD existed, then there are only 3 ways left:
-replay a backup (if existent) - it will be replayed unencrypted and everything will be good
-do a so-called "cold boot attack" on your tpm (youtube tells you what that is, it's somewhere next to what James Bond would do)
-if the system is not patched to the max and no firewall is active try to exploit its services via network to get access (that's experts'/pentesters' work)
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40481677
Ah, wait, years Active directory has introduced a recycle bin for objects, so you can maybe revive that computer object and with it, the Bitlocker recovery key. Has recycle bin been setup?
0
 

Author Comment

by:dvbguy1
ID: 40482325
hi,
You wrote
1 boot win7/8.x setup

with that you mean, to boot on windows 7 installation disc or ?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40482336
Correct.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40493579
Could you unlock it? How did you end up?
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
In-place Upgrading Dirsync to Azure AD Connect
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question