Solved

How to re-join domain, with no local administrator enabled

Posted on 2014-12-04
13
663 Views
Last Modified: 2014-12-11
Hi,

In a domain, all pc´s have disabled the local administrator account - and default users have no admin rights. (well, safe and fine)
But if then suddenly at logon the message : The trust relationship between this workstation and the primary domain failed

So - normally in old XP days a rejoin of the domain would fix it with a local admin account. But how to do this now ? Is there a way to create a local admin account so there can be logged in

By the way - the PC is running bitlocker, and bitlocker code for the computer can not be found, as the domain don´t see the pc anybore

So any suggestions please ?
0
Comment
Question by:dvbguy1
  • 5
  • 5
  • 2
  • +1
13 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40480392
If a domain admin has logged on before, you can disconnect LAN, and reboot. You will still be able to login with the domain admin account.
If not, the Bitlocker is blocking the conventional methods (enable admin through boot cd), and I'm out of ideas.
0
 

Author Comment

by:dvbguy1
ID: 40480399
Admin newer login on computers - so there are nothing cached.
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480405
You can try restore secure channel from powershell, but must be run as administrator:
Test-ComputerSecureChannel –Server *dc name* -Repair -Verbose
0
 

Author Comment

by:dvbguy1
ID: 40480409
Local administrator disabled
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480423
Try right click, run as administrator ;)
0
 

Author Comment

by:dvbguy1
ID: 40480430
yes it ask for credentials - but what to enter ?. administrator is disabled, and domain admin can also not be used, as the domain is not connected on the pc
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40480465
The solution is always to offline-enable the local admin account. This can be done only if the hard drive is accessible, that means after unlocking bitlocker. Simple steps:
1 boot win7/8.x setup
2 press shift F10 to get a command line
3 manage-bde -unlock c: -pw (please note that pw stands for password, which will not be present for win7 - here you will need -rk (recovery key), also, the drive letter (here c:) needs to be adapted)
4 rename c:\windows\system32\utilman.exe to utilman.bak and copy cmd.exe to utilman.exe (in the same directory)
5 reboot, press ctrl shift del and then click on the utilman symbol (lower left) - a command line will appear with system rights
6 use the command "net user administrator /active newpassword"
7 logon as administrator with newpassword
8 disjoin/rejoin domain
9 undo your utilman changes and disable the local admin again.

Proven solution.

But: since you deleted the computer object, it seems you don't have the bitlocker recovery key... how does the hard drive boot, what protector is used, tpm only?
0
 

Author Comment

by:dvbguy1
ID: 40480470
Yes - TPM
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40480495
Ok, TPM only without a PIN? That's bad for you.
If you don't have the recovery key and (what you should have done) no second backup but AD existed, then there are only 3 ways left:
-replay a backup (if existent) - it will be replayed unencrypted and everything will be good
-do a so-called "cold boot attack" on your tpm (youtube tells you what that is, it's somewhere next to what James Bond would do)
-if the system is not patched to the max and no firewall is active try to exploit its services via network to get access (that's experts'/pentesters' work)
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40481677
Ah, wait, years Active directory has introduced a recycle bin for objects, so you can maybe revive that computer object and with it, the Bitlocker recovery key. Has recycle bin been setup?
0
 

Author Comment

by:dvbguy1
ID: 40482325
hi,
You wrote
1 boot win7/8.x setup

with that you mean, to boot on windows 7 installation disc or ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40482336
Correct.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40493579
Could you unlock it? How did you end up?
0

Join & Write a Comment

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now