Solved

How to re-join domain, with no local administrator enabled

Posted on 2014-12-04
13
714 Views
Last Modified: 2014-12-11
Hi,

In a domain, all pc´s have disabled the local administrator account - and default users have no admin rights. (well, safe and fine)
But if then suddenly at logon the message : The trust relationship between this workstation and the primary domain failed

So - normally in old XP days a rejoin of the domain would fix it with a local admin account. But how to do this now ? Is there a way to create a local admin account so there can be logged in

By the way - the PC is running bitlocker, and bitlocker code for the computer can not be found, as the domain don´t see the pc anybore

So any suggestions please ?
0
Comment
Question by:dvbguy1
  • 5
  • 5
  • 2
  • +1
13 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40480392
If a domain admin has logged on before, you can disconnect LAN, and reboot. You will still be able to login with the domain admin account.
If not, the Bitlocker is blocking the conventional methods (enable admin through boot cd), and I'm out of ideas.
0
 

Author Comment

by:dvbguy1
ID: 40480399
Admin newer login on computers - so there are nothing cached.
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480405
You can try restore secure channel from powershell, but must be run as administrator:
Test-ComputerSecureChannel –Server *dc name* -Repair -Verbose
0
 

Author Comment

by:dvbguy1
ID: 40480409
Local administrator disabled
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480423
Try right click, run as administrator ;)
0
 

Author Comment

by:dvbguy1
ID: 40480430
yes it ask for credentials - but what to enter ?. administrator is disabled, and domain admin can also not be used, as the domain is not connected on the pc
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40480465
The solution is always to offline-enable the local admin account. This can be done only if the hard drive is accessible, that means after unlocking bitlocker. Simple steps:
1 boot win7/8.x setup
2 press shift F10 to get a command line
3 manage-bde -unlock c: -pw (please note that pw stands for password, which will not be present for win7 - here you will need -rk (recovery key), also, the drive letter (here c:) needs to be adapted)
4 rename c:\windows\system32\utilman.exe to utilman.bak and copy cmd.exe to utilman.exe (in the same directory)
5 reboot, press ctrl shift del and then click on the utilman symbol (lower left) - a command line will appear with system rights
6 use the command "net user administrator /active newpassword"
7 logon as administrator with newpassword
8 disjoin/rejoin domain
9 undo your utilman changes and disable the local admin again.

Proven solution.

But: since you deleted the computer object, it seems you don't have the bitlocker recovery key... how does the hard drive boot, what protector is used, tpm only?
0
 

Author Comment

by:dvbguy1
ID: 40480470
Yes - TPM
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40480495
Ok, TPM only without a PIN? That's bad for you.
If you don't have the recovery key and (what you should have done) no second backup but AD existed, then there are only 3 ways left:
-replay a backup (if existent) - it will be replayed unencrypted and everything will be good
-do a so-called "cold boot attack" on your tpm (youtube tells you what that is, it's somewhere next to what James Bond would do)
-if the system is not patched to the max and no firewall is active try to exploit its services via network to get access (that's experts'/pentesters' work)
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40481677
Ah, wait, years Active directory has introduced a recycle bin for objects, so you can maybe revive that computer object and with it, the Bitlocker recovery key. Has recycle bin been setup?
0
 

Author Comment

by:dvbguy1
ID: 40482325
hi,
You wrote
1 boot win7/8.x setup

with that you mean, to boot on windows 7 installation disc or ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40482336
Correct.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40493579
Could you unlock it? How did you end up?
0

Featured Post

Give your grad a cloud of their own!

With up to 8TB of storage, give your favorite graduate their own personal cloud to centralize all their photos, videos and music in one safe place. They can save, sync and share all their stuff, and automatic photo backup helps free up space on their smartphone and tablet.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now