Solved

How to re-join domain, with no local administrator enabled

Posted on 2014-12-04
1,062 Views
Last Modified: 2014-12-11
Hi,

In a domain, all PCs have the local administrator account disabled - and default users have no admin rights. (well, safe and fine)
But then suddenly at logon the message: The trust relationship between this workstation and the primary domain failed

So - normally in old XP days a rejoin of the domain would fix it with a local admin account. But how to do this now? Is there a way to create a local admin account so there can be logged in?

By the way - the PC is running BitLocker, and the BitLocker code for the computer can not be found, as the domain doesn't see the PC anymore.

So any suggestions please?
Question by:dvbguy1
13 Comments
 
LVL 36

Expert Comment

by:Kimputer
ID: 40480392
If a domain admin has logged on before, you can disconnect LAN, and reboot. You will still be able to login with the domain admin account.
If not, the Bitlocker is blocking the conventional methods (enable admin through boot cd), and I'm out of ideas.
0
 

Author Comment

by:dvbguy1
ID: 40480399
Admin never logs in on the computers - so there is nothing cached.
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480405
You can try to restore the secure channel from PowerShell, but it must be run as administrator:
Test-ComputerSecureChannel -Server *dc name* -Repair -Verbose
0
 

Author Comment

by:dvbguy1
ID: 40480409
Local administrator disabled
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40480423
Try right click, run as administrator ;)
0
 

Author Comment

by:dvbguy1
ID: 40480430
Yes, it asks for credentials - but what to enter? Administrator is disabled, and the domain admin can also not be used, as the domain is not connected on the PC.
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 40480465
The solution is always to offline-enable the local admin account. This can be done only if the hard drive is accessible, that means after unlocking BitLocker. Simple steps:
1 boot Win7/8.x setup
2 press Shift+F10 to get a command line
3 manage-bde -unlock c: -pw (please note that -pw stands for password, which will not be present for Win7 - there you will need -rk (recovery key); also, the drive letter (here c:) needs to be adapted)
4 rename c:\windows\system32\utilman.exe to utilman.bak and copy cmd.exe to utilman.exe (in the same directory)
5 reboot, press ctrl shift del and then click on the utilman symbol (lower left) - a command line will appear with system rights
6 use the command "net user administrator newpassword /active:yes"
7 logon as administrator with newpassword
8 disjoin/rejoin domain
9 undo your utilman changes and disable the local admin again.

Proven solution.

But: since you deleted the computer object, it seems you don't have the bitlocker recovery key... how does the hard drive boot, what protector is used, tpm only?
0
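A post-recovery check for the workstation, added here as an example and not part of McKnife's answer: it verifies that steps 4 and 9 above were actually undone and that the secure channel is healthy after the rejoin. It assumes Windows 10 / PowerShell 5.1 (for Get-LocalUser) and an elevated session on the repaired PC.

```powershell
# Added example, not from the thread. Assumes Windows 10 / PowerShell 5.1
# (Get-LocalUser) and an elevated session on the repaired workstation.
function Test-RejoinCleanup {
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $utilman = Join-Path $sys32 'utilman.exe'
    $cmd     = Join-Path $sys32 'cmd.exe'
    $issues  = @()

    # Step 4 undone? utilman.exe must not be a byte-for-byte copy of cmd.exe
    $utilHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
    $cmdHash  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
    if ($utilHash -eq $cmdHash) { $issues += 'utilman.exe is still a copy of cmd.exe' }

    # The genuine binary identifies itself in its version resource; cmd.exe says "Cmd.Exe"
    $origName = (Get-Item $utilman).VersionInfo.OriginalFilename
    if ($origName -notlike 'utilman*') { $issues += "utilman.exe reports OriginalFilename '$origName'" }

    # The renamed original should have been moved back, not left in System32
    if (Test-Path (Join-Path $sys32 'utilman.bak')) { $issues += 'utilman.bak still present' }

    # Step 9: the built-in Administrator (RID 500) should be disabled again
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin -and $builtin.Enabled) { $issues += "built-in account '$($builtin.Name)' is enabled" }

    # The rejoin should leave a working secure channel (same check Miguel suggested, without -Repair)
    if (-not (Test-ComputerSecureChannel)) { $issues += 'secure channel to the domain is broken' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Healthy  = ($issues.Count -eq 0)
        Issues   = $issues
    }
}

Test-RejoinCleanup | Format-List
```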
 

Author Comment

by:dvbguy1
ID: 40480470
Yes - TPM
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40480495
Ok, TPM only without a PIN? That's bad for you.
If you don't have the recovery key and (what you should have done) no second backup but AD existed, then there are only 3 ways left:
-replay a backup (if existent) - it will be replayed unencrypted and everything will be good
-do a so-called "cold boot attack" on your tpm (youtube tells you what that is, it's somewhere next to what James Bond would do)
-if the system is not patched to the max and no firewall is active try to exploit its services via network to get access (that's experts'/pentesters' work)
0
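An added example (not McKnife's or the asker's code) of the "second backup" he mentions: it makes sure a recovery-password protector exists next to the TPM protector, escrows it to AD and writes an out-of-band copy, so losing the computer object does not mean losing the key. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later), an elevated session, AD configured to accept BitLocker recovery information, and a placeholder share path.

```powershell
# Added example, not from the thread. Assumes the BitLocker module, an elevated
# session and an AD that accepts msFVE-RecoveryInformation objects.
# '\\FILESERVER\BitLockerKeys$\keys.csv' is a placeholder for an access-controlled share.
function Backup-RecoveryInformation {
    param([string]$MountPoint = 'C:',
          [string]$OfflineCopy = '\\FILESERVER\BitLockerKeys$\keys.csv')

    $volume = Get-BitLockerVolume -MountPoint $MountPoint

    # A TPM-only protector unlocks the disk silently at boot; without a recovery
    # password there is nothing to fall back on once the AD object is gone.
    $recovery = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($rp in $recovery) {
        # Copy 1: Active Directory, stored under the computer object
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

        # Copy 2: an out-of-band record that survives deletion of the computer object
        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            KeyProtectorId   = $rp.KeyProtectorId
            RecoveryPassword = $rp.RecoveryPassword
            BackedUp         = Get-Date -Format o
        } | Export-Csv -Path $OfflineCopy -Append -NoTypeInformation
    }

    # Returns the protector types now present, e.g. Tpm + RecoveryPassword
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
}

Backup-RecoveryInformation

# Raising the bar above TPM-only (the case McKnife calls "bad for you") means adding a
# PIN; this needs the "Require additional authentication at startup" policy enabled:
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
```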
 
LVL 55

Expert Comment

by:McKnife
ID: 40481677
Ah, wait, years ago Active Directory introduced a recycle bin for objects, so you can maybe revive that computer object and with it the BitLocker recovery key. Has the recycle bin been set up?
0
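The recycle-bin recovery McKnife hints at, worked through as an added example (not code from the thread): restore the deleted computer object, then its msFVE-RecoveryInformation children, and read back the 48-digit recovery password. It assumes the ActiveDirectory module, Domain Admin rights, that the AD Recycle Bin was enabled before the deletion, that recovery information was escrowed to AD in the first place, and 'PC01' as a placeholder computer name.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module,
# Domain Admin rights and an AD Recycle Bin that was enabled before the deletion.
# 'PC01' is a placeholder computer name.
Import-Module ActiveDirectory

function Restore-ComputerWithRecoveryKeys {
    param([string]$ComputerName = 'PC01')

    # Without the optional feature, deleted objects are tombstoned and cannot be revived this way
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) {
        throw 'AD Recycle Bin is not enabled; the computer object cannot be restored.'
    }

    # Deleted objects keep their name with a "\0ADEL:<guid>" suffix, hence the wildcard
    $pattern = "$ComputerName*"
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'computer' -and Name -like $pattern } `
        -IncludeDeletedObjects
    if (-not $deleted) { throw "No deleted computer object matching $ComputerName" }

    # Parent first: children can only be restored once their parent exists again
    Restore-ADObject -Identity $deleted.ObjectGUID
    $computer = Get-ADComputer -Identity $ComputerName

    # The BitLocker recovery passwords live in child objects that were deleted with the parent
    Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'msFVE-RecoveryInformation' } `
        -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -eq $computer.DistinguishedName } |
        ForEach-Object { Restore-ADObject -Identity $_.ObjectGUID }

    # Read back the restored recovery information; the GUID matches the protector ID
    # shown by "manage-bde -protectors -get c:" on the machine
    Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -SearchBase $computer.DistinguishedName `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', whenCreated |
        Select-Object whenCreated,
            @{ n = 'KeyProtectorId'; e = { New-Object System.Guid -ArgumentList (, [byte[]]$_.'msFVE-RecoveryGuid') } },
            'msFVE-RecoveryPassword'
}

Restore-ComputerWithRecoveryKeys -ComputerName 'PC01' | Format-List
```

If the feature was not enabled before the deletion, only the tombstone remains and the recovery information is gone from AD; that is the case where the offline copy matters.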
 

Author Comment

by:dvbguy1
ID: 40482325
Hi,
You wrote
1 boot Win7/8.x setup

With that do you mean to boot from a Windows 7 installation disc, or?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40482336
Correct.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40493579
Could you unlock it? How did you end up?
0
