dvbguy1
asked on
How to re-join domain, with no local administrator enabled
Hi,
In a domain, all pc´s have disabled the local administrator account - and default users have no admin rights. (well, safe and fine)
But if then suddenly at logon the message : The trust relationship between this workstation and the primary domain failed
So - normally in old XP days a rejoin of the domain would fix it with a local admin account. But how to do this now ? Is there a way to create a local admin account so there can be logged in
By the way - the PC is running bitlocker, and bitlocker code for the computer can not be found, as the domain don´t see the pc anybore
So any suggestions please ?
In a domain, all pc´s have disabled the local administrator account - and default users have no admin rights. (well, safe and fine)
But if then suddenly at logon the message : The trust relationship between this workstation and the primary domain failed
So - normally in old XP days a rejoin of the domain would fix it with a local admin account. But how to do this now ? Is there a way to create a local admin account so there can be logged in
By the way - the PC is running bitlocker, and bitlocker code for the computer can not be found, as the domain don´t see the pc anybore
So any suggestions please ?
ASKER
Admin newer login on computers - so there are nothing cached.
You can try restore secure channel from powershell, but must be run as administrator:
Test-ComputerSecureChannel –Server *dc name* -Repair -Verbose
Test-ComputerSecureChannel
ASKER
Local administrator disabled
Try right click, run as administrator ;)
ASKER
yes it ask for credentials - but what to enter ?. administrator is disabled, and domain admin can also not be used, as the domain is not connected on the pc
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yes - TPM
Ok, TPM only without a PIN? That's bad for you.
If you don't have the recovery key and (what you should have done) no second backup but AD existed, then there are only 3 ways left:
-replay a backup (if existent) - it will be replayed unencrypted and everything will be good
-do a so-called "cold boot attack" on your tpm (youtube tells you what that is, it's somewhere next to what James Bond would do)
-if the system is not patched to the max and no firewall is active try to exploit its services via network to get access (that's experts'/pentesters' work)
If you don't have the recovery key and (what you should have done) no second backup but AD existed, then there are only 3 ways left:
-replay a backup (if existent) - it will be replayed unencrypted and everything will be good
-do a so-called "cold boot attack" on your tpm (youtube tells you what that is, it's somewhere next to what James Bond would do)
-if the system is not patched to the max and no firewall is active try to exploit its services via network to get access (that's experts'/pentesters' work)
Ah, wait, years Active directory has introduced a recycle bin for objects, so you can maybe revive that computer object and with it, the Bitlocker recovery key. Has recycle bin been setup?
ASKER
hi,
You wrote
1 boot win7/8.x setup
with that you mean, to boot on windows 7 installation disc or ?
You wrote
1 boot win7/8.x setup
with that you mean, to boot on windows 7 installation disc or ?
Correct.
Could you unlock it? How did you end up?
If not, the Bitlocker is blocking the conventional methods (enable admin through boot cd), and I'm out of ideas.