Laptop domain trust issue

I have a Windows 8 (not 8.1) laptop that cannot logon to the domain anymore because of a database trust relationship issue with the server (2012R2).

I cannot rejoin the domain as there are no local admins on the laptop. I can only login to the laptop when network is disabled.

But even when I login to the laptop with the server admin account it won't work, it says I don't have the admin rights to remove the computer from the domain.

I tried resetting the local admin account with Offline NT password but no luck there. I tried to do a system restore but it cannot find any restore points. Am I really that screwed that I have to reinstall the laptop?
IT Meetjesland Asked:

Cliff Galiher Commented:
If you don't have access or can't get access to a local admin account then a full reinstall or a restore from a known good backup will be required.
Joseph Moody (Blogger and wearer of all hats.) Commented:
If you can login as the server admin account with network access, launch PowerShell and see if you can use the command:

Reset-ComputerMachinePassword -Server YOURDOMAINCONTROLLER -Credential Domain01\Admin01
Zac Harris (Systems Administrator) Commented:
No, you should be able to re-enable the local administrator account (this is disabled when you create another account with admin rights at setup or also with group policy).

You have several options on how to re-enable the admin account:

Press the Windows key to open the metro interface and then type command prompt in the search box. Next, right-click on command prompt and Run it as administrator. Copy this code net user administrator /active:yes and paste it in the command prompt. Then, press Enter to enable your built-in administrator account.


Boot from your Windows 8 installation DVD or Thumb Drive. Then press Shift + F10 when you are at the Install Windows screen. The elevated command prompt at boot will now open.

Then, in the command prompt, type regedit and press Enter.
In the left pane of Registry Editor, click/tap on the HKEY_LOCAL_MACHINE key.
Click/tap on File (menu bar) and on Load Hive.
Open the drive (ex: D) that you have Windows 8 installed on, and browse to the location D:\Windows\System32\config (You need to know what drive Windows is installed on, usually C:\)
Select the SAM file, and click/tap on Open.
In the Load Hive dialog, type REM_SAM and click/tap on OK.
In the left of Registry Editor, navigate to and open the key HKEY_LOCAL_MACHINE\REM_SAM\SAM\Domains\Accounts\Users\000001F4
In the right pane of 000001F4, double click/tap on F to modify it.
In the 2nd column and 8th row, change 11 to 10, click/tap on OK.
Close Registry Editor and the command prompt.
Click/tap on Continue to Windows 8, or restart the computer.
The built-in Administrator will now be available to select to sign into.


Press the Windows + R keys to open the Run dialog, type lusrmgr.msc and click/tap on OK
In the left pane, click/tap on the Users folder, then in the middle pane, double click/tap on Administrator.
Uncheck the Account is disabled box, click/tap on OK.
Close the Local Users and Groups window.
The built-in Administrator will now be available to select to sign into.
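
What the 11 to 10 change in the F value means, as an added example that is not part of the original answer: key 000001F4 is RID 500 (the built-in Administrator), and the byte in row 8 of F is the low byte of the account-control flags, where bit 0x01 marks the account as disabled. The offsets follow the commonly documented F layout (an assumption, not stated on this page), the function names are hypothetical and the sample values are constructed; the same decode can confirm afterwards that the account has been disabled again.

```python
import struct

# Account-control (ACB) bits kept in the SAM "F" value (subset).
# Offsets are the commonly documented layout, assumed here.
ACB_DISABLED = 0x0001
ACB_FLAGS = {
    0x0001: "ACB_DISABLED",
    0x0004: "ACB_PWNOTREQ",
    0x0010: "ACB_NORMAL",
    0x0200: "ACB_PWNOEXP",
    0x0400: "ACB_AUTOLOCK",
}
RID_OFFSET = 0x30  # 4-byte little-endian RID
ACB_OFFSET = 0x38  # 2-byte little-endian flags: regedit row 8, first data byte


def decode_f_value(f_bytes):
    """Return (rid, acb, flag_names) decoded from a raw F value."""
    if len(f_bytes) < ACB_OFFSET + 2:
        raise ValueError("F value too short to hold the ACB field")
    (rid,) = struct.unpack_from("<I", f_bytes, RID_OFFSET)
    (acb,) = struct.unpack_from("<H", f_bytes, ACB_OFFSET)
    names = [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]
    return rid, acb, names


def builtin_admin_enabled(f_bytes):
    """True when the record is RID 500 and the disabled bit is clear."""
    rid, acb, _ = decode_f_value(f_bytes)
    return rid == 500 and not (acb & ACB_DISABLED)


def make_sample_f(rid, acb):
    """Constructed 80-byte F value; only the RID and ACB fields are set."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    struct.pack_into("<H", buf, ACB_OFFSET, acb)
    return bytes(buf)


if __name__ == "__main__":
    before = make_sample_f(500, 0x0211)  # row 8 starts with 11: disabled
    after = make_sample_f(500, 0x0210)   # row 8 starts with 10: enabled
    for label, raw in (("before", before), ("after", after)):
        rid, acb, names = decode_f_value(raw)
        print(label, rid, hex(acb), names, builtin_admin_enabled(raw))
```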


noxcho (Global Support Coordinator) Commented:
Right click on My Computer once you are logged in under any account in Windows 8.1 then select Manage - then Users and Groups and enable the Administrator account.
Login using this account - kick the machine out of domain and readd it. Restart and login using domain account.
Zac Harris (Systems Administrator) Commented:
Only one problem with noxcho's solution... you can't just re-add the machine to the domain using any account. The account has to either be a domain admin account on the domain or the account has to be a domain account with domain import privileges.

Apologies if that was implied; it wasn't clear... :)
noxcho (Global Support Coordinator) Commented:
Once he tries to readd or kick out the machine to/from the domain he will be prompted for a domain account :)
Zac Harris (Systems Administrator) Commented:
Don't forget to check the domain controller to ensure the object actually gets deleted when you drop from the domain. I've had computers with trust issues before where the system dropped but the object remained. It can cause all kinds of group policy and SID issues.
Zac Harris (Systems Administrator) Commented:
Especially if you want to keep the same machine name.
IT Meetjesland (Author) Commented:
Thanks Zac Harris! Editing the SAM file worked like a charm! :)