rgmckenz
Windows 10 computer with only Azure AD credentials to Office 365 tenant / AD user account missing and user can't login
I haven't seen this one before and since the user is remote, I thought I'd put it out there to see if anyone can provide a solution. I have a user with a Surface Pro 4 running Windows 10. The company has no local domain, so each computer logs in using their Office 365 / Azure AD account: <username>@<companydomain>.com. Has worked fine for months, but all of a sudden, the user could no longer log in to the Surface Pro. He is prompted with his full name for login, which looks like a local userid (not the Azure AD login), but none of his passwords work. There are no other user accounts appearing on the screen to the lower-left, and no option for "other user" logins. Only the wireless, accessibility and shutdown icons on the bottom-right of the screen.
So, what happened? Did he lose domain affiliation with the Microsoft Office 365 or Azure AD? If he has no active accounts other than the Azure account he first connected with, how is he able to log in? I can't really just wipe him out and restart factory fresh, as he has programs and data on the Surface Pro he needs. Is there a way to activate the Administrator account to get in and fix the problem, and if so, how do you fix the problem? Thanks in advance for your assistance!
ASKER
Thanks for the quick reply, McKnife! I created a boot USB for a test Surface Pro 4 (so that I can write some instructions for the remote user to recreate, if successful). However, after creating the boot Linux USB and attempting to boot to it on the Surface, it won't load and goes to a Windows 10 login screen. Other ideas?
That's because the Surface is configured for Secure Boot. Secure Boot is a security function in the UEFI configuration (formerly called BIOS). Try to turn it off.
ASKER
Some more information. This Surface Pro 4 is Secure Boot and BitLocker protected. I have the BitLocker key and I have disabled Secure Boot, but am still having trouble getting the test unit to boot the Linux USB properly. Frustrating to say the least. I've changed the BIOS boot sequence to boot temporarily from the USB directly, but still no go. As a test, I tried to boot to a USB flash drive with Windows 10 on it (a known good boot disk), but it refuses to boot to that either. Loving Windows 10 - NOT! It used to be so easy with other Windows operating systems, but the security was lax. Now it is a PITA for the hacks, but even more so for the Admins!
Not sure where I go from here, except to an official crack util for Windows 10 and/or maybe a CD-ROM version of the boot.
SOLUTION
ASKER
Thanks - I'll work on that when the unit arrives at my office. I had them ship it up here so I could work on it in person. I want to do some forensics and see why the original Azure AD account or domain affiliation went away to begin with. To be continued.......
ASKER
OK, I received the Surface Pro back. I attempted every method to boot to a USB stick or external CD-ROM drive, but was thwarted every time. Finally, here's what I did:
At the login screen, I restarted while holding down the Shift key to get into the troubleshooting options screen. From there under Advanced Options, I selected Command Prompt. After booting into a Bitdefender disable screen (where you have to type the huge Bitdefender key), I got to the Command Prompt. From there, I activated the local Administrator account by typing:
net user administrator /active:yes
After that, I exited Command Prompt and got back to the Troubleshooting screen again. This time, I set it up to reboot in Safe Mode. After another BitLocker unlock screen, it logged into Safe Mode using the Administrator account (which had no password). I assigned a password to the account and rebooted into Normal Mode. I was then able to log in as the Local Administrator. I created a recovery user account and assigned it to the local Administrators group. I then signed in as the recovery user account. From there, I went into Windows 10 Settings - System - About and rejoined the Azure AD domain as the original user's corporate account. I rebooted after it was completed, then clicked on Other User on the login screen and logged in as the user's corporate Azure AD account (email address and AD password). Finally, it was back - original profile and all!
Now, I've learned one important lesson. NEVER join a new computer directly to an Azure AD without first activating the Administrator account or at least creating some kind of local recovery account. I don't want to go through that process again! Hopefully, this helps someone else. Thanks to McKnife for pointing me in the right direction. Wish I could have booted the Surface Pro into a USB device instead, but I got tired of fighting it.
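The lesson above (provision a break-glass local account before the device is joined, and verify the join state) as an added PowerShell example; it is not from the thread or from any of its participants. The account name "LocalRecovery", the 24-byte random password, and storing that password in a vault are assumptions for illustration.

```powershell
# Added example (not from the thread): create a local recovery admin before Azure AD join,
# keep the built-in Administrator disabled, and check the join state afterwards. Run elevated.
#Requires -RunAsAdministrator

$RecoveryUser = 'LocalRecovery'   # assumed name for the break-glass account

function New-RecoveryPassword {
    # 24 CSPRNG bytes, Base64-encoded: a 32-character high-entropy password.
    # RNGCryptoServiceProvider works on both Windows PowerShell 5.1 and PowerShell 7.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RNGCryptoServiceProvider]::new().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

$plain  = New-RecoveryPassword
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

if (-not (Get-LocalUser -Name $RecoveryUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $RecoveryUser -Password $secure -PasswordNeverExpires `
        -Description 'Break-glass local admin; password held in the password vault' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $RecoveryUser
} else {
    # Account already exists: rotate its password instead of creating a second one
    Set-LocalUser -Name $RecoveryUser -Password $secure
}

# The sanctioned recovery path is the named account, not the built-in Administrator (RID 500),
# so make sure the latter stays disabled.
Disable-LocalUser -Name 'Administrator'

# Snapshot for the audit trail: who is enabled, whether a password is required, when it was last set
Get-LocalUser | Select-Object Name, Enabled, PasswordRequired, PasswordLastSet | Format-Table -AutoSize

# After the join in Settings > System > About, confirm it from the device's own view of its state
(dsregcmd /status) -match 'AzureAdJoined|DomainJoined|TenantName'

# Hand the password to the vault process; it is not recoverable from the machine later.
Write-Host "Store this in the password vault now: $plain"
```

Running the snapshot and the dsregcmd check again after the join gives you a known-good baseline to compare against when a device later shows only an unfamiliar account at the login screen.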
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for rgmckenz's comment #a41557261
Assisted answer: 500 points for McKnife's comment #a41555270
for the following reason:
Couldn't go with the contributor's solution because of problems with this particular Surface Pro, but it pointed me in the right direction to eventually find a workaround to the original problem.
Oh... you are missing one very important thing.
No one can enable the local administrator like that. What you did had no influence on the local administrator. The command prompt you talk about has no connection to the local account database, it is just within the recovery environment/WinPE.
So if this "worked", it is because the local administrator was active all the time and had a blank password.
ASKER
McKnife, Excellent point! I should have known better, but was probably driven to insanity trying to get this thing to boot to a USB device (or was made dizzy by entering the Bitlocker key too many times). However, that presents another mystery. I had 17 original Surface Pro 4 units with Windows 10. All of them were joined directly to the company's Azure AD at setup time, with the user's Azure AD account as the only active account. When I logged into a couple of the working Surface Pro 4 tablets, both the Administrator and Guest accounts (and the OS DefaultAccount) were disabled by default, as they should be. All initial configurations were identical, other than the Azure AD user account used to login.
So, I ran through the same procedure to attempt to activate the local Administrator account from the boot command prompt, and as you said, it does not enable the local Administrator for the computer itself, just the one in the recovery environment. Verified that after logging in as the user. I then tried to log in under Safe Mode to see if Administrator was an option, but it presented me with the only active account on the test tablet - the Azure AD user.
Given those facts, what could have happened on that original Surface Pro to activate the Administrator account and get me back in business? A couple of thoughts... please give me your opinion or contribute other possibilities:
1) the user manually enabled the local Administrator account at some point
2) a rogue program, virus or hacker enabled the local Administrator account
3) since there were no valid accounts left after the Azure AD trust was broken, Windows 10 allowed a Safe Mode Administrator login and activated the account with a blank password
That's about all I can think of. The user in this case most likely did not activate the account on their own. What am I missing? It's probably something really obvious and I'm just too thick to figure it out. Thanks again for your assistance - this is becoming a real education on Windows 10.
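The three hypotheses above can be narrowed down from the device itself: the Security log records who enabled an account and from which logon session, and the absence of such a record is itself informative. This is an added PowerShell example, not from the thread; it assumes account-management auditing (Success) is on, which is the Windows 10 default, and the 90-day lookback is an assumption.

```powershell
# Added example (not from the thread): establish whether, when, and by whom the built-in
# Administrator was enabled or had its password changed. Run elevated on the affected device.
#Requires -RunAsAdministrator

# The built-in Administrator is always RID 500, whatever it has been renamed to
$Admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$Admin | Select-Object Name, Enabled, PasswordRequired, PasswordLastSet, LastLogon | Format-List

# 4722 = account enabled, 4725 = account disabled, 4724 = password reset by another principal,
# 4738 = account attributes changed (this is where a "password not required" flag shows up)
$Filter = @{ LogName = 'Security'; Id = 4722, 4725, 4724, 4738; StartTime = (Get-Date).AddDays(-90) }

$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named EventData fields out of the event's XML payload
    $Data = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        Target    = $Data['TargetUserName']
        TargetSid = $Data['TargetSid']
        Actor     = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
        LogonId   = $Data['SubjectLogonId']   # match to a 4624 event to see the actor's logon type
    }
} | Where-Object { $_.TargetSid -eq $Admin.SID.Value } | Sort-Object Time

$Events | Format-Table -AutoSize

# Hypothesis 1 or 2 (someone enabled it from inside Windows) leaves a 4722 with an Actor.
# An enabled RID-500 account with no 4722 in the log points instead to an offline change
# (recovery media, an image that shipped that way) or to a log that was cleared (event 1102).
if ($Admin.Enabled -and -not ($Events | Where-Object Id -eq 4722)) {
    Write-Warning 'Administrator is enabled but no enable event was logged in the window.'
}
```

Comparing this output with the same query on one of the 16 unaffected tablets tells you whether the enabled account is unique to the one device or was present in the original image.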
ASKER CERTIFIED SOLUTION
ASKER
Excellent points again. I don't think I've ever had a case where I have lost all users, both local and domain, at once. Booting into safe mode and using the local administrator account is definitely the shortest path to getting this type of problem resolved. Kudos to you, awesome advice. Thanks for setting me straight!
You are welcome.
Last thing: if a device is still joined to the domain but the domain trust is lost ("the trust relationship between this workstation and primary domain failed"), then safe mode will not help you, you won't get in. In that case, we need to re-establish the trust by resetting the machine password. It's a "hack" similar to the utilman hack I linked earlier. At the point where we have a command prompt (following that link), we have to use this command:
powershell Reset-ComputerMachinePassword
And reboot.
About joining the AD domain: no experience here, ask the person that joined it.