login problem after disjoin domain
After disjoining the domain, can't see the local administrator to log in locally; it shows the network account (which was used to join the domain).
ASKER
I set up a new Windows 10 pc with "user" as the local account in the set up process. After installing all the needed software, I added it to our domain with our domain admin account. I then removed the pc from the domain and deleted the pc from AD (duplicate pc names, my error). Now when I boot up the pc, it only lists our domain admin account as the username (no other option), but it isn't accepting the domain pwd for that account.
How do I get back on this pc?
ASKER
The relevant part can be found when you search for activate.bat
It describes how to use built-in methods.
ASKER
Just want to log in locally on the workgroup after disjoining the domain,
but the local admin account is not showing; even after creating a local account by command prompt, that is also not showing.
It only shows the domain network account which was used to join the domain.
ASKER
The disjoin process removes access to the domain, and any accounts tied to the domain are not available.
The prior experts try to provide you with information.
Are you currently logged into the system locally? Is the account administrative?
If you are logged in, you can run the command
net localgroup administrators
to see which account the system has that has administrative rights.
Often, domain joined systems have a GPO restricted groups that limits which accounts can be part of the local/builtin administrators group.
I.e. while you set up the system as techp and then joined the domain, techp might still be available to log in locally, but the user account lacks administrative rights.
The option available to you is the forgot system password route.
It deals with booting the system and going through a procedure to grant the local existing account administrative rights, add a new administrative account, etc.
It seems you've not taken the suggestions made earlier as they were offered, let me know if you are looking to proceed on this path or whether you want to wait for another option.
ASKER
Above link describes problem...but solution in the link didn't work....also comments here didn't work
ASKER
While booting, it only shows the domain account which was used to join the domain, and there is no option to select another user.
By command prompt, added other accounts with admin rights, but still can't see any option to select another account at login.
Also tried to reset the password using a password reset tool, but it shows only the username administrator in the SAM data,
and not the domain account which was used to join the domain.
Please see the link mentioned in the last comment, but the solution didn't work.
When you are at the login screen, hold down the left ctrl and shift keys while you select the power/restart option.
The system should prompt for what mode you want; start the system in safe mode.
Log in as administrator (ctrl-alt-del).
Add another administrative user:
net user /add <mynewuser> *
Provide a password.
net localgroup /add administrators <mynewuser>
Reboot into normal mode, log in as <mynewuser>.
Rejoin the domain if that is the intent.
Failing that, you need to use a bootable USB to adjust your setup ("Forgot Password" method).
Note: when implementing this utilman fix, you have to boot the system in safe mode again.
Don't forget to reverse the utilman bypass.
Try this:
Username: .\local user name
Password: local user password
If you even can't fill in the user name, press Ctrl+Alt+Del
Another attempt might be disconnecting the computer from the network, then reboot and see if it makes any difference.
ASKER
Please read link on my last to last comment
Does the original local user belong to the Administrators group and does it have a password set?
Since this is a new installation and if you have already spent on this more than 2+ hours, I would reload the system. You will save time for more important tasks.
ASKER
It is common problem...not 1 computer
Another attempt might be disconnecting the computer from the network, then reboot and see if it makes any difference? Does the original local user belong to the Administrators group and does it have a password set?
You didn't mention that more computers are affected. Then I would recreate the reference installation media the next time you install the computer. The problem might be there.
ASKER
Secedit /configure/cfg windows\inf\defltbase.INF /db defltbase.sdb /verbose
Can someone reply with the exact full command, with spaces, for the above?
What started you on this path?
ASKER
Still not yet solved
I can't see local users except domain network account which used to disjoin after disjoining
Read below
https://community.spiceworks.com/topic/2023490-removed-from-domain-now-i-can-t-login
net user
C:\users does not reflect users who have access.
What was the issue you tried to resolve when you disjoined from the domain?
Can you confirm you really disjoined by looking at the computer name in advanced system settings?
The account with which you are logging in, does it have admin rights? Have you rejoined the domain, is that your intent?
ASKER
Does the system on the login screen in the bottom left reflect available user logins??
The other possibility, was this system configured to auto login on boot? While you disjoined the system from the domain, the configuration to auto-login might still be in place.
Since it seems you can login using a local user account, if it is an administrative account, you can check and if needed stop the autologon configuration.
It is unclear what the reason for the disjoin was, and what issues you are trying to resolve. You are not providing a full picture of what you are dealing with or what led to this situation.
To find a way out, one needs to know where one is headed; it is all dark from this thread, no light that could point to a way out.
It is suggestion based on inferences, and interpretations .......
"Even created new local user with admin permission by using command prompt" - only when already logged on, you can create users, so may I ask, how you logged on in the first place? The utilman hack, as suggested by Arnold, grants access to a command prompt right at the logon screen - did you do it that way?
Anyway, you would solve this by activating the local administrator account "administrator". I linked how to do that and you refused to try it since you thought this tutorial does not apply to your situation - but it does, the part after "activation.bat" does.
ASKER
As told (only when already logged on, you can create users) is not correct. Restarted by pressing shift, then got the troubleshooting option; it showed username administrator (not the normal login screen; you can see it by pressing shift-restart and going to the advanced menu to troubleshoot), the password worked, then created new users from the command prompt...
The main issue is to show other users on the login page... if it shows them, it can log in with local admin and do everything.
https://community.spiceworks.com/topic/2023490-removed-from-domain-now-i-can-t-login
The solution provided by the above link didn't work.
Are you required to hit ctrl-alt-del to get to the login screen?
At times you have to work with what you have.
It sounds as though when the computer was joined to the domain, the local policy for login was changed to a different view.
Since you created a username, have you tried using the Spiceworks link's example: at the login prompt, disregard what is there and enter the username you created and the password?
Erase anything in the username, or select other/switch as the case may be. There has to be an option on the login screen that you do not want to use the presented user, but would rather log in as someone else.
At this point, you should get a blank username prompt.
Use the username/password you created.
Are you able to login?
If you are able to log in, and then log out, is the new username listed on reboot?
If it is, is your issue solved?
If you want the login screen to offer buttons of local users, or listed in the bottom left, (I think it will limit the display to three or four)...
Once you have access, is the issue resolved?
ASKER
No other option, like other user; means no other option... enter password... left corner nothing... right corner to shut down and restart.
Means 1) either enter password (in this case the password won't work because it is the domain account which was used to join/disjoin the domain)
2) select shift-restart and the troubleshoot menu... can't even go to safe mode because it needs a login... command prompt is working, showing 2 user names: 1) administrator and password for same domain account which is showing on the login screen 2) new user created by command prompt
But can't use the computer only for command prompt.
I am checking for an option to display other users on the login screen so that the computer can log in locally.
Followed the steps mentioned in the above Spiceworks link, but not working.
There is either an other box, or there is a switch button option below the password/forgot/reset password option.
Something to select another login credential, has to be an option.
I linked what to do:
The solution is to boot to the command prompt in WinRE and activate the local administrator account.
To make this easier, you can save the following lines to activate.bat on a USB drive:
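rem Load the offline SAM hive of the installed Windows under HKLM\TEMP
reg load HKLM\TEMP c:\windows\system32\config\sam
rem Read the binary F value of RID 000001F4 (500, the built-in Administrator)
for /f "tokens=3" %%a in ('reg query HKLM\TEMP\SAM\Domains\Account\Users\000001F4 /v F') do set str=%%a
rem Change 2000011 to 2000010 in that hex string, then write the value back
set str=%str:2000011=2000010%
reg add HKLM\TEMP\SAM\Domains\Account\Users\000001F4 /v F /t REG_BINARY /d %str% /f
rem Unload the hive again
reg unload HKLM\TEMP
This script activates the local administrator account. If you know its password, you are good to go now.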
Hi techp, It appears as though some very good advice has been suggested and I can only add, IF this is a recurring issue with multiple computers, created during a system Image deployment or "Load" process, then it may be a VERY good idea to revisit the 'Drawing board' on that workflow. If the 'Best Practice' steps are 1, 2, 3, 4, etc. and by some means what is happening for you is actually this sequence: 1, 3, 2, 4... then these systems are ending up "broken" as a normal impact of missed steps or an overly enthusiastic approach to producing more "fresh" assets ready to be deployed and joined to the Network at each user's desk, I have seen this before and MAY HAVE participated in it myself... at one time. Revisit, consult a third-party (if necessary) and consider if the Steps may be reorganized in a "better" way.
Forget this "busted" one! Nuke it. Start over. ... (Wish I was there to assist with this in person!)
ASKER
see attachment after disjoining domain
only option...enter password ...shutdown or restart
disjoin-screen.docx
ASKER
It happened because the domain was migrated with high security.
Only end user techs suffer when they do something for troubleshooting, so disjoined; after that it can't log in or join again.
This is a surface?
Your best bet is to boot using an external USB and look through the utilman process.
I have not seen a login, that only allows one user to login including disabling the switch/other option.
Do you have data on this device that you need to pull/retrieve?
If not, I think you can, while holding the left shift and control, restart and restore the thing to "factory default" and go from there.
Do the domain systems also have this single logon option?
Use GPMC and group policy results to see what and where the restrictions come from.
In the future, before you disjoin a system from the domain, make sure there is a local administrative account. Then log in using the local administrative account, and disjoin from the domain.
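The pre-disjoin check recommended above, together with the auto-logon check suggested earlier in the thread, as an added PowerShell example that is not part of the original posts. It assumes Windows 10 with the built-in Microsoft.PowerShell.LocalAccounts cmdlets and an elevated prompt; the Winlogon value names are the standard auto-logon settings, not something quoted in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example: run BEFORE removing a PC from the domain.
# Exits non-zero unless a usable local administrator exists.

$adminGroupSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Keep only local user accounts; domain principals stop working after the disjoin.
$localAdmins = Get-LocalGroupMember -SID $adminGroupSid |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID }

# "Usable" here means enabled and with a password that has actually been set.
$usable = @($localAdmins | Where-Object { $_.Enabled -and $_.PasswordLastSet })

$localAdmins | Select-Object Name, Enabled, PasswordLastSet, SID | Format-Table -AutoSize

# The thread suggests a leftover auto-logon configuration as one possible cause
# of a stale domain account on the logon screen, so report those values too.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
[pscustomobject]@{
    PartOfDomain      = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    AutoAdminLogon    = $winlogon.AutoAdminLogon
    DefaultUserName   = $winlogon.DefaultUserName
    DefaultDomainName = $winlogon.DefaultDomainName
} | Format-List

if ($usable.Count -eq 0) {
    Write-Warning 'No enabled local administrator with a password. Create one and test a ".\name" logon before disjoining.'
    exit 1
}
Write-Output ("Usable local administrators: " + ($usable.Name -join ', '))
```

A non-zero exit code lets a deployment or decommissioning script stop before the disjoin step.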
ASKER
There are 1000s of desktop computers in the domain; now whichever one is disjoined, it will show like in my last comment.
It might be some security policy, which I want to edit using the registry.
Even used a password reset tool to reset the password; it searched the SAM, but as the account is a domain account it is not showing.
Was this a change of the "internal" Enterprise network Domain, such as going from "TekMarket" (.com) to "TekRevue" (.com)? And, was there an "upgrade" of the Domain's controllers from Windows Server XXXX to Windows Server YYYY?
Some research on that type of migration DOES point to potential problems or issues that may occur, and maybe the following Microsoft Support article will "point to" some similarities in the situation being encountered.
Client, service, and program issues can occur if you change security settings and user rights assignments
This is quite an old article, as far as I can determine but, it is also nicely detailed and so MAYBE there will be some "guidance" of use within it.
If you are able to disclose the 'Scope' of the past (recent?) migration, I think 'better' advice and guidance may be located -- or other informed opinions of eXperts will come out.
NOTE: Kudos and compliments to McKnife for their "activate.bat" script, that appears to be VERY powerful, highly knowledgeable information!
ASKER
After running the batch file it is also not working; the same username (which was used to join the domain) comes up at login, the password is not working, and so not able to log in.
Pause
at the end of the activate.bat script, let it run again and make a photo of the paused command line showing all actions (resize the window if needed) and upload it.
ASKER
The main thing to find out is
how to show other users on the login screen.
Currently only one domain user is showing and there is no option to select any other user, even though in the troubleshooting menu on the command prompt, net user can see the local user names.
Even after activating, it doesn't show.
Hi Techp. Seems you've got a tricky problem here and my fellow experts have tried to offer advice that you've largely rejected.
Maybe it's worth taking a new approach: Instead of looking at a machine with the issue try looking at working machines still on the domain.
My guess, which has also been alluded to by the other experts, is that there are some policies on the domain that remove certain local admin accounts and possibly create a default account. It may also set a password.
Look at other similar machines and take a good look through their group policy (best using the gpresult command to do it offline.)
Look for any settings that change the default logon, limit user accounts or modify the administrators.
May I ask, exactly what prompts are showing on the screen? If any appear as pre-populated options in the log-on field? (Leaning towards the idea 'localhostName\<administrator>' is the thing I recall using but, I am not finding the "simple" Microsoft Support document on this topic.)
The exact details of what is seen are helpful in determining what is happening. Thanks!