Lost admin rights both locally and in domain environment
Hi, I've run into quite the Catch-22. My setup is very basic: I have a Windows 2003 Server R2 (AD) and a bunch of clients (all Windows 7 Professional) connected to it without issues. The other day I joined the domain on yet another client, rebooted the client (Windows 7 Pro x64) only to find out I could not log on locally at all (non-admin), nor did any of my Domain Admins actually have admin rights on the client itself. This is exactly what I did:
1. On the client I added one local admin account as well as a regular user.
2. I joined the AD domain with a regular Domain User on the server.
3. I added the regular Domain User to the local administrator group through a Domain Admin user.
4. The client asked me to reboot the system, so I did.
5. Reaching the login screen, I had no issues logging in as the regular Domain User (now in the local admin group). Everything was working fine and there were no issues reaching resources shared on the server. However, when trying to change a system setting it asked for a user with higher privileges. So I tried to use a Domain Admin user, no luck. The odd thing was that it seemed to be client based, as various local files (Windows\system32\systempropertiescomputername.exe, netplwiz.exe) were responding with "The requested operation requires elevation".
6. As far as I know, the local administrator account is locked when the client is joined to a domain, but regular local accounts should be fine, or so I thought. After reaching the login screen after the first reboot it was not possible to log in locally at all. I was greeted with "There are currently no logon servers available to service the logon request". After a second reboot later on, the system claimed the login info was invalid altogether. Logging in locally works fine on all other clients with COMPUTERNAME\localuser.
So basically, I've lost local admin rights as well as domain admin rights on this particular client.
Like with many Dell clients, I can't boot into safe mode and leave the domain. Is there something I can do besides re-installing Windows 7 on the client?
April 28th, 2011 3:14am

If you can't log on as the local Admin or the Domain Admin, you will have to re-format the computer. Simple as that. But before you do that, make sure that it's not connectivity problems that are preventing you logging on as Domain Admin. Obviously, the first time, the client needs to actually contact the DC to authenticate the user (credentials are cached after that).
June 1st, 2011 3:35pm

Not true.. you can ALWAYS reset a local password to the local admin account...even if disabled. You would have to get an ISO of a tool CD that has a password reset application. Hiren's BootCD is an example of such a disk. There are others out there also. Basically, it boots into its own OS (Linux usually) and gives you many programs that it can run. One of them is to Enable local accounts and to CLEAR passwords. This will NOT work for Domain Accounts, as Domain Accounts are controlled by the DOMAIN CONTROLLER. Also, this will not work for the Domain Controller as there are no local accounts that matter outside the domain. If you lost the Domain Admin password .. you're done.
June 16th, 2011 1:09pm

In fact, you're right, I forgot. You can download DaRT (Disaster and Recovery Toolkit) from Microsoft, at http://www.microsoft.com/windows/enterprise/products/mdop/dart.aspx. With this you can create a recovery boot CD, including the "Locksmith" application, which will enable you to reset local passwords.
June 16th, 2011 2:43pm
