
Can't log on locally or onto AD

By Scott R
I only have an administrator account on a server that used to be joined to a Win2k Active Directory domain controller. I did something wrong and now it's no longer a member of the domain, and I can't log on locally because the policies of the local box won't allow me to. Essentially I can't figure out a way to log on at all to fix this. Any ideas? Is there a way to make that machine a member of the AD domain remotely?


8 total posts (Page 1 of 1)  

Can't log on locally or onto AD

by cul8rm8e In reply to Cant logon locally or ont ...

As you have removed the server from the domain, your administrator account will be unknown to the local server. What you have to do is log on with the local administrator and pass; this is obviously the user/pass used when the installation took place.
If by chance you installed this through RIS and haven't logged on to the server as local administrator up until the point you removed it from the Domain, then you will be able to log on locally as administrator and a blank pass. If this is the case, log on locally and make sure the first thing you do is delete the profile (unknown) from the machine before you join the Domain.

good luck!


Can't log on locally or onto AD

by Scott R In reply to Cant logon locally or ont ...

By logging on locally, I mean on the local box with the local admin name and password. I can't even do that because the policy settings won't allow me to log on interactively. So, I can't log on to the server or the local machine with either account.


Can't log on locally or onto AD

by cul8rm8e In reply to Cant logon locally or ont ...

Ok, were you logged on as LOCAL administrator on the client machine when you removed it from the DOMAIN, or logged onto the domain with DOMAIN ADMIN rights? Or, in another case, a simple domain user, in which case at this point you would have been asked for the user/pass of an account with the right to remove the machine from the DOMAIN, i.e. DOMAIN ADMIN.
If it was the first scenario then you would have been prompted to reboot the machine (at this point notified that your computer is now a member of a workgroup, i.e. defaults to WORKGROUP) and all DOMAIN user profiles on that machine would have been in an (unknown) state. At this point you should without any problem have been able to log onto the client machine with the (local) admin account on that machine, i.e. the user/pass from when installation took place.
BUT! If you were logged onto the domain at the point of removing that machine from the domain, again you need the rights to remove it from the DOMAIN, i.e. domain admin, enterprise admin ...... At this point you would then have to refresh your machine policy and user policy on the DC to update the security policy, which is why you wouldn't be able to log on locally, because! the machine you removed from the domain is in a disabled state until it is physically removed from (Active Directory Users and Computers) in the Computers container.
SO! If this was the case then remove it and refresh policy for machine and user at the command prompt: secedit /refreshpolicy machine_policy /enforce
also secedit /refreshpolicy user_policy /enforce. Remember to refresh only after removing the client from the Computers container!

still got problems? post back


Can't log on locally or onto AD

by Scott R In reply to Cant logon locally or ont ...

Ok, here's exactly what happened:
I was logged on to the domain on the member server as a domain admin. The member server was a part of the domain and working great. I did something that caused the member server to crash hard, causing me to reinstall the OS. I named it the same as what it was before, hoping that I could just leave the same computer in the AD without having to do anything with it. I rejoined it to the domain and it worked. Then I noticed some problems with it communicating to the AD server (at least that's what I thought). So, on the AD server I right-clicked on the computer in the AD directory and selected "Reset Account". I was logged out of the member server at the time. Now when I try to log back into the member server with Administrator for the name and my AD server as the domain, it says "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect". And when I log into the member server as Administrator with the local machine as the "log on to", it says "The local policy of this system does not permit you to log on interactively". That part has always been like that, but I just ignored it because I was logging on as a domain admin to the member server. So I can't log into the member server at all to rejoin it to the domain or anything. I'm essentially locked out. I hope this sums it up. Thanks for bearing with me.


Can't log on locally or onto AD

by BeerMonster In reply to Cant logon locally or ont ...

Hi,
I don't have time to test this with the interactive login policy set, but here's what I'd do.

Get a Win2k box that you can log in to; from that box go to Start \ Run and type

\\nameoftheproblemserver\c$

After a short period, a box requesting user credentials should appear. If, after typing in the admin account of the problem server, a window opens showing the contents of the C: drive, then you should be in business! What we have done is create an initial connection to the problem server using the admin context; basically that means any interaction between you and the problem server from the second machine will take place as the problem machine's admin!

Now on the second box go to Start \ Run and type mmc; this will open up a management console. Select File \ Add/Remove Snap-in. On the box that opens select Add, and in the next box select Group Policy. IMPORTANT: a box will display with the name of the machine you are on; select the Browse button below it, and on the next pane select 'Another computer', then type in the name of the problem server. All being well, the GPO from the remote machine will be displayed. You're not out of the woods yet though! As it is a remote machine, portions of the GPO will not be displayed, including the bit you need to get to!! What you will see, though, is that you can now add a startup script to the computer object. Now bear with me, as we now have to do something else....


Can't log on locally or onto AD

by BeerMonster In reply to Cant logon locally or ont ...

Open Notepad, and add the following

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb

(all one line)

Save the file as security.cmd; the file icon should change to a batch file icon (sorry if some of this is a bit obvious, but I don't know how much of this you've seen before). Now add that batch file as a startup script on your problem server, and reboot it. What should happen is that secedit will reset all of the system security to the defaults, and allow you access. Bear in mind that when you rejoin your machine to the domain, the domain policies will be applied and your machine will be locked down once again. I'd try this on a test box to make sure you are happy with it! Hope this helps...
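A fuller version of that startup script, added here as an example and not BeerMonster's own one-liner: it assumes the same %windir%\repair\secsetup.inf template from the OS install, and adds a secedit /export backup of the current local settings plus a log file, so the reset can be reviewed (and reversed by re-applying the backup with /configure) once you can log on again.

```batch
@echo off
rem security.cmd (constructed example, not the one posted above)
rem Assigned as a computer startup script, so it runs as LocalSystem at boot.
rem Before resetting the local security database to the setup defaults it
rem saves the current settings and writes a log, so the change can be
rem reviewed, and reversed, after you can log on again.

set SECDIR=%windir%\security
set LOGFILE=%SECDIR%\logs\security-reset.log
set BACKUP=%SECDIR%\templates\before-reset.inf

if not exist "%SECDIR%\logs" mkdir "%SECDIR%\logs"
if not exist "%SECDIR%\templates" mkdir "%SECDIR%\templates"

echo %date% %time% startup script: saving current local security settings >> "%LOGFILE%"
rem Export the current effective settings (user rights such as "Log on
rem locally" included) to an .inf that /configure can re-apply later.
secedit /export /cfg "%BACKUP%" /log "%LOGFILE%"

echo %date% %time% startup script: applying setup defaults from secsetup.inf >> "%LOGFILE%"
rem secsetup.inf is the template written at OS install; applying it puts
rem user-rights assignments and security options back to their defaults.
secedit /configure /cfg "%windir%\repair\secsetup.inf" /db "%SECDIR%\database\secsetup.sdb" /log "%LOGFILE%" /verbose

echo %date% %time% startup script: finished, exit code %errorlevel% >> "%LOGFILE%"
```

Once the box is reachable again, remove the script from the startup policy before rejoining the domain, otherwise every reboot will keep resetting the local settings underneath the domain policy.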


Can't log on locally or onto AD

by Scott R In reply to Cant logon locally or ont ...

I tried to open it up with the Start/Run method to connect to the machine, but I get a "The trust relationship between this workstation and the primary domain failed" error. It's the same thing with the MMC. I think at this point I'm going to reinstall Windows.


Can't log on locally or onto AD

by Scott R In reply to Cant logon locally or ont ...

This question was closed by the author
