Locked out local admin and script not working

  • Question

  • Hello all,

    First I have to update you more about why I believe I have a big problem.

    I configured and am successfully using MDT in combination with WDS. I already created my W7 x64 image and deployed it several times successfully. I want to add one more image for engineers who have a completely different system of W7 and use the x86 platform. I live in Holland and the people who use this are in France. So I created a base for them and the pilot person is testing it. Because of pressure from management I have to deploy these laptops very soon for several good reasons. The communication is poor so I don't get feedback about their changes to the system. I need these changes to alter my MDT environment for this specific laptop. Because I am running out of time I am forced to deploy it the dirty way, so I will capture this laptop and save the image to use it in WDS. Normally I would make my changes to MDT, recreate the image, capture it and deploy it via WDS. Now I don't know the changes so this laptop may not be screwed up. It was a member of the domain. I cannot sysprep it (litetouch.wsf via MDT) while it is a member of the domain so I demoted the workstation to a workgroup.

    Here it comes: because of a domain GPO the built-in administrator is disabled, and a local user is created and made a member of the local administrators group. Somehow this is not working anymore. The situation I have now is: the local user is created but is NOT a member of the local administrators group and the built-in administrator is disabled. Also the laptop is in a workgroup now. I cannot do things that need administrator rights.

    For example, when I run cscript \\fqdn_of_server\deploymentshare$\litetouch.wsf it runs but fails in the section where it is 'Validating connection to' and then it names the hostname of the server instead of the FQDN. I tried to run it from the IP address and from a mapping but it gives me the same result. I can browse to the deploymentshare$ share so I am going mental about this. Maybe the FQDN is not the real problem, because I am not in administrator mode/rights and will run into other errors if I get past the FQDN problem.

    What to do now? I really need to capture this laptop without a risk of screwing it up and losing the installed applications and more.

    Thursday, June 13, 2013 4:41 PM

Answers

  • Google search for ntpasswd. It is a Linux boot CD that will enable and set the local admin account. So, enable the account, give it a password, reboot the computer and log in as local admin. Do whatever you need, and sysprep and capture the machine. When the system is deployed to laptops, Group Policy will take effect again, disabling the local admin account.
    • Marked as answer by John Doe313 Monday, June 17, 2013 8:25 AM
    Friday, June 14, 2013 8:24 PM

All replies

  • Google search for ntpasswd. It is a Linux boot CD that will enable and set the local admin account. So, enable the account, give it a password, reboot the computer and log in as local admin. Do whatever you need, and sysprep and capture the machine. When the system is deployed to laptops, Group Policy will take effect again, disabling the local admin account.

    Thank you so much!

    I was able to enable the local administrator account and blank the password. This way I could log on as local administrator and I changed the hosts file so my litetouch script could run. From there I was able to get into my MDT environment and start the sysprep task sequence! It is running now.

    Monday, June 17, 2013 8:36 AM
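
    A check to run on the reference laptop before capture, and again on a deployed laptop once Group Policy has applied, written here as an added example that is not part of the original thread. It is read-only, uses WMI and ADSI so it also runs on the Windows PowerShell 2.0 that ships with Windows 7, and the function name Get-LocalAdminState is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of local administrator state.
# The function name Get-LocalAdminState is hypothetical.

function Get-LocalAdminState {
    # Built-in Administrator: matched by its well-known RID 500, not by name,
    # because the account can be renamed and is localized on non-English builds.
    $builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }

    # Local Administrators group: well-known SID S-1-5-32-544
    # (named "Administrateurs" on a French installation).
    $group = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

    # Enumerate the group members through the WinNT ADSI provider.
    $adsi    = [ADSI]"WinNT://$env:COMPUTERNAME/$($group.Name),group"
    $members = @($adsi.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    New-Object PSObject -Property @{
        BuiltinAdminName    = $builtin.Name
        BuiltinAdminEnabled = -not $builtin.Disabled
        # False means the account is allowed to have an empty password;
        # WMI cannot tell whether the password actually is empty.
        PasswordRequired    = $builtin.PasswordRequired
        AdministratorsGroup = $group.Name
        Members             = $members
    }
}

$state = Get-LocalAdminState
$state | Format-List

$findings = @()
if ($state.BuiltinAdminEnabled) {
    $findings += "Built-in administrator '$($state.BuiltinAdminName)' is enabled."
}
if (-not $state.PasswordRequired) {
    $findings += "Built-in administrator is allowed an empty password."
}
$others = @($state.Members | Where-Object { $_ -ne $state.BuiltinAdminName })
if ($others.Count -eq 0) {
    $findings += "No other member in '$($state.AdministratorsGroup)': disabling the built-in account locks out local administration."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'Local administrator state matches the intended policy.' }
```

    The third finding is the state described in the question (built-in account disabled and the created local user missing from the group); the first two describe the reference laptop after the account was enabled with an empty password, which is what gets captured into the image until Group Policy disables the account again.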
  • You can boot to safe mode with command prompt if the local administrator account is disabled and activate it from there again.

    Command: net user administrator /active:yes

    I am sure it is always possible to set the password this way, but safe mode should not be required at all for changing the password from my experience but non-Windows-UI (e.g. console with net command) may be required.

    • Proposed as answer by orioon Monday, June 17, 2013 6:45 PM
    • Edited by orioon Monday, June 17, 2013 6:49 PM
    • Unproposed as answer by John Doe313 Tuesday, June 18, 2013 6:03 AM
    Monday, June 17, 2013 6:45 PM
  • You can boot to safe mode with command prompt if the local administrator account is disabled and activate it from there again.

    Command: net user administrator /active:yes

    I am sure it is always possible to set the password this way, but safe mode should not be required at all for changing the password from my experience but non-Windows-UI (e.g. console with net command) may be required.


    Thanks for your answer, orioon. As you can read, I already found a solution for my problem. However, your post is interesting as well. I did not try your suggestion, but does it only activate the account? Because I don't know the password either.
    Tuesday, June 18, 2013 6:05 AM
  • No, that should not be possible that way.
    I did overwrite a password once without non-Microsoft products but it is a bit more complicated.

    It is possible to remap the event that occurs when you press shift 5 times to start cmd.exe instead.

    This will start cmd.exe with Administrator (System?) permissions allowing you to make such changes.

    Tuesday, June 18, 2013 7:31 AM