Lost admin rights both locally and in domain environment

  • Question

  • Hi,
    I've run into quite the catch 22. My setup is very basic, I have a Windows 2003 Server R2 (AD) and a bunch of clients (all Windows 7 Professional) connected to it without issues. The other day I joined the domain on yet another client, rebooted the client (Windows 7 Pro x64) only to find out I could not log on locally at all (non-admin) nor did any of my Domain Admins actually have admin rights on the client itself.
    This is exactly what I did:
    1. On the client I added one local admin account as well as a regular user.
    2. I joined the AD domain with a regular Domain User on the server.
    3. I added the regular Domain User in the local administrator group through a Domain Admin user.
    4. The client asked me to reboot the system so I did.
    5. Reaching the login screen I had no issues logging in as the regular Domain User (now in the local admin group). Everything was working fine and there were no issues reaching resources shared on the server. However, when trying to change a system setting it asked for a user with higher privileges. So I tried to use a Domain Admin user, no luck. The odd thing was that it seemed to be client based, as various local files (Windows\system32\systempropertiescomputername.exe, netplwiz.exe) were responding with "The requested operation requires elevation".
    6. As far as I know the local administrator account is locked when the client is joined to a domain but regular local accounts should be fine, or so I thought. After reaching the login screen after the first reboot it was not possible to login locally at all. I was greeted with "There are currently no logon servers available to service the logon request". After a second reboot later on, the system claimed the login info was invalid altogether. Logging in locally works fine on all other clients with COMPUTERNAME\localuser.
    So basically, I've lost local admin rights as well as domain admin rights on this particular client. Like with many Dell clients, I can't boot into safe mode and leave the domain. Is there something I can do besides re-installing Windows 7 on the client?
    Thursday, April 28, 2011 7:09 AM

All replies

  • If you can't log on as the local Admin or the Domain Admin, you will have to re-format the computer.  Simple as that.

    But before you do that, make sure that it's not connectivity problems that are preventing you logging on as Domain Admin.  Obviously, the first time, the client needs to actually contact the DC to authenticate the user (credentials are cached after that).

    Wednesday, June 1, 2011 7:34 PM
  • Not true.. you can ALWAYS reset a local password to the local admin account...even if disabled.  You would have to get an ISO of a tool CD that has a password reset application.

     

    Hiren's BootCD is an example of such a disk.  There are others out there also.

    Basically, it boots into its own OS (Linux usually) and gives you many programs that it can run.  One of them is to Enable local accounts and to CLEAR passwords.

    This will NOT work for Domain Accounts, as Domain Accounts are controlled by the DOMAIN CONTROLLER.  Also, this will not work for the Domain Controller as there are no local accounts that matter outside the domain.

     

    If you lost the Domain Admin password .. you're done.

    Thursday, June 16, 2011 5:04 PM
  • In fact, you're right, I forgot.  You can download DaRT (Disaster and Recovery Toolkit) from Microsoft, at

    http://www.microsoft.com/windows/enterprise/products/mdop/dart.aspx

    With this you can create a recovery boot CD, including the "Locksmith" application, which will enable you to reset local passwords.





    • Proposed as answer by Bigteddy Thursday, June 16, 2011 7:17 PM
    Thursday, June 16, 2011 6:37 PM
  • I have a similar issue where I can log into the Windows 7 x64 SP1 machine, but I cannot get into the management utility or change the domain of the workstation. It is currently connected to the domain, but it will not let me into anything that is a "high security" item. I can log into the domain controller with the domain admin, but when I use the domain admin on the Windows 7 x64 Professional, it comes back with a message that "c:\windows\system32\systempropertiescomputername.exe.  The requested operation requires elevation."...

    Any ideas on how to resolve this? I can ping the domain controller, I can ping the domain name from the Windows 7 workstation. I can log in with the local admin users that I had before I joined this computer to the domain...

    I just cannot get into anything in control panel anymore nor change the domain of the workstation? When prompted for access, I have tried the domain admin, local admin user, and everything else, but it still comes back with "required elevation" message????

    Monday, June 11, 2012 9:07 PM
  • I did a re-install... fixed
    • Proposed as answer by BlueIzzzz Wednesday, August 15, 2012 1:48 AM
    Wednesday, August 15, 2012 1:48 AM