Domain Controller Down Need access to Domain user Desktops

les_garten

Limp Gawd
Joined
Dec 12, 2007
Messages
393
I have a Windows 2008 Domain controller that is down hard and the drives are out for data recovery.

We are having issues with using Local accounts. Even the Built-in administrator account (it is enabled, and we can log in with it). For instance, I cannot change the RDP access for the local accounts or the administrator accounts. The checkboxes are grayed out. The button for Network Level authentication is checked but grayed out to the user, the other buttons are grayed out here as well. It's like admin rights and the administrator account even at the local level are not working properly.

Additionally we would like to somehow use the user domain desktops till the domain controller is back up (which may take a bit of time). Is there a way to hack into them?

Cached credentials are helping us out for now but that won't last and is at risk for getting hosed with a reboot or user login change.

Any suggestions on how to get access to these levels? I didn't expect to run into the local administrator limitations, that's got me befuddled a bit.
 

Shotglass01

[H]ard|Gawd
Joined
Aug 26, 2005
Messages
1,960
IIRC, group policy is likely still in effect. I'd take one system, as a test, un-join from the domain using the local admin account and then see if you can change any NLA settings, etc. You should be able to rejoin the domain once it's back up as long as it's the same domain with the same SIDs. I don't know of any way to use the domain accounts except for cached credentials which I think expire after 30 days by default. One option is to make a new local standard account then just copy the domain info to the local account. Very labor intensive but would get someone functional. Good luck, I dealt with this once, and it was not so much fun.
 

les_garten

Shotglass01 said:
IIRC, group policy is likely still in effect. I'd take one system, as a test, un-join from the domain using the local admin account and then see if you can change any NLA settings, etc. You should be able to rejoin the domain once it's back up as long as it's the same domain with the same SIDs. I don't know of any way to use the domain accounts except for cached credentials which I think expire after 30 days by default. One option is to make a new local standard account then just copy the domain info to the local account. Very labor intensive but would get someone functional. Good luck, I dealt with this once, and it was not so much fun.

It's driving us crazy right now because the local accounts are not acting like they should, including the Administrator account. If we unjoin the domain, that would cut off access to the domain desktops I think. We are changing the cached credentials from 10 to 50 logons to give us some breathing room.
 

dbwillis

[H]F Junkie
Joined
Jul 9, 2002
Messages
8,200
If you can disconnect the PC from the network, then turn it on, then try to log on with a domain account, good chance you can log on with a cached account, then plug in the network cable.
 

les_garten

dbwillis said:
If you can disconnect the PC from the network, then turn it on, then try to log on with a domain account, good chance you can log on with a cached account, then plug in the network cable.

We can log on at present. Cached credentials will run out. I found some stuff last night. I want to migrate the domain profile to a Local account. Anyone have a reliable method for doing that? The office manager has a desktop that needs to keep working during this transitional period.
 

Shotglass01

les_garten said:
It's driving us crazy right now because the local accounts are not acting like they should, including the Administrator account. If we unjoin the domain, that would cut off access to the domain desktops I think. We are changing the cached credentials from 10 to 50 logons to give us some breathing room.

It's been quite a while since I had to do this so that's why I recommend trying it on one desktop first. I think the computer is still adhering to group policy because it's still joined to the domain. It doesn't matter that the domain isn't available. The system should follow the last set of instructions it received since the last touch of the domain. Again, you can rejoin the domain once it's back. I don't know of any way to migrate domain profiles to local profiles. I'd think there might be a tool out there by now that could do this. But, you could just do so manually by copying over docs, desktop, etc, etc. PITB I know but possible.
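
A read-only check of the two things discussed in the posts above (RDP/NLA checkboxes greyed out by Group Policy that is still applied, and the cached-logon setting), as an added example that is not part of the thread. It assumes the standard Windows registry locations for Remote Desktop policy and Winlogon and an elevated PowerShell 2.0 or later prompt on the workstation; the helper name `Get-RegValue` is made up for this sketch.

```powershell
# Added example, read-only: shows whether the RDP/NLA settings are pinned by
# Group Policy applied at the last refresh, and how many domain accounts this
# workstation keeps cached for logon while no domain controller is reachable.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (nothing configured there).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$checks = @(
    @{ Label = 'Deny RDP connections'; Name = 'fDenyTSConnections'; Local = $localKey },
    @{ Label = 'Require NLA';          Name = 'UserAuthentication'; Local = "$localKey\WinStations\RDP-Tcp" }
)

$report = foreach ($c in $checks) {
    $policy = Get-RegValue $policyKey $c.Name
    New-Object PSObject -Property @{
        Setting     = $c.Label
        PolicyValue = $policy
        LocalValue  = Get-RegValue $c.Local $c.Name
        # A value under the Policies key overrides the local one; the matching
        # checkbox in System Properties is then greyed out, even for local admins.
        Enforced    = ($null -ne $policy)
    }
}
$report | Select-Object Setting, PolicyValue, LocalValue, Enforced | Format-Table -AutoSize

# CachedLogonsCount is a REG_SZ in the range 0-50. It is the number of distinct
# accounts whose logon information is cached, and Windows assumes 10 when unset.
$cached = Get-RegValue $winlogon 'CachedLogonsCount'
if ($null -eq $cached) { $cached = '10 (Windows default, value not set)' }

$cs = Get-WmiObject Win32_ComputerSystem
"Domain joined        : {0} ({1})" -f $cs.PartOfDomain, $cs.Domain
"Cached logon entries : $cached"
```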
 

dbwillis

I've used the profile tools from forensit.com with decent luck a while back
 

les_garten

dbwillis said:
I've used the profile tools from forensit.com with decent luck a while back

I did find this tool and talked to the guy there and it will migrate a Domain Profile to a Local profile. We are going to try it today on a less important profile and see what gives.
 

les_garten

Shotglass01 said:
It's been quite a while since I had to do this so that's why I recommend trying it on one desktop first. I think the computer is still adhering to group policy because it's still joined to the domain. It doesn't matter that the domain isn't available. The system should follow the last set of instructions it received since the last touch of the domain. Again, you can rejoin the domain once it's back. I don't know of any way to migrate domain profiles to local profiles. I'd think there might be a tool out there by now that could do this. But, you could just do so manually by copying over docs, desktop, etc, etc. PITB I know but possible.

We are thinking of migrating the profiles to local while we still have credentials, and then unjoining the domain. Then rejoin the domain with the new Computer.
 

ND40oz

[H]F Junkie
Joined
Jul 31, 2005
Messages
12,294
I understand you're trying to work through this, but did you only have a single DC for some reason? And there are no backups?
 

dbwillis

Even just a laptop sitting in the Dr's office, I have that set up for one of my cheapest customers, just a backup DC, nothing else on it. (server, KVM, battery backup all in one lol)
 