Domain Controller Down Need access to Domain user Desktops

les_garten

I have a Windows 2008 Domain controller that is down hard and the drives are out for data recovery.

We are having issues with using Local accounts, even the Built-in administrator account (it is enabled, and we can log in with it). For instance, I cannot change the RDP access for the local accounts or the administrator accounts. The checkboxes are grayed out. The button for Network Level Authentication is checked but grayed out to the user; the other buttons are grayed out here as well. It's like admin rights and the administrator account, even at the local level, are not working properly.

Additionally, we would like to somehow use the user domain desktops till the domain controller is back up (which may take a bit of time). Is there a way to hack into them?

Cached credentials are helping us out for now but that won't last and is at risk for getting hosed with a reboot or user login change.

Any suggestions on how to get access to these levels? I didn't expect to run into the local administrator limitations, that's got me befuddled a bit.
 
IIRC, group policy is likely still in effect. I'd take one system, as a test, un-join from the domain using the local admin account and then see if you can change any NLA settings, etc. You should be able to rejoin the domain once it's back up as long as it's the same domain with the same SIDs. I don't know of any way to use the domain accounts except for cached credentials, which I think expire after 30 days by default. One option is to make a new local standard account, then just copy the domain info to the local account. Very labor intensive, but would get someone functional. Good luck, I dealt with this once, and it was not so much fun.
 

It's driving us crazy right now because the local accounts are not acting like they should, including the Administrator account. If we unjoin the domain, that would cut off access to the domain desktops, I think. We are changing the cached credentials from 10 to 50 logons to give us some breathing room.
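A way to check the two things raised in this thread from an elevated PowerShell prompt on one affected workstation: whether the greyed-out Remote Desktop settings are pinned by a Group Policy value (which the machine keeps applying even with no DC reachable), and the current cached-logon count before raising it to 50. This is an added example, not something posted in the thread; the registry paths are the standard Windows locations for these settings. If the cached-logon count is itself set by the domain's security policy, a local edit may be overwritten at the next policy refresh.

```powershell
# Added example: inspect RDP policy enforcement and the cached-logon count
# on a domain-joined workstation whose DC is unavailable. Run elevated.

$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tsLocal  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValueOrNull($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Anything under ...\Policies\... was written by Group Policy. The Remote tab
#    greys out a control whenever the matching policy value exists, which is
#    why even the local Administrator cannot change it.
foreach ($name in 'fDenyTSConnections', 'UserAuthentication') {
    $pol = Get-RegValueOrNull $tsPolicy $name
    if ($null -ne $pol) {
        Write-Output "$name is enforced by Group Policy (value $pol); the local checkbox stays greyed out."
    } else {
        Write-Output "$name is not set by policy and can be changed locally."
    }
}

# Local (non-policy) equivalents of the same two settings, for comparison.
Write-Output ("Local fDenyTSConnections: {0}" -f (Get-RegValueOrNull $tsLocal 'fDenyTSConnections'))
Write-Output ("Local UserAuthentication (RDP-Tcp): {0}" -f `
    (Get-RegValueOrNull "$tsLocal\WinStations\RDP-Tcp" 'UserAuthentication'))

# 2. Cached domain logons. CachedLogonsCount is stored as a string; the default
#    is 10 and Windows caps it at 50. Entries are only added when a user logs on
#    while a DC is reachable, so raising the value now keeps the existing entries
#    from being evicted but cannot add users who never logged on to this machine.
$current = Get-RegValueOrNull $winlogon 'CachedLogonsCount'
Write-Output "CachedLogonsCount is currently: $current"

$desired = '50'
if ([int]$current -lt [int]$desired) {
    Set-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -Value $desired -Type String
    Write-Output "CachedLogonsCount raised to $desired."
}
```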
 
If you can disconnect the PC from the network, then turn it on, then try to log on with a domain account, good chance you can log on with a cached account, then plug in the network cable.
 
We can logon at present. Cached credentials will run out. I found some stuff last night. I want to migrate the domain profile to a Local account. Anyone have a reliable method for doing that? The office manager has a desktop that needs to keep working during this transitional period.
 
It's been quite a while since I had to do this so that's why I recommend trying it on one desktop first. I think the computer is still adhering to group policy because it's still joined to the domain. It doesn't matter that the domain isn't available. The system should follow the last set of instructions it received since the last touch of the domain. Again, you can rejoin the domain once it's back. I don't know of any way to migrate domain profiles to local profiles. I'd think there might be a tool out there by now that could do this. But, you could just do so manually by copying over docs, desktop, etc, etc. PITB I know but possible.
 
I've used the profile tools from forensit.com with decent luck a while back.
 

I did find this tool and talked to the guy there, and it will migrate a Domain Profile to a Local profile. We are going to try it today on a less important profile and see what gives.
 

We are thinking of migrating the profiles to local while we still have credentials, and then unjoining the domain. Then rejoin the domain with the new Computer.
 
I understand you're trying to work through this, but did you only have a single DC for some reason? And there are no backups?
 
Even just a laptop sitting in the Dr's office. I have that setup for one of my cheapest customers, just a backup DC, nothing else on it. (server, KVM, battery backup all in one lol)
 