Doc
Guest
Posted: Thu Nov 03, 2005 1:51 am
Post subject: Remove old GP from workstations in Domain??
Have a sticky wicket.
User has 25 workstations, all XP or Win2K. They "were" part of a Win2K Srv
domain last month.
Prior consultant absconded with software "and" all passwords.
NO local Administrator passwords for ANY machine.
NO Domain or Enterprise passwords for ANY server (just one now).
NO listing of any "domain user" passwords.
When I arrived, only one machine was still on the OLD domain.
I copied OFF (as that user had never logged out) all the data.
I used a variety of efforts to 'create' a new administrator
user on the server (no go; guess it was AD and that appears hard to
effect). I was able to create a 'local' administrator user, but
whoever had set up the server had disabled (or it WAS disabled)
any "local logins".
Anyway...
After examining everything, I suggested a 'new install' of Windows
Srv 2003 and a 're-creation' of a domain. I had the data, etc...
All went well (DELL 1600SC) and the domain was created.
Issue: Never gracefully "removed" any of the desktops from the "old"
domain (could not, no administrator P/W to allow - or that was the limit
of my knowledge).
Currently, I 'can' join the new DOMAIN... but there are events
indicating that enrollment, time, and a variety of other aspects are
not "finding" the domain.
File access, printing, etc... seem okay.
How can I cleanse these workstations? (I have used Hiveclean; it didn't do
the job. Have also cleaned the registry as much as I can)...
Seems like this culprit used a 'security template' to stop a variety
of other actions... cannot REMOVE any of the machines to a WORKGROUP
either, as "then" I cannot log in; no one has a 'local user' password.
I HAVE created a couple of LOCAL users before doing that and COULD
log in to the 'local machine'... but it still leaves a lot of template
junk in gpedit.msc.
Thanks for any help.
Paul Williams [MVP]
Guest
Posted: Thu Nov 03, 2005 9:51 am
Post subject: Re: Remove old GP from workstations in Domain??
You can join the domain so you can override the local security settings with
domain policy. You can also use a startup script, configured via Group
Policy, to reset the administrator accounts on all PCs. This is done with
the following line saved as .BAT or .CMD:
net user administrator Pa55w0rd
If you have seen some errors in the event logs, check them against
www.eventid.net. Just ensure that the DNS settings on all clients and
indeed the DC are pointing at the DC.
You can reset the security policies by applying the standard workstation
security template to each PC.
As a for-info, you should search for Lophcrack. That will help you get the
passwords if you should ever be in the horrible position you were in again.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
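The startup-script approach from the reply above, written out as one script rather than the single `net user` line. This is an added example and not code from the thread or from Paul Williams; it assumes PowerShell is present on the clients (it was not on stock XP/Win2K in 2005, where the same steps would go in a .CMD file), that the stock template paths below exist, and the password and log path are placeholders. It does three things the thread discusses: resets the built-in Administrator (found by its RID-500 SID, in case the old consultant renamed it), re-applies the default workstation security template over whatever custom template was loaded, and forces a policy refresh.

```powershell
# Added example (not from the original thread). Intended to run as a GPO
# computer startup script, i.e. as LocalSystem at boot, on the rejoined clients.
# Assumptions: PowerShell is installed; template paths are the stock XP/2003
# and Win2K locations; $NewPassword and $LogFile are placeholders.

$NewPassword = 'Pa55w0rd'                                   # placeholder
$LogFile     = Join-Path $env:SystemRoot 'Temp\gpo-cleanup.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# 1. Reset the built-in Administrator. Select it by its well-known RID (500)
#    rather than by name, so a renamed account is still caught.
$admin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=TRUE' |
         Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($admin) {
    & net user $admin.Name $NewPassword 2>&1 | ForEach-Object { Write-Log $_ }
    & net user $admin.Name /active:yes   2>&1 | ForEach-Object { Write-Log $_ }
} else {
    Write-Log 'RID-500 account not found; skipping password reset'
}

# 2. Re-apply the default workstation security template. secsetup.inf under
#    %SystemRoot%\repair is the copy Setup used on XP/2003; Windows 2000 ships
#    the workstation default as %SystemRoot%\inf\defltwk.inf (assumed paths).
$template = Join-Path $env:SystemRoot 'repair\secsetup.inf'
if (-not (Test-Path $template)) {
    $template = Join-Path $env:SystemRoot 'inf\defltwk.inf'
}
if (Test-Path $template) {
    $db = Join-Path $env:SystemRoot 'security\database\reset.sdb'
    & secedit /configure /cfg $template /db $db /overwrite /quiet
    Write-Log "secedit exit code $LASTEXITCODE using $template"
} else {
    Write-Log 'no default security template found; skipping secedit'
}

# 3. Pull current domain policy now instead of waiting for the refresh cycle.
& gpupdate /force /target:computer 2>&1 | ForEach-Object { Write-Log $_ }
```

One caveat a practitioner should weigh before linking this: a startup script lives in SYSVOL, which every authenticated domain user can read, so the password in it is effectively public from the moment the GPO is linked. Use it only for the cleanup window, then unlink the GPO, delete the script, and change the local Administrator password again (ideally to a different value per machine).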
Doc
Guest
Posted: Thu Nov 03, 2005 5:50 pm
Post subject: Re: Remove old GP from workstations in Domain??
Paul Williams [MVP] typed this:
> You can join the domain so you can override the local security settings with
> domain policy. You can also use a startup script, configured via Group
> Policy, to reset the administrator accounts on all PCs. This is done with
> the following line saved as .BAT or .CMD:
> net user administrator Pa55w0rd
> If you have seen some errors in the event logs, check them against
> www.eventid.net. Just ensure that the DNS settings on all clients and
> indeed the DC are pointing at the DC.
> You can reset the security policies by applying the standard workstation
> security template to each PC.
> As a for info. you should search for Lophcrack. That will help you get the
> passwords if you should ever be in the horrible position you were in again.
Paul,
Thanks. I did use a Linux-based cracker but could not get the AD admin
p/w - I have/had read that such was the case, but I'll look into the
application you mention.
All the PCs have 'joined' the domain, but the event logs indicate (thru
eventid) a failure of the local system to properly configure the joining.
I will have to re-check my application event logs...
GREATLY appreciate the help.
Thanks, more later.
Paul Williams [MVP]
Guest
Posted: Fri Nov 04, 2005 9:51 am
Post subject: Re: Remove old GP from workstations in Domain??
Yeah, the offline SAM hacks that use Linux to boot and mount NTFS only work
for local accounts - stuff in the SAM. They won't work against AD as it's
stored differently.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Doc
Guest
Posted: Fri Nov 11, 2005 5:50 pm
Post subject: Re: Remove old GP from workstations in Domain??
Paul Williams [MVP] typed this:
> Yeah, the offline SAM hacks that use Linux to boot and mount NTFS only work
> for local accounts - stuff in the SAM. They won't work against AD as it's
> stored differently.
Finalized...
Was able to provide each 'joined' PC with a static IP and
the DNS address given (on the server). This took a lot of the lag
out of 'logging on' and cleaned the event logs. Have gone in
and "re-owned" much of the data drive (a partition on the main
RAIDed drives that remained intact after the 'upgrade' install
of Srv2003 - but it kept the old identities [SID number with a
big ? in front of all of 'em], which munged the ownership and
rights to change or access) -
Once that was done I could use the 'net user' command in a login
script to change the 'local' administrator account and
all is well. What a mess. Thanks.
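The two things the final post fixed by hand, as one added diagnostic script (not code from the thread or from either poster): first it checks what the thread found broken on the clients (DNS pointing at the DC, the secure channel to the new domain, time sync), then it walks the surviving data partition for ACL entries that still name SIDs from the old domain (the "?" entries in the post) and, with `-Fix`, strips them and gives ownership to the new domain's Domain Admins. The domain name, DC address and drive letter are placeholders; it assumes a domain-admin session on a client or the server where the partition is mounted, and that `takeown` is available (it ships with Server 2003 and later, not stock XP).

```powershell
# Added example (not from the original thread). Run elevated as a domain admin.
# Assumptions: $Domain, $DcAddress and $DataRoot are placeholders; takeown.exe
# is present; Get-Acl leaves unresolvable SIDs as SecurityIdentifier objects.
param(
    [string]$Domain    = 'NEWDOM',        # assumed new domain NetBIOS name
    [string]$DcAddress = '192.168.1.10',  # assumed address of the rebuilt DC
    [string]$DataRoot  = 'D:\',           # assumed surviving data partition
    [switch]$Fix                          # without -Fix, report only
)

# --- 1. DNS: the first DNS server on every enabled adapter should be the DC ---
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
  ForEach-Object {
    $dns = @($_.DNSServerSearchOrder)
    $ok  = ($dns.Count -gt 0 -and $dns[0] -eq $DcAddress)
    '{0,-4} DNS={1} on {2}' -f $(if ($ok) {'OK'} else {'BAD'}), ($dns -join ','), $_.Description
  }

# --- 2. Secure channel and time: the sources of the event-log noise ---
$sc = Test-ComputerSecureChannel -Server $DcAddress
'{0,-4} secure channel to {1}' -f $(if ($sc) {'OK'} else {'BAD'}), $Domain
& nltest /sc_query:$Domain
& w32tm /resync /nowait | Out-Null

# --- 3. ACEs on the data partition that name SIDs nobody can resolve now ---
# Get-Acl translates SIDs to DOMAIN\name where it can; whatever is still a
# SecurityIdentifier after that belongs to the old, dead domain.
function Get-OrphanedAce {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        $acl  = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
      }
}

$orphans = @(Get-OrphanedAce -Path $DataRoot)
'found {0} ACEs for unresolvable SIDs under {1}' -f $orphans.Count, $DataRoot
$orphans | Group-Object Sid | ForEach-Object { '  {0,-48} {1} entries' -f $_.Name, $_.Count }

if ($Fix -and $orphans.Count -gt 0) {
    $newOwner = New-Object System.Security.Principal.NTAccount("$Domain\Domain Admins")
    # Give Administrators ownership first so Set-Acl is allowed to write.
    & takeown /F $DataRoot /R /A /D Y | Out-Null
    foreach ($p in ($orphans | Select-Object -ExpandProperty Path -Unique)) {
        $acl = Get-Acl -Path $p
        # Only explicit ACEs can be removed here; inherited ones disappear
        # once their parent is cleaned, which the recursion above covers.
        foreach ($ace in @($acl.Access)) {
            if (-not $ace.IsInherited -and
                $ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
                [void]$acl.RemoveAccessRule($ace)
            }
        }
        $acl.SetOwner($newOwner)
        Set-Acl -Path $p -AclObject $acl
    }
}
```

Run it once without `-Fix` and keep the listing: the grouped SID counts tell you whether the orphans all share one old-domain prefix (S-1-5-21-…) or whether some are local-machine SIDs from the reinstalled server, which you may want to keep.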
Paul Williams [MVP]
Guest
Posted: Sun Nov 13, 2005 1:50 pm
Post subject: Re: Remove old GP from workstations in Domain??
Glad you got it sorted in the end!
All the best to you.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net