0

I have an old XP Pro machine that belonged to a long-dead domain. I had an administrator account on the machine which allowed me to use it effectively, if infrequently, on a roaming profile.

I also have local administrator accounts.

In error I managed to downgrade the domain account to a standard user (I know...) and now I'm locked out of the files that were held in the user folders (custom Office add-ins, application settings etc.).

It appears that the downgrade has marked them as inaccessible (or even removed some altogether, which is worrying) and so I can no longer get hold of them. Also, GPO seems(?) to require that some applications are run with administrator privileges so I can't access them and the config that was tied to the old admin account (SSMS etc.).

What I've tried

  • If I log in as a local administrator I can't upgrade the standard domain account from the normal XP Pro users admin as it only shows local accounts and groups.

  • If I log in as the standard domain user I can't access any domain account admin as I used to be able to do, and elevating privileges only allows me to see the local accounts again.

  • If I attempt to use any AD tools (dsa.msc) then I get multiple errors related to the missing domain controller.

I can use a live CD to access the 'locked' files and pull them out, but there are quite a few files and a lot of applications that I'd like to be able to use properly again.

Nothing is of critical importance but it would be good to restore the previous access and functionality.

5
  • 2
    Something is not adding up. If you have local admin access you should see everything, even if you don't have access. You would just need to take ownership.
    – Keltari
    Commented Mar 19, 2014 at 16:23
  • I'm no expert in these matters (as may be evident!), what might I be doing wrong to not see the domain accounts, of which there are at least three?
    – Lunatik
    Commented Mar 19, 2014 at 16:58
  • 1
    I'm not sure this will help, but have you tried Kon-Boot? The FAQ states that, "Kon-Boot will not bypass authentication of domain controllers. Although there are instances where a client computer will locally cache a domain login, and Kon-Boot may work in this case."
    – Vinayak
    Commented Mar 27, 2014 at 14:45
  • I don't get it, how on earth did you manage to remove domain admin rights from a user? AFAIK even if you have a cached domain login, you must have access to the AD to make any changes.
    – EliadTech
    Commented Mar 31, 2014 at 7:44
  • In the User Accounts control panel applet there is an option to change the account group membership. This was previously 'Administrator', but I inadvertently seem to have scrolled down the list to another domain account type before closing the form. This appears to have removed the account from the Administrator group entirely!
    – Lunatik
    Commented Mar 31, 2014 at 13:21

2 Answers

1

Just thinking out loud but there are 2 possibilities that come to mind.

  1. Reboot to Safe Mode on your DC and see if you can view the files. I can't remember if Safe Mode will work on a DC (I'm assuming your files are on the DC, not your w/s) but if you can then this would make the file system accessible. You can then copy to an external drive and should be able to see your files.
  2. If the files are NOT on the DC ("long dead..."), then you just need to take ownership of the files. You can do this with any local admin account wherever the files reside. You can do this with Explorer (right-click, Properties, Security tab, Advanced, Owner) or with the PowerShell Set-Acl cmdlet.

Worst case is you boot from some other media (WinPE or BartPE) and grab the files that way. Make sure you take ownership after you copy them off.

5
  • The domain controller, indeed the company that ran it, has gone the way of the dodo unfortunately.
    – Lunatik
    Commented Mar 26, 2014 at 14:18
  • Access to the documents etc. isn't the whole problem (I've pulled off critical ones using a Linux live CD), it's as much about the applications and settings that I can't access as they are 'tied' to the neutered domain account which I can't manage.
    – Lunatik
    Commented Mar 26, 2014 at 14:26
  • Have you tried Microsoft's USMT tool? Maybe that can grab the app settings for you. I've used it in the past on "working" computers without issue. You can download it from https://www.microsoft.com/en-us/download/details.aspx?id=10837
    – SaxDaddy
    Commented Mar 27, 2014 at 18:46
  • The problem is that Windows settings are only part of the story, it's really the applications that no longer work properly that are the biggest thing now that I've grabbed most of the documents I know about.
    – Lunatik
    Commented Mar 31, 2014 at 13:23
  • The latest versions of USMT can capture application settings as well as data. You may need to reinstall the app but it works with many apps and has decent legacy support. I hope this works out for you. Please update the post when you can.
    – SaxDaddy
    Commented Apr 1, 2014 at 0:58
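
The take-ownership step from option 2 of the answer above, sketched with Get-Acl and Set-Acl as an added example (not code from the thread or its participants). The profile path and the function name are hypothetical; it assumes PowerShell is installed and is run from a local administrator session, and it only reports what it would do unless `-Apply` is given.

```powershell
# Added example, not from the original thread.
# Assumption: placeholder path; point it at the orphaned profile folder.
$ProfilePath = 'C:\Documents and Settings\OLD_DOMAIN_USER'

# Well-known SID of the local BUILTIN\Administrators group.
$Admins = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-544'

# Hypothetical helper: walk the tree, report each item's owner SID, and
# (only with -Apply) set the owner to the local Administrators group.
function Set-OwnerToAdministrators {
    param([string]$Root, [switch]$Apply)

    $items = @(Get-Item -Path $Root -Force) +
             @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $owner  = $null
        $status = 'unchanged'
        try {
            $acl = Get-Acl -Path $item.FullName -ErrorAction Stop
            # Read the owner as a SID so nothing depends on name lookups
            # against the domain controller that no longer exists.
            $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            if ($owner.Value -ne $Admins.Value) {
                $status = 'would change'
                if ($Apply) {
                    $acl.SetOwner($Admins)
                    Set-Acl -Path $item.FullName -AclObject $acl -ErrorAction Stop
                    $status = 'changed'
                }
            }
        } catch {
            # Reading or writing the descriptor was refused; keep the reason.
            $status = 'refused: ' + $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Path   = $item.FullName
            Owner  = "$owner"
            Status = $status
        }
    }
}

# Dry run first; add -Apply once the list looks right.
if (Test-Path -Path $ProfilePath) {
    Set-OwnerToAdministrators -Root $ProfilePath | Format-Table Path, Owner, Status -AutoSize
}
```

Items reported as `refused` are the ones to handle through the Explorer Owner tab the answer mentions, or to copy off from boot media as its last paragraph suggests.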
0

Maybe it works when you create a new account with administrator privileges and then give your account administrator privileges, using the just created admin account.

Edit - 31-3-14

Maybe this will work. -> http://www.tomshardware.co.uk/forum/18480-63-make-domain-user-local-computer-admin

3
  • I can do that for local accounts, but not domain accounts.
    – Lunatik
    Commented Mar 31, 2014 at 13:23
  • Still won't work for this user, even after the edit
    Commented Mar 31, 2014 at 14:50
  • Thanks, but that doesn't work as the domain users cannot be selected or found from within the User management form.
    – Lunatik
    Commented Mar 31, 2014 at 14:51
