I need help.

I am currently facing an issue where the trust relationship between a client computer and the domain controller has broken. As a result, the LAPS-managed local administrator password is not working.

Since the LAPS (Local Administrator Password Solution) policy is already applied, the old local administrator password no longer works, and I’m unable to retrieve or use the current password managed by LAPS.

Due to this, I am unable to rejoin the computer to the domain.

I would appreciate any guidance or suggestions on how to resolve this issue—specifically, how to regain local access or retrieve the LAPS password in order to rejoin the system to the domain.

Thank you.

7 Spice ups

Hi, welcome to Spiceworks. If you have previously logged on with a domain account that has local admin privileges, try unplugging the machine from the network and then logging in with that domain account; I have found that the machine will use the cached login information if it cannot find the domain because the network is unavailable. The other option is to use an offline password reset tool such as NTPasswd, found here: Offline Windows Password & Registry Editor. It is old, but so far it still seems to be working.

Simon

7 Spice ups

I will confirm the tool suggested by @simonfox will work.

This is one downside to LAPS: if the password has rotated, the machine is locked. Option 2: just wipe it.

7 Spice ups

Greetings thshah2090! Welcome to Spiceworks!

To reiterate what the others have advised: logging on with a different admin account, one that was logged on before the machine lost connectivity to the network, will allow you to do so. Failing that, wiping and reloading will also work, and if you can't just wipe it, load the drive up in an external caddy and access the data that way before you wipe it...
Going forward, though, since I am in a sub-HD and not the primary, we have a local admin account because we are not privy to their LAPS-controlled credentials. That may also be something you could look into for when this happens again. Sometimes Windows computers simply "fall off" the domain, and there is no help for them unless you can log on as a local admin.

** Q: Concerning NTPasswd, will that ENABLE an account, or does it just allow you to retrieve or modify accounts and passwords?
I am looking for screenshots online or someone's experience with it. I have never used that one, and once I am off the company's restrictive network I will investigate it further.

1 Spice up

You can modify OR create accounts.

You can also use Hiren's, which has a more GUI-based system that allows modification and creation of accounts.

4 Spice ups

I’ll second Hiren’s BootCD. I have used that before for PCs that I had lost the local admin access to.

3 Spice ups

So this used to work; it couldn't hurt to try:

  1. Boot off a Windows image.
  2. When the setup screen appears, hit Shift + F10 to get into cmd.
  3. Run `ren C:\windows\system32\utilman.exe utilman.exe.bak` (replace C: with whatever your boot drive is).
  4. Run `copy C:\windows\system32\cmd.exe C:\windows\system32\utilman.exe`.
  5. Restart.
  6. On boot, hit the accessibility icon in the bottom right corner.
  7. Presto! You've got a command prompt.
  8. Create a new account: `net user testuser /add`
  9. Add it to administrators: `net localgroup administrators testuser /add`
  10. Now log in with your new account and do what you need to repair the trust relationship.

To fix the domain trust without unjoining and rejoining the domain, you can run `Test-ComputerSecureChannel -Repair -Credential (Get-Credential)` in PowerShell.

And then make sure you delete the utilman.exe you created and copy utilman.exe.bak back to utilman.exe; otherwise that computer will have a gaping security hole.

5 Spice ups
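The repair-and-cleanup steps from the post above, as an added PowerShell example that is not part of the thread. It is meant to be run in an elevated PowerShell on the affected machine once you are logged on with the temporary local admin. It assumes the boot drive is the one `$env:SystemRoot` points at, and it does nothing with LAPS itself. The important addition is the last part: a copied `cmd.exe` is itself a validly signed Microsoft binary, so a signature check alone would not catch the swap. The check therefore also compares each accessibility binary's SHA-256 against `cmd.exe` and looks at its file description.

```powershell
# Added example, not from the original post. Run elevated on the affected machine.

# 1. Check the secure channel before touching anything. $false means the
#    machine account password no longer matches what the DC holds.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel is healthy; no repair needed.'
} else {
    # -Repair resets the computer account password on the DC and locally in one
    # step, so the machine keeps its SID, group memberships and GPO links.
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Host 'Secure channel repaired.'
    } else {
        throw 'Repair failed; fall back to Remove-Computer / Add-Computer.'
    }
}

# 2. Undo the utilman.exe swap. TrustedInstaller owns files in System32, so take
#    ownership and grant Administrators full control before replacing the file.
$system32 = Join-Path $env:SystemRoot 'System32'
$utilman  = Join-Path $system32 'utilman.exe'
$backup   = Join-Path $system32 'utilman.exe.bak'

if (Test-Path $backup) {
    takeown /f $utilman | Out-Null
    icacls $utilman /grant 'Administrators:F' | Out-Null
    Remove-Item -Path $utilman -Force
    Rename-Item -Path $backup -NewName 'utilman.exe'
}

# 3. Prove the backdoor is gone. Replacing an accessibility binary with cmd.exe is
#    the classic logon-screen backdoor (same trick as sethc.exe / "sticky keys"),
#    so check every binary the logon screen can launch, not just utilman.exe.
function Test-AccessibilityBinaries {
    # Returns one object per binary that looks tampered with; empty output is good.
    $cmdHash = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash
    $names = 'utilman.exe', 'sethc.exe', 'osk.exe', 'magnify.exe',
             'narrator.exe', 'displayswitch.exe', 'atbroker.exe'
    foreach ($name in $names) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
        $desc = (Get-Item $path).VersionInfo.FileDescription
        $tampered = ($sig.Status -ne 'Valid') -or
                    ($hash -eq $cmdHash) -or
                    ($desc -match 'Command Processor')
        if ($tampered) {
            [pscustomobject]@{ File = $name; Signature = $sig.Status; Description = $desc }
        }
    }
}

$suspect = Test-AccessibilityBinaries
if ($suspect) {
    $suspect | Format-Table -AutoSize
    throw 'Accessibility binary tampering is still present'
}
Write-Host 'All accessibility binaries are genuine, Microsoft-signed files.'
```

If you would rather not hand-restore the file, `sfc /scannow` will put the protected copy of utilman.exe back as well; run the check function afterwards either way. Also remember to delete the temporary local admin account once the domain trust is working again.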

Yes, Hiren's is always a good thing to have to hand. I usually have a USB stick with it on attached to my lanyard; it has so many useful tools.

3 Spice ups

@simonfox

I would use Ventoy for your USB boot media. This way you can fill it with useful ISOs and boot the one you need, instead of carrying loads of USB pens. You can also use the ISO partition as generic storage for things that do not boot.

3 Spice ups

@TimJjr you can enable a locked/disabled account as well as setting a blank password. It cannot do anything with domain accounts but any local accounts can be modified with it.

Simon

2 Spice ups

There is another, albeit potentially more knowledge-intensive, option: boot a generic Windows OS install drive, use the troubleshoot-via-command-line option, manually mount the registry hives, and then create a new local admin user account from the command line.

I've done it a number of times, and while it's WAY faster than reloading an entire machine, it does take a certain amount of understanding and finesse to do correctly.

Renaming files so you can get into a pre-boot, elevated command prompt can also work, but it is the more brute-force method and can be prone to not working under some circumstances, while mounting the registry hives is guaranteed, though more complicated.

2 Spice ups

But doesn’t this require that you know at least one admin account to get that far?

Or is this the method where you rename files like sticky keys or something?

1 Spice up

Negative. If you are using a Windows installer image (which is a recovery environment, technically), it will be running as Admin by default because you're running the bones of Windows from the USB, so there's no linkage to the desired OS until you manually locate and mount the registry hives for the on-board OS installation in offline registry mode. All your permissions are coming from the Windows instance you're running (which is the RE on the USB) rather than from the local OS install. From that point onward, however, one must keep in mind that they're working on a remote registry, so certain operations are different between working directly from within Windows on its own registry versus messing with it from an external device.

The tools available in the Windows RE by default are limited, but you may be able to utilize certain tools on the device needing troubleshooting in addition to the Windows RE tools (file permissions will come into play here, and while you can just give yourself any/all permissions you need, it gets tedious very quickly from the command line ^.^). Having the desired tools available either on the Windows RE itself, or via an alternate storage location to the remote OS, at minimum bypasses a lot of those annoyances, since files not associated with the remote OS won't be subject to its file permissions (and the Windows RE won't really have anything beyond the necessary System and TrustedInstaller ownerships Windows will always require in any form to run, and everything else will be default Administrator pretty much).

1 Spice up

Thank YOU!

And while looking for something to make a Hiren's boot drive, I found my Kali drive...
Go figure.

1 Spice up

I also use Win10XPE from GitHub (GitHub - ChrisRfr/Win10XPE: Win10XPE is a Complete Project Based on Win10, Win11 Recovery Environment With Many Windows Features Added...) and use it with our systems here to reimage or generally troubleshoot when needed. It has an Admin Password Reset Tool (like Hiren's), and it will work with your newer Windows PCs where Hiren's may get weird thanks to updated security.

Just as a note, you may need to get the Dell, HP, or other laptop Intel SSD/RAID driver to see the hard drive. This can be integrated into the Win10XPE image so it will work on multiple different systems and only needs one USB drive.

2 Spice ups