
Local Admin Account


joeypesci

Got a local admin account where this has been set

[screenshot attached: 18112010133154.png, the User Rights Assignment view in gpedit]

Which I believe is preventing the admin account from removing or installing devices. This is causing an issue. Looks like it's an AD GP, as it is greyed out and I can't add to it locally. The network team claim there are no AD GPs to limit the local admin account that they know of.

Also, I'm trying to use Process Monitor on the machine but that needs admin rights and it keeps saying that the local admin account isn't a member of the admin group, but it is.

Any ideas? Even if it's just fixing the Process Monitor bit?

And looking at the picture, can anyone explain what the icon means next to Load and Unload device drivers? It's different from the others and I think this is related, maybe trying to tell me it's an AD group policy.

I've spoken to networks, they said there are no AD GPs set for this. I've used the local admin account to create a new local admin account and put it in the administrators group. Logged into it and it also has the same issue.

Any ideas?


Have you tried running gpupdate /force?

Machine was migrated from the old domain the other day to the new one. The user then booted the machine and it would freeze and load personal settings I think it was before the login box. I'd remove the network cable and reboot and I'd get to the login box. But something in XP has become unstable as right click my computer and go to properties and it never loads system. Do gpupdate /force and it starts to do it but never appears to finish and seems like it's hung.

So I have to do everything in safe mode. But doing gpupdate /force in safe mode, it moans it can't find a file or something (can't remember the error as I'm at home now).

I found the .inf files in C:\WINDOWS\security\templates. So I took the ones from my PC that is fine and shoved them in the not working PC. Loaded up the "setup security.inf" on the non-working PC but it appears to do nothing. Do gpupdate /force and get the file error. Do a reboot and they don't take effect, or it doesn't seem to change anything.

In the above picture I'm logged in as local admin, the blanked out bit is

ourolddomainname\users

but nothing else is in there, as you can see, and I'm unable to add. I thought the icon meant it was getting this policy from AD group policy.

Removed the machine from the domain but made no difference.


An administrator account having limited access, that sounds more like local group policy issues to me. Something in that machine does not look right.

Are you sure it's an administrator's account? Is there any other local administrator account on that computer? Have you tried using a domain administrator account to see if you can override that problem?


Fixed this now. Would like to be able to edit titles here so I can put FIXED on my threads. So if someone else has the issue they can see my fix.

Machine wasn't able to get on the network due to the hanging so couldn't try my domain admin account. I've posted the fix on another forum, so this is lifted from there so don't have to type it again.

-----------

Took all day from 8am to 4pm but did it :) gives you a buzz when you solved something like this, that had me :scratch: all day.

Right. First problem (that ended up not needed in end) was to fix the GPEDIT issue, why wasn't Administrators in there. I think the GP was buggered, so asking over at Technet forums I got told about the secedit command (which I'm sure I've heard of before but long forgot). Got given this link

http://support.microsoft.com/kb/313222

Being on XP I ran this on the machine at a CMD

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Did what it had to do. Checked gpedit again and sure enough the Administrators group was back in the place it should be in the image in the first post. But it was all still greyed out, but never mind as the admin account was now able to remove devices. Also got told the icon means it's locked by Group Policy and can't be edited. The blue 1s and 0s mean it's not locked and can be edited.

So, now, why wasn't Process Monitor still working? It was still saying Admin wasn't in the Admin group but it was. On Technet they later said the Admin has to be in the debug group as well for Process Monitor to run, but I'd fixed it before then, so not sure if that was the issue.

Anyway. To fix the admin account permissions I used Trinity Rescue Kit

http://trinityhome.org/Home/index.php?wpid=1&front_id=12

Booted up from that, ran

winpass

This allows you to reset a local account, unlock it or up its privileges. I chose to up the admin account's privileges as it was saying the admin account only had Normal rights.

Booted into Windows and result, Process Monitor was now able to run :)

However, the hanging issue (not sure if I mentioned that) was still a problem. I then used msconfig (which ain't great) but it's easy with that to hide all the Microsoft processes so that you can then disable all other, 3rd party ones. Did that and rebooted. No more hanging. Then had to re-enable them one by one till the hanging started again.

What was it?

Our Helpdesk software. It had two processes running as services at start-up and they were causing the hang. I'm about to look through the Process Monitor logs of it working and then not working. To see if what I suspect to be happening is happening. That is, now the PC is on a new domain, these two services are trying to talk or doing something with the old domain and can't. Causing explorer to then hang as they maybe just get stuck in a loop.

Was a good feeling when it was all fixed and I had drilled it down to the exact two things causing the issue.

Now in geekness I'm off to look through the process monitor logs.

Forgot to mention that once I put the PC back on the domain the gpedit entry was no longer greyed out.

--------------
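The secedit step above works because "Load and unload device drivers" and "Debug programs" are user rights assigned in the local security policy, separate from Administrators group membership, and a secedit template is just an .inf file whose [Privilege Rights] section lists who holds each right. The script below is an added example, not code from this thread or from Microsoft's tooling: it parses that section from a template (the two template strings are constructed to imitate `secedit /export /cfg` output, with a made-up domain SID, and are not captures from the poster's machine) and reports whether the built-in Administrators SID holds the two rights this thread is about. Function names such as `rights_missing_administrators` are my own.

```python
"""Check a secedit security template for the user rights this thread is about.

Added example, not code from the thread. The template texts below are
constructed to imitate the [Privilege Rights] section of a file written by
`secedit /export /cfg <file>`; they are not captures from the poster's machine.
"""
import configparser
from typing import Dict, List

# Well-known SID of the built-in Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"

# The two rights discussed in the thread: the "Load and unload device drivers"
# entry that was greyed out in gpedit, and the debug right the poster was told
# Process Monitor needs.
RIGHTS_OF_INTEREST = {
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeDebugPrivilege": "Debug programs",
}

# Constructed sample: Administrators is absent from both rights, which is the
# state the thread describes. The domain SID is made up.
BROKEN_TEMPLATE = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-513
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeDebugPrivilege =
"""

# Constructed sample of a healthy workstation: Administrators holds both.
HEALTHY_TEMPLATE = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-548
SeDebugPrivilege = *S-1-5-32-544
"""


def parse_privilege_rights(template_text: str) -> Dict[str, List[str]]:
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section.

    secedit writes SIDs with a leading '*'; plain account names can also
    appear, so both are kept as written minus the '*'.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep the SeXxxPrivilege casing
    cp.read_string(template_text)
    rights: Dict[str, List[str]] = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            holders = [h.strip().lstrip("*") for h in (value or "").split(",")]
            rights[name] = [h for h in holders if h]
    return rights


def rights_missing_administrators(template_text: str) -> List[str]:
    """Names of the rights of interest that Administrators does not hold."""
    rights = parse_privilege_rights(template_text)
    return [r for r in RIGHTS_OF_INTEREST
            if ADMINISTRATORS_SID not in rights.get(r, [])]


def report(template_text: str) -> List[str]:
    """Human-readable lines, one per right of interest."""
    rights = parse_privilege_rights(template_text)
    lines = []
    for right, label in RIGHTS_OF_INTEREST.items():
        holders = rights.get(right, [])
        status = "ok" if ADMINISTRATORS_SID in holders else "MISSING Administrators"
        lines.append(f"{label} ({right}): {status}; holders={holders or 'none'}")
    return lines


if __name__ == "__main__":
    # On a live machine: secedit /export /cfg %temp%\policy.inf, then read the
    # file with encoding="utf-16", since secedit writes Unicode output.
    for name, text in (("broken", BROKEN_TEMPLATE), ("healthy", HEALTHY_TEMPLATE)):
        print(f"== {name} ==")
        for line in report(text):
            print(line)
```

Running this on an export taken before the secedit /configure step shows exactly which rights the default template restores, which is a quicker check than reading the greyed-out gpedit view. Note that a SID from the old domain that no longer resolves still appears in the export as a raw S-1-5-21-... string, so the parser keeps SIDs as written rather than trying to resolve them.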


Very interesting situation and I am glad you were able to resolve it. I think I should bookmark this thread for future reference.


It sounds like the profile may have been corrupted on the local cached copy. You could have tried to log on as the LOCAL admin in safe mode (not sure if you tried that or not), not as a domain admin. Then remove the machine from the domain and make it back into a normal workstation. Then reboot. Then try adding it back to the new domain, logging in as a domain admin, and it should then have grabbed an updated Group Policy once it joined the new domain.

We've actually had to delete profiles completely off workstations, because even though they are domain profiles, Windows still stores a folder for the user name and settings on the local workstation, and one of them was so corrupt that when the user signed on, explorer.exe would crash as soon as you saw the desktop, but when signed in as another user on the same box, the machine worked fine. We removed the machine from the domain, then deleted the domain profile folders and files, then rejoined the domain, and fixed the user's profile on that machine; explorer.exe worked again.


Yeah I did most of the work as local admin in safe mode, because I couldn't get on the domain because it kept freezing before the login box (but that ended up being the help desk services).

Regarding deleting the local profile. What we used to do in my old workplace, which actually used roaming profiles, was just to reboot the machine (because their profile gets locked by the NTuser files if they'd logged on). Then just log in as local admin, rename their local profile to .old and then let them log in. So their roaming profile gets copied back down. Means you don't have to bother with removing the machine from the domain and re-adding it. We'd rename it to .old in case there was something in that profile, documents, that they needed. Because sometimes the roaming profiles wouldn't sync properly and you'd find when the fresh, new, uncorrupted profile copied off the server, it might be missing some of their documents.


I actually meant the roaming profile for domain users, not local user profiles, although that would lose all their data for any local user. In a domain setup, generally the only local user is an admin. At least in our workplace that is how we had set things up.

Regarding renaming the profile, I guess it depends on the workplace, but our policy was that all files were saved on a network share for each user group as well as personal shares for each user. Nothing personal was of importance to the company, and any files put on there by the user were their loss if not kept on their network share. Work files were supposed to be kept on the network share, not the local desktop or My Documents, because if something did happen, like the HDD dying, they wouldn't be able to retrieve important work files from it. But yeah, renaming a bad profile and having them log in again would essentially do the same thing if it was a corrupt profile; we just wiped the old profiles first as a precautionary step while removing it from the domain beforehand.


Yeah I know you meant domain profiles. But what happens is, you log a user in and the profile gets copied to the PC, so I then just call that their local copy. When they log out it should get copied back to the server; however, the local copy stays. So then when they log in again, they don't have to keep downloading their profile every time. It will just log in, check for changes, and if there are none, just use the local copy. Sometimes the syncing fails and it keeps just using the local copy and not the domain one. So you can just reboot, log in as yourself, rename their local copy of the profile, log them in again and it will download the copy off the server again. It's still good practice I feel to rename the old profile, as there are some things that don't sync back to the server. Like the Outlook auto complete file when they type in the address field. I don't believe that gets copied over.

And believe it or not, at the old place I worked at, a manager who was a bit dense when it came to IT raised a call to have this restored, because she'd "Lost all her contacts". When I went to see her to find out what she meant, it turned out she'd been using the auto complete as her contacts. So she assumed if they appeared in auto complete they were perm. Had to then explain to her, and she still argued the point, that the auto complete is just a nice feature MS included in Outlook. That it was only a temp file and WASN'T to be used to save contacts. That it can, at random, reset itself to be blank. Told her it wasn't a fault, it was by design. To save more arguing I showed the silly bint where the file for this was, and told her, if she insists on using it for what it's not designed for, then she needs to back this file up herself manually.

And yeah, about the local files. We had that same policy, but you have to remember how flaky roaming profiles are. They were never perfect where I worked, so sometimes they hadn't synced back to the server for months. The user hadn't noticed and, despite being told NOT to save to the desktop, they'd still sometimes do it. Then when the files were lost you'd never hear the end of it, despite them having been warned. I was in the NHS and we had one Director who I'd warned time and time again NOT to save all her files on her desktop. She had a roaming profile but had almost all her files dumped on the desktop. I told her, if they are syncing fine, they will be backed up. But if her profile gets corrupt on the server, then she loses her files.

I had enough and put a shortcut on her desktop to a folder on her own network share. Told her, when she has the time, to drag all her desktop icons to that folder. She said "How do I do that?" :huh:

She was notorious for kicking off if anything didn't go her way. I'd tamed her. But when I wasn't there once and was at another site, she'd lost one of these documents off her desktop. Went mental. It hadn't been backed up either, as I don't think her profile had synced. She was moaning at the IT Team and they were rushing around to sort her out. I turned up, saw her in the dining area. Despite her moaning at everyone else I couldn't help but say to her "I did warn you several times". She admitted then "Yeah, I know you did". The file was recovered in the end.

Few weeks later I went to fix another issue for her. She still hadn't moved the fing documents off her desktop.

:rolleyes:

One of the NHS Trusts had put in a policy that no user was allowed to save to the desktop and put a GP in place to stop it. But the main trust I worked for didn't. It was their board of directors that decided most IT policy, not the IT department.
