0
1
I have an old XP Pro machine that belonged to a long-dead domain. I had an administrator account on the machine which allowed me to use it effectively, if infrequently, on a roaming profile.
I also have local administrator accounts.
In error I managed to downgrade the domain account to a standard user (I know...) and now I'm locked out of the files that were held in the user folders (custom Office add-ins, application settings etc.).
It appears that the downgrade has marked them as inaccessible (or even removed some altogether, which is worrying) and so I can no longer get hold of them. Also, GPO seems(?) to require that some applications are run with administrator privileges so I can't access them and the config that was tied to the old admin account (SSMS etc.).
What I've tried
If I log in as a local administrator I can't upgrade the standard domain account from the normal XP Pro users admin as it only shows local accounts and groups.
If I log in as the standard domain user I can't access any domain account admin as I ased to be able to do, and elevating privileges only allows me to see the local accounts again.
If I attempt to use any AD tools (dsa.msc) then I get multiple errors related to the missing domain controller.
I can use a live CD to access the 'locked' files and pull them out, but there are quite a few files and a lot of applications that I'd like to be able to use properly again.
Nothing is of critical importance but it would be good to restore the previous access and functionality.
2something is not adding up. If you have local admin access you should see everything, even if you dont have access. You would just need to take ownership – Keltari – 2014-03-19T16:23:36.753
I'm no expert in these matters (as may be evident!), what might I be doing wrong to not see the domain accounts, of which there are at least three? – Lunatik – 2014-03-19T16:58:25.730
1
I'm not sure this will help, but have you tried Kon-Boot?
The FAQ states that, "Kon-Boot will not bypass authentication of domain controllers. Although there are instances where a client computer will locally cache a domain login, and Kon-Boot may work in this case."
I don't get it, how on earth you've managed to remove domain admin rights from a user? AFAIK even if you have a cached domain login, you must have access to the AD to make any changes. – EliadTech – 2014-03-31T07:44:21.937
In the User Accounts control panel applet there is an option to change the account group membership. This was previously 'Administrator', but I inadvertently seem to have scrolled down the list to another domain account type before closing the form. This appears to have removed the account from the Administrator group entirely! – Lunatik – 2014-03-31T13:21:27.230