Can I restore administrator privileges to an accidentally downgraded domain account without access to the domain controller?

0

1

I have an old XP Pro machine that belonged to a long-dead domain. I had an administrator account on the machine which allowed me to use it effectively, if infrequently, on a roaming profile.

I also have local administrator accounts.

In error I managed to downgrade the domain account to a standard user (I know...) and now I'm locked out of the files that were held in the user folders (custom Office add-ins, application settings etc.).

It appears that the downgrade has marked them as inaccessible (or even removed some altogether, which is worrying) and so I can no longer get hold of them. Also, GPO seems(?) to require that some applications are run with administrator privileges so I can't access them and the config that was tied to the old admin account (SSMS etc.).

What I've tried

  • If I log in as a local administrator I can't upgrade the standard domain account from the normal XP Pro users admin as it only shows local accounts and groups.

  • If I log in as the standard domain user I can't access any domain account admin as I used to be able to do, and elevating privileges only allows me to see the local accounts again.

  • If I attempt to use any AD tools (dsa.msc) then I get multiple errors related to the missing domain controller.

I can use a live CD to access the 'locked' files and pull them out, but there are quite a few files and a lot of applications that I'd like to be able to use properly again.

Nothing is of critical importance but it would be good to restore the previous access and functionality.

Lunatik

Posted 2014-03-18T11:30:29.513

Reputation: 4 973

Something is not adding up. If you have local admin access you should see everything, even if you don't have access. You would just need to take ownership – Keltari – 2014-03-19T16:23:36.753

I'm no expert in these matters (as may be evident!), what might I be doing wrong to not see the domain accounts, of which there are at least three? – Lunatik – 2014-03-19T16:58:25.730

1

I'm not sure this will help, but have you tried Kon-Boot?

The FAQ states that, "Kon-Boot will not bypass authentication of domain controllers. Although there are instances where a client computer will locally cache a domain login, and Kon-Boot may work in this case."

– Vinayak – 2014-03-27T14:45:29.550

I don't get it, how on earth you've managed to remove domain admin rights from a user? AFAIK even if you have a cached domain login, you must have access to the AD to make any changes. – EliadTech – 2014-03-31T07:44:21.937

In the User Accounts control panel applet there is an option to change the account group membership. This was previously 'Administrator', but I inadvertently seem to have scrolled down the list to another domain account type before closing the form. This appears to have removed the account from the Administrator group entirely! – Lunatik – 2014-03-31T13:21:27.230

Answers

1

Just thinking out loud but there are 2 possibilities that come to mind.

  1. Reboot to Safe Mode on your DC and see if you can view the files. I can't remember if Safe Mode will work on a DC (I'm assuming your files are on the DC, not your w/s) but if you can then this would make the file system accessible. You can then copy to an external drive and should be able to see your files
  2. If the files are NOT on the DC ("long dead..."), then you just need to take ownership of the files. You can do this with any local admin account wherever the files reside. You can do this with Explorer (right-click, Properties, Security tab, Advanced, Owner) or with the PowerShell Set-Acl cmdlet.

Worst case is you boot from some other media (WinPE or BartPE) and grab the files that way. Make sure you take ownership after you copy them off.

SaxDaddy

Posted 2014-03-18T11:30:29.513

Reputation: 3 181
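One way to script the take-ownership step from option 2 with Set-Acl, as an added example that is not part of the answer above. It assumes a PowerShell 2.0 session run as a local administrator on the XP machine; the profile folder path and the local account name are placeholders.

```powershell
# Added example (not from the answer): take ownership of an inaccessible profile
# folder and grant a local admin full control, recursively, using only Set-Acl.
# Placeholders: the folder path and the local account name below are assumptions.
$Target  = 'C:\Documents and Settings\OldDomainUser'   # placeholder path
$GrantTo = "$env:COMPUTERNAME\LocalAdmin"              # placeholder local admin

# Well-known SID for BUILTIN\Administrators: nothing has to be resolved against
# the dead domain controller, and an elevated local admin may take ownership
# for that group with the SeTakeOwnershipPrivilege it already holds.
$AdminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

function New-FullControlRule([bool]$isDir) {
    # Directories get inheritable ACEs so files created later pick up the grant.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    if ($isDir) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $GrantTo, 'FullControl', $inherit, 'None', 'Allow')
}

function Repair-Access([string]$path) {
    $item  = Get-Item -LiteralPath $path -Force
    $isDir = $item.PSIsContainer

    # Step 1: write only the owner. A fresh security object with just SetOwner
    # called persists the owner section alone, which works even when the caller
    # cannot read the current DACL at all.
    if ($isDir) { $ownerOnly = New-Object System.Security.AccessControl.DirectorySecurity }
    else        { $ownerOnly = New-Object System.Security.AccessControl.FileSecurity }
    $ownerOnly.SetOwner($AdminsSid)
    Set-Acl -Path $path -AclObject $ownerOnly

    # Step 2: now that Administrators own the object, its DACL is readable and
    # writable; add an explicit grant instead of replacing the existing ACL.
    # Entries from the dead domain stay behind as unresolved S-1-5-21-... SIDs,
    # which is harmless but worth knowing when you inspect the ACL later.
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule((New-FullControlRule $isDir))
    Set-Acl -Path $path -AclObject $acl

    # Step 3: recurse top-down; children are only reachable once the parent is fixed.
    if ($isDir) {
        Get-ChildItem -LiteralPath $path -Force | ForEach-Object { Repair-Access $_.FullName }
    }
}

Repair-Access $Target
```

Ownership of every object ends up with the Administrators group rather than the old domain user, so this only restores file access; it does not put the domain account back into any group.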

The domain controller, indeed the company that ran it, has gone the way of the dodo unfortunately. – Lunatik – 2014-03-26T14:18:42.093

Access to the documents etc. isn't the whole problem (I've pulled off critical ones using a Linux live CD), it's as much about the applications and settings that I can't access as they are 'tied' to the neutered domain account which I can't manage. – Lunatik – 2014-03-26T14:26:08.467

Have you tried Microsoft's USMT tool? Maybe that can grab the app settings for you. I've used it in the past on "working" computers without issue. You can download it from https://www.microsoft.com/en-us/download/details.aspx?id=10837

– SaxDaddy – 2014-03-27T18:46:57.900

The problem is that Windows settings are only part of the story, it's really the applications that no longer work properly that are the biggest thing now that I've grabbed most of the documents I know about. – Lunatik – 2014-03-31T13:23:57.477

The latest versions of USMT can capture application settings as well as data. You may need to reinstall the app but it works with many apps and has decent legacy support. I hope this works out for you. Please update the post when you can. – SaxDaddy – 2014-04-01T00:58:01.497

0

Maybe it works when you create a new account with administrator privileges and then give your account administrator privileges, using the just created admin account.

Edit - 31-3-14

Maybe this will work. -> http://www.tomshardware.co.uk/forum/18480-63-make-domain-user-local-computer-admin

Auke1001

Posted 2014-03-18T11:30:29.513

Reputation: 1

I can do that for local accounts, but not domain accounts. – Lunatik – 2014-03-31T13:23:12.803

Still won't work for this user, even after the edit – Canadian Luke – 2014-03-31T14:50:33.477

Thanks, but that doesn't work as the domain users cannot be selected or found from within the User management form. – Lunatik – 2014-03-31T14:51:58.253