No Admin Access on domain joined PC

Here’s a good one, we’re migrating computers over to another domain in the same forest remotely.

I was having trouble with the remote connection software installed on the user’s machine, so I decided to use RDP instead and added both my domain admin accounts to remote users and connected that way. All good working well!

Before migrating the machine over I made sure I had access to the local admin account just in case. I switched the machine over to the new domain, cancelled the restart prompt, switched users and logged in successfully with the corresponding new domain account.

All good, job done I’m thinking. Copied the user’s files across from their old profile, but then when the machine was rebooted I had lost admin access. No local user in the administrators group or domain admins???

Never come across this before, any suggestions on how I gain admin privileges again? Had a look online, is a GPO the way to go?

Totally dumbfounded here, not sure how this happened?

Most likely the local administrators group is 100% managed by Group Policy. Here is how you can configure this:

Do you not have domain admin credentials in the new domain? Is there a trust established between the domains? Will you be removing the old domain entirely?

Thanks,
Paul

Thanks Paul, yes, there is a trust relationship between the domains.

I’ve found a local admin policy setup on the old domain which I’ve now disabled, but nothing on the new one, could this be causing it?

I have domain admin on the new domain but that group was also removed during the switch? The old domain will be going entirely at some point.

GPOs in the old domain should not be affecting computers in the new domain. You need to run rsop.msc on your target computer in the new domain and see what GPO is configuring that setting for the built-in domain admins group.

You said you have a domain admin user on the new domain, but the group was removed? I’m a little uncertain of what you mean by this. Make sure that you have a domain admin user you can use in the new domain and that it has local admin rights on your workstations.

If you know the old domain will be removed at some point, now is a good time to stop using your old domain admin accounts in the new domain entirely.

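Added example, not part of any post in this thread: a scripted version of the rsop.msc check suggested above, listing who is currently in the local Administrators group and which applied GPO manages local group membership. It assumes an elevated PowerShell 5.1+ session on the affected workstation; the report path is hypothetical, and the XML element names (`RestrictedGroups`, `LocalUsersAndGroups`, `GPO`, `GroupName`, `Group`) are assumptions about the gpresult report layout.

```powershell
# Added example (not from the thread). Run elevated on the affected workstation.

# 1. Current members of the local Administrators group. The well-known SID
#    S-1-5-32-544 is used so the lookup also works on non-English Windows.
try {
    Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource
} catch {
    # Get-LocalGroupMember can fail when the group holds unresolvable SIDs,
    # which is plausible right after a domain move. Fall back to net.exe.
    $name = (Get-LocalGroup -SID 'S-1-5-32-544').Name
    net.exe localgroup $name
}

# 2. Export the computer-scope Resultant Set of Policy as XML.
#    This is the same data rsop.msc displays. Path is hypothetical.
$report = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult.exe /scope computer /x $report /f | Out-Null
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($report)

# 3. Look for the two policy mechanisms that manage local group membership:
#    Restricted Groups (security settings) and Group Policy Preferences
#    "Local Users and Groups". local-name() avoids depending on namespace
#    prefixes. Element names are assumptions about the report layout.
$xpath = "//*[local-name()='RestrictedGroups' or local-name()='LocalUsersAndGroups']"
$hits = foreach ($node in $rsop.SelectNodes($xpath)) {
    $gpos = $node.SelectNodes(".//*[local-name()='GPO']/*[local-name()='Name']") |
        ForEach-Object InnerText
    $groups = @($node.SelectNodes(".//*[local-name()='GroupName']/*[local-name()='Name']") |
                    ForEach-Object InnerText) +
              @($node.SelectNodes(".//*[local-name()='Group']/@name") |
                    ForEach-Object Value)
    [pscustomobject]@{
        Setting = $node.LocalName
        GPO     = ($gpos   | Sort-Object -Unique) -join '; '
        Groups  = ($groups | Sort-Object -Unique) -join '; '
    }
}

if ($hits) {
    # Each row names the GPO to review before changing local admin membership by hand.
    $hits | Format-Table -AutoSize -Wrap
} else {
    Write-Warning 'No Restricted Groups or GPP Local Users and Groups setting found in RSoP.'
}
```

Running this before the reboot that follows a domain move shows whether a membership change made by hand will survive the next policy refresh.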

It was that policy, after disabling it, the issue has not come back.

I think where I went wrong was adding local admin access under the user’s login with elevated cached admin creds. Then I switched to my domain account and the GPO I was not aware of removed my local access.

In hindsight I should have completed the entire process under the user’s login with elevated admin and, as you say, not used the old domain admin creds at all.

Thanks for your help again! 🙂

Awesome! I’m very happy to hear it’s resolved now. Thanks for your question @gareth.cox
