
Hi guys

Is there a way of adding a Windows XP machine to a domain from the AD server running Windows Server 2008 R2 using netdom join workstation /domain:mydomain.local from the command line of the server?

At the moment it's failing with an "Access is denied."

One thing to bear in mind is that the local machine's admin password has been forgotten. Otherwise I wouldn't be bothering with this. I know there are ways of getting that reset but the PC is thousands of miles away and I'm trying to avoid guiding the end user on how to use ntpasswd.

Thanks in advance


So the PC is just sitting there all by its lonesome? How about having them download and run one of those bootable Linux discs that can reset passwords for local accounts?

Edit: it seems that's what ntpasswd is...sorry I'd never heard of that before...

  On 03/02/2012 at 21:08, TheReasonIFailed said:

So the PC is just sitting there all by its lonesome? How about having them download and run one of those bootable Linux discs that can reset passwords for local accounts?

Edit: it seems that's what ntpasswd is...sorry I'd never heard of that before...

Yep, as a background story, the PC got removed from the domain by one of the guys who normally did a bit of support now and then, and as luck would have it the documented local password is not working. So what we're saying is without having a workable user account there's nothing that can be done remotely?

If that's the case then I best prepare myself to start guiding the user to try and run through the reset password utility I guess. :/

Hmmmm - it's been a while since I have done this. But yeah, I do believe you have to have a local admin account to get it to join a domain. You can always create the computer account on the domain and set up any account to be able to join the domain from the domain side. Normally any domain authenticated user can join 10 machines to a domain - unless you have correctly adjusted these permissions.

But to actually join the machine I do believe the account you're logged in with on the machine has to have local admin rights. Otherwise that would be pretty messed up: you could log in as guest or something on a machine - join it to a domain you have set up, and since domain admins are given local admin rights on the box that joins the domain you would now have an account on the box with full admin rights. That would be a bit of a security issue!

Walk the user through reset of the local account - the tools are pretty simple, any monkey could be walked through the process. Then once the box is joined just remotely change the local admin account. Problem is the fact that you're showing the user the way to hack any machine - he could use these newly learned skills for evil in the future ;) heheheh

It's not like any 8 year old can not look up this stuff on Google in 12 seconds -- it's just that users are normally dumber than 8 year olds when it comes to anything to do with a computer! So you hand hold them through learning such a dangerous thing - next thing you know you have all users doing it! Users are like monkeys learning how to use a stick to grab ants out of the ant hill -- they pass that **** on to the next monkey! ;)
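
As an added example (not part of the thread or any poster's own code): the post above notes that any authenticated domain user can normally join 10 machines. This read-only audit reads that limit from the `ms-DS-MachineAccountQuota` attribute and lists computer accounts created under it; it assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and read access to the directory.

```powershell
# Added example: read-only audit, run from a domain-joined admin workstation.
# Assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$quotaAttr = 'ms-DS-MachineAccountQuota'

# Number of computer accounts an ordinary authenticated user may create.
# The default is 10; 0 means only delegated accounts can join machines.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties $quotaAttr).$quotaAttr
Write-Output "$quotaAttr on $($domain.DNSRoot): $quota"

# Computer objects created under that user right record the creator's SID
# in ms-DS-CreatorSID, so this filter finds machines joined via the quota.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
    -Properties 'ms-DS-CreatorSID', whenCreated

# Group by creator so accounts at or near the limit stand out.
$joined | Group-Object { $_.'ms-DS-CreatorSID'.Value } | ForEach-Object {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Name)
    try {
        $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # The creating account may have been deleted since the join.
        $who = "$($_.Name) (unresolved)"
    }
    [pscustomobject]@{
        Creator   = $who
        Count     = $_.Count
        Newest    = ($_.Group | Sort-Object whenCreated -Descending |
                     Select-Object -First 1).whenCreated
        Computers = ($_.Group.Name -join ', ')
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

Nothing here changes the directory; a quota of 0 combined with pre-created computer accounts is the domain-side arrangement the post describes.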

If the machine has access to the network and you have admin rights, why not just log onto the machine and join it for him....there are quite a few utilities that allow you to stay logged in at the logon prompt provided you have the admin creds of the machine.

"provided you have the admin creds of the machine."

That's the thing, sc302: the way I read it there is NO local admin account he can use.

Now if the machine had been removed from the domain, and had at some point been logged in with a domain admin account -- it would still be cached and as long as the machine is not connected to the network with domain access you could log in with a domain admin rights account from cache and change the local password.

As to recovery options: if you have SA from Microsoft -- you should have access to DART, which you could create a recovery tools disk with. And you can have him reboot with that CD/DVD and you can remote it and recover/change the local password.

You would think most companies that are licensed would take advantage of the tools MS provides?

http://www.microsoft.../mdop/dart.aspx

  On 03/02/2012 at 22:28, BudMan said:

Walk the user through reset of the local account - the tools are pretty simple, any monkey could be walked through the process. Then once the box is joined just remotely change the local admin account. Problem is the fact that you're showing the user the way to hack any machine - he could use these newly learned skills for evil in the future ;) heheheh

It's not like any 8 year old can not look up this stuff on Google in 12 seconds -- it's just that users are normally dumber than 8 year olds when it comes to anything to do with a computer! So you hand hold them through learning such a dangerous thing - next thing you know you have all users doing it! Users are like monkeys learning how to use a stick to grab ants out of the ant hill -- they pass that **** on to the next monkey! ;)

My exact fears..

  On 04/02/2012 at 13:28, sc302 said:

If the machine has access to the network and you have admin rights, why not just log onto the machine and join it for him....there are quite a few utilities that allow you to stay logged in at the logon prompt provided you have the admin creds of the machine.

Machine is connected to the network but there is no admin rights access as the documented passwords do not work for this 1 machine, so logging into the actual machine is out. Will just proceed with the password reset on Monday and just move forward with that.

Thanks for all the responses and happy birthday BudMan.. :D

Now this might be frowned upon - but if you want to try the DART option where you can remote his machine and change the password using an MS tool -- just let me know (PM) and I might be able to send you the tools needed to create the disk :shiftyninja:

But to be honest if you're an MS house you should have access to these tools already - I can walk you through how to do it with the remote control option. It's been a while since I have needed to do it. So I would have to verify - but I do believe when you do it he wouldn't actually see you resetting the password. And either way it would be official MS tools - so he might not comprehend that any 8 year old can grab the tools and do this on any box, etc.

^ agreed if they have local admin on the box they are trying to join!

The problem here is the account they are logged into the box with does not have local admin rights - so even if he has an account that has permissions to join the domain, he does not have the permissions to do that on the box he is trying to join.
