How to connect to domain back

Discussion in 'Networking' started by funmit, Jan 24, 2006.

  1. funmit

    funmit Thread Starter

    Joined:
    Dec 29, 2005
    Messages:
    7
    Hi,

    We have a small network of 7 computers and all are connected to a workgroup named MSHOME.
    Today a new client came to our company and he brought his laptop.
    He wants to use our existing network and internet too.

    So I have changed his computer properties from domain to workgroup MSHOME.

    So now his laptop is no longer connected to any domain and is in a workgroup.
    Now the client wants to connect to his company via VPN and wants his old login screen, where the login dialog had
    username
    password
    domain

    When I tried to again change the laptop's properties to domain and tried to give the old domain name, it shows the following error message:

    A Domain Controller for the domain could not be connected.

    Ensure that the domain is typed correctly.

    If the name is correct, Click Details for the troubleshooting information

    Well, this will obviously come up, as no domain exists in our network.

    Is there any other way that I can re-configure that laptop in the domain so the user can get the old login screen with the domain name?
    From the local profile or any other way?

    Regards,
    Little Boy
     
  2. skinnywhiteboy

    skinnywhiteboy

    Joined:
    Jan 26, 2001
    Messages:
    2,069
    First Name:
    Bruce
    You should never remove a membership for a computer that you're technically not responsible for.....no matter what the client says. He'll need to go back to his office and have his Network Admin rejoin the computer to the domain while he's on the backbone of their network. There is no way around this either. When you logged him in under the new MSHOME, it probably created a brand new profile for him also, right??
     
  3. winterfrost

    winterfrost

    Joined:
    Nov 28, 2005
    Messages:
    120
    Not sure if this is still an issue...

    First, just like skinnywhiteboy said, removing the computer from a domain that you are not responsible for is a bad idea. For future reference, the domain/workgroup membership of his PC probably should have nothing to do with allowing him internet access (depending on your network configuration).

    He can still VPN into his work domain from the new local ("workgroup") profile if you set up the VPN connection again. If you don't know the VPN settings, you could attempt to copy his old profile over his new profile. This is by no means the proper way to move a profile, but should work temporarily, provided that he has local admin rights:

    - Log in as a local Administrator account which is not his domain ID or the local "workgroup" ID
    - Browse to C:\Documents and Settings\
    - Find the folder which corresponds to his new local profile. Rename it to something else. This probably isn't necessary, but it's just a precaution.
    - Find the folder which corresponds to his old domain profile. Make a COPY of it, then rename the copy to the former local profile name. Don't rename his original domain profile or you'll cause even worse problems.

    e.g. Local (workgroup) profile is "C:\Documents and Settings\johns". Rename this to "johns.old". Domain profile is "C:\Documents and Settings\jsmith". COPY this to "C:\Documents and Settings\johns".

    - Login as his local account and it should load a copy of his old domain profile, including all VPN settings.

    Again, this will ONLY work if his local account had Administrator privileges, and this shouldn't be used as a method to permanently migrate a profile to a new user.
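
The temporary profile copy winterfrost describes above, as an added PowerShell example that is not part of the original post. It assumes PowerShell is available on the laptop; the function name is hypothetical and the folder names are the post's own sample names.

```powershell
# Added example: the temporary profile copy from the post, with pre-checks.
# Function name is hypothetical; "johns"/"jsmith" are the post's sample names.
function Copy-DomainProfileToLocal {
    param(
        [string]$ProfilesRoot  = 'C:\Documents and Settings',
        [string]$LocalProfile  = 'johns',   # new workgroup profile folder
        [string]$DomainProfile = 'jsmith'   # cached domain profile folder
    )
    $ErrorActionPreference = 'Stop'

    # Must be run from a third account that is a local Administrator.
    $me = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($me)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from a local Administrator account.'
    }

    $local  = Join-Path $ProfilesRoot $LocalProfile
    $domain = Join-Path $ProfilesRoot $DomainProfile
    $backup = "$local.old"

    foreach ($p in $local, $domain) {
        if (-not (Test-Path $p -PathType Container)) { throw "Profile folder not found: $p" }
        if ($env:USERPROFILE -ieq $p) { throw "You are logged in with the profile $p." }
        # A loaded registry hive is locked, so an exclusive open fails here.
        $hive = Join-Path $p 'NTUSER.DAT'
        if (Test-Path $hive) {
            $fs = [IO.File]::Open($hive, 'Open', 'Read', 'None'); $fs.Close()
        }
    }
    if (Test-Path $backup) { throw "Backup already exists: $backup" }

    # Set the new local profile aside (the "precaution" step).
    Rename-Item -Path $local -NewName "$LocalProfile.old"

    # COPY the domain profile; the original is never renamed or modified.
    # -Force includes hidden files such as NTUSER.DAT.
    Copy-Item -Path $domain -Destination $local -Recurse -Force
}
```

As noted later in the thread, a copy like this does not adjust NTFS or registry permissions on the profile, which is why the local account needs Administrator rights for it to load.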
     
  4. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,234
    Actually I am thinking their Domain Admin needs to be shot for giving anyone permission to remove the PC blanketly from the domain. We don't grant that right to the users on our Domain and it's a required User ID and Password just to get it removed.

    Other than that point I agree with what the other 2 posted as you certainly do need to be on the domain in order for it to be added again. That profile renaming I don't think will work as one is a domain profile and the other is a workgroup and depending on permissions he is probably SOL.

    Once he is VPNed in he should be able to add it back onto the Domain though even doing that may cause its own issues until he is directly connected again.
     
  5. jmwills

    jmwills

    Joined:
    Sep 28, 2005
    Messages:
    3,477
    Beat me to comment StumpedTechy. If the user can unjoin from a domain, then more than likely he can join back to it.
    That SysAdmin needs to be fired.
     
  6. skinnywhiteboy

    skinnywhiteboy

    Joined:
    Jan 26, 2001
    Messages:
    2,069
    First Name:
    Bruce
    Their Network Admin is obviously inexperienced and doesn't know any better. I feel sorry for that company.
     
  7. winterfrost

    winterfrost

    Joined:
    Nov 28, 2005
    Messages:
    120
    Interesting. As far as I am aware you only require local admin rights on the system to change domain/workgroup membership.

    I have never heard of this, nor can I find any information on it. Is this a GPO or other registry setting? I know there is a "Join Workstation to Domain" user right, but I have never seen a "Prohibit Removal from Domain" setting.

    The fact that one is a domain profile and the other is a workgroup profile means nothing. By default, Administrators have full access to all profiles -- both NTFS and registry permissions -- so the profile rename will most certainly work if the local account he is using has local admin rights.

    That being said, the user obviously had an account with local admin rights if he was able to change the computer's domain membership. I assumed this was his domain account. Seeing as he was still able to login after his computer was removed from the domain, he obviously also had a local account as well. I thought it was logical that if his domain account had local admin rights, his local account probably had them as well, which is why I proposed the profile rename as a last-ditch effort.
     
  8. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,234
    Yes but any Domain Admin that lets the users run around with even local admin rights really has these own problems brought upon themselves don't they?

    Since we don't grant them local admin rights we don't give them the access to remove it.

    Are you sure a domain profile and a local profile have NO differences in things like the NTUSER.dat and other key files that if they have problems may not allow for logging on as that user? I know profiles are VERY specific in a lot of regards and I don't know what a rename between local and domain profile would do to be honest.
     

  9. winterfrost

    winterfrost

    Joined:
    Nov 28, 2005
    Messages:
    120
    You might be surprised how many organizations (including very large ones) allow laptop users to have admin rights. Nearly every company I have worked for, from the smallest right up to a couple of Fortune 50 companies do this to facilitate remote support.

    Now, I'm all for restricting admin rights for regular users, so you don't have to convince me of the merits. The users on my network run with regular user rights. I just think it's unfair to damn a network administrator as inexperienced and saying s/he should be fired or shot without knowing the full context.

    As far as the profile migration goes, yes, it will most certainly work. I've done this sort of process manually at least 100 times, and as you can see in my sig, we are currently putting the finishing touches on a profile migration application, so I am speaking from experience. There aren't going to be significant differences between a local and a cached "domain" profile that would impact his operation.

    I tried to be clear in saying that what I proposed was not intended to be a permanent solution. It doesn't address NTFS and registry permissions (which is why Admin rights are required), nor some possible path issues. It was intended to get him logged-in to get the VPN connection he needed until he could get back to his network where tech support could resolve the situation properly.

    I wonder if we'll ever find out what happened! :)
     
  10. jmwills

    jmwills

    Joined:
    Sep 28, 2005
    Messages:
    3,477
    Play Devil's Advocate for a minute. What is the biggest threat to your network? Outside or inside individuals? It's the latter and if you give everyone with a laptop Admin rights and they for some reason have an axe to grind, chances are your network is going to be affected.
    I look at everything from a Security standpoint mainly because of who I work for so if you eliminate all possible known threats the bulk of your concerns then are directed to the unknown.
    It's not that we do not trust our people to do the right thing, we do, we just try to protect them from doing something stupid. Right now, USB ports and CD Drives are still allowed to be active. My guess is that within a year, they will not be except to be Admins.
    Just my .02
     
  11. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,234
    Winterfrost I can understand remote support merits as I actually worked on a team that dealt with over 5,000 remote users who were using broadband and dial up and ISDN to connect in. I actually got to sit in while we talked about admin rights or not and in the end we actually stripped it out. The reason being they did a pilot of 2 months with the users with admin rights and the call support volume was 300% that of the users who were locked down.

    I am in agreement with jmwills on admin vs. non admin. I do however bow to your profile renaming knowledge as I try and stay away from that if at all possible because people are so finicky as to how their desktop and preferences look.

    Since I am in a smaller company now and we are able to better control the rules we don't have anyone with admin rights. Anyone who needs to run something as admin gets the Runas utility but no one is able to go in and do things they shouldn't be.

    I too am curious to see how this all panned out.
     
Short URL to this thread: https://techguy.org/436804
