Wednesday, February 14, 2018

Unlocking Windows Local Accounts using a Linux LiveCD

So, here was my predicament: one of my users complained about getting an error message when trying to log in.  I have been running into these for the last few weeks at the new job.

"The security database on the server does not have a computer account for this workstation trust relationship."

Windows Domain Issues
This is a fairly common issue on Windows 7 computers whose domain membership has broken: the machine account password the computer shares with the domain controller no longer matches what Active Directory holds (restoring an old disk image is a classic cause), or the computer object itself is gone.  On occasion, it is caused by a zealous Server Administrator who has deleted the computer's domain account.

The first thing to do is check Active Directory (Active Directory Users and Computers) to make sure the account for the computer is present and enabled.  The account may have been disabled by hand, or, under whatever Group Policy or audit process your Server Administrator has in place, disabled during a sweep of computers that were out of compliance.

I have also run across the occasional case where the account has become corrupt on the server and will not properly enable.  When this happens, the computer account must be disabled and deleted to make way for a new one.

In either case, the result for your end user is that the machine is no longer on the domain, and you will need to fix this.

Now, the long way around is to log onto the local machine using a local administrator account, remove the machine from the domain, add it to "WORKGROUP," restart the machine, log back in with the same local administrator account, and then add the machine back to the domain.

You will be prompted for an account with rights to add and remove machines from the domain, and for the details needed to do so.  When successful, the computer will give you a "Welcome to the domain" message and all will be right as rain.  Reboot and you are ready to go.

In the background, this process creates a new computer object in Active Directory that will need to be placed in whichever security group or OU your administrator uses.  The machine will then be able to connect to the domain; you can log off the local administrator account and have the user try logging in with their domain account.

There are, of course, faster ways of doing this: PowerShell (the Test-ComputerSecureChannel -Repair and Reset-ComputerMachinePassword cmdlets repair the secure channel without the remove/rejoin cycle), some minor hacking that takes far more work than necessary, and even scripts that do the whole thing seamlessly.  If you're looking for those other methods, search for "domain trust relationship" and try them.  Every one of them still requires logging on with a local account, which brings us to the real problem.

What happens when you don't know the local administrator password?  When your Department has disabled the local administrator account to keep someone from attacking it?  When Group Policy locks the local administrator account after 5 failed password attempts?  When the Department hasn't documented the local administrator password for this machine?  Well, you're screwed, right?

This is a case where you must find a way to unlock the account and reset the password.  This is exactly what happened to me.

There are several options for resetting the password of a local administrator account.  You can buy software that does it, you can use some anonymous piece of freeware that advertises being able to do it, or you can find other tools that do the job.

And just to throw an extra monkey wrench into everything, my Department has disabled the USB ports so that you can't use USB drives.  This is locked down at the BIOS level by security settings.  Enjoy!  Note what is not locked down: booting from the optical drive.  Combined with an unencrypted system disk (BitLocker would have stopped this cold), that is exactly what the rest of this post relies on, and it is why disabling USB alone buys almost nothing against someone with physical access.

I chose to use a Linux LiveCD to get into an OS.  Ubuntu packages a tool called chntpw (the Offline NT Password & Registry Editor) that can blank passwords, enable or disable accounts, and promote local accounts to administrator.  It works by editing the SAM registry hive, the file on the Windows disk that stores local account password hashes and account flags.  Cool beans, right?

Installing CHNTPW on your LiveCD
This is not exactly an installation, but think of it as a temporary one.  When you shut down your LiveCD OS, you will lose any changes you made to the OS.

"All those moments will be lost in time, like tears in rain."  ~ Roy Batty, Blade Runner

Keeping this in mind, you must first enable the repository that carries community-maintained open-source tools.  This is found in System Settings under the Software & Updates control panel: tick the "Community-maintained free and open-source software (universe)" option.  It is enabled when you install Ubuntu to your drive, but was disabled in my LiveCD session.

Now here comes the part everyone loves about Linux: the command line.  You will need internet access, so make sure the computer is connected.  Open your terminal (Ctrl+Alt+T) and type in this command:

"sudo apt-get update" and press enter.  You shouldn't be prompted for a password, because the LiveCD user can sudo without one; the "sudo" command elevates your permissions.

Once this completes, you can download the chntpw package with this command:

"sudo apt-get install chntpw"

Once this process has completed, you are ready to locate your user profile information.

Using CHNTPW on your LiveCD
As I pointed out, we are operating in a LiveCD environment, so all of your changes are temporary.  We just gave the OS permission to download the updates and software we need and installed chntpw.  Now we need to gather information from your Windows drive.

Open your hard drive in the file manager and locate the SAM file.  On my machine it was under Windows/Windows/System32/Config/, where the first "Windows" is the volume label the drive was mounted under and the rest is the usual C:\Windows\System32\config path.

Right-click the SAM file and select Properties.  You will need to enlarge the window, but it will show the full location of the file, something like /media/.../Windows/Windows/System32/Config/.  Two things vary: the mount point (it starts with a lowercase /media, and Ubuntu 16.04 mounts volumes under /media/<username>/<label>, so on the live session expect /media/ubuntu/<label>), and the letter case of "Config" and "SAM", which depends on the Windows 7 install.  Select the location and copy it; you will need it, unless you want to memorize it and type it by hand.  You can then close the file manager.

Now open up your terminal, and we are going to move to the file's directory using the cd command.

Type:

"cd /media/Windows/Windows/System32/Config" and press enter (substitute the mount point you copied; note that /media is lowercase, and Linux paths are case-sensitive).

The easier way is simply to type "cd " and paste the folder path with Shift+Insert (or Ctrl+Shift+V).

Alternatively, if you're typing the directory out, you can use "cd" on small chunks of the path at a time.  The second step must be a relative path; a leading slash would send you back to the root of the live system.  You could do it this way:

"cd /media/Windows/" enter
"cd Windows/System32/config" enter

Pressing Tab after the first few letters of each component fills in the rest with the correct case, which avoids the Config/config and SAM/sam guesswork.


This CD command will "change" to the "directory" where your SAM file is located and you can run the CHNTPW program.

Type:

"sudo chntpw SAM"

and it will print a table of the local accounts in the hive (with columns showing which accounts are administrators and which are locked or disabled) and then open the edit menu for the default account, Administrator.

If you use the specific command

"sudo chntpw -u Administrator SAM"

you will edit the Administrator account directly.  If your local administrator account has a different name, use that name instead.

I ran into a permission error on one of the machines I tried this on.  If you have this issue, you will need to go back to the SAM Properties screen and change the permission to Read and Write.  Once this is done, the command works.  A related cause worth checking: if Windows 7 was hibernated rather than shut down, the live session mounts the NTFS volume read-only and no amount of permission changes will let chntpw write the hive; boot back into Windows and do a full shutdown first.

I ran into a separate problem on a 32-bit Windows 7 install where the SAM file was "sam", all lower-case!  Paths are case-sensitive, so make sure you type the folder and file names exactly as they appear in the directory.

The chntpw edit menu lists numbered options; select the ones you need.  Option 1 clears the account password, meaning you can leave the password box blank to log in.  When you are done, type q to quit.  When you are prompted to write the hive, answer y for yes.  Then type exit to close the terminal and shut down to leave the LiveCD environment.  One caveat: blanking a password offline is a reset, not a change, so anything that account protected through DPAPI (EFS-encrypted files, saved credentials) will no longer decrypt once you log in.  For a break-glass local administrator account that rarely matters, but know it before you do it to a user's account.

Other options include enabling the built-in Administrator account if it has been disabled, promoting another local user to administrator, and unlocking accounts that were locked out by earlier failed logins.

At this point we are done with the LiveCD and can shut down and reboot into Windows 7.  Mistakes in capitalization or syntax may cause the change to fail, and shutting down the LiveCD means you will have to go back through these steps again, so make sure you are done before you shut down.
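Putting the "locate the SAM, check it is writable, run chntpw" steps into one script, as an added example that is not from the original post: it searches the mounted Windows volume case-insensitively (which takes care of the Config/config and SAM/sam differences described above) and refuses to continue when the hive sits on a read-only mount.  It assumes the Windows partition is already mounted (on the Ubuntu 16.04 live session, normally under /media/ubuntu/<volume label>), that chntpw is installed, and that the account to unlock is Administrator unless you pass another name.  The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: the Windows volume is already mounted (e.g. under
# /media/ubuntu/<label> on an Ubuntu 16.04 live session) and chntpw is
# installed from the universe repository.

# find_sam MOUNTPOINT
# Prints the path of the SAM hive under MOUNTPOINT, or returns 1 if none.
# -ipath matches case-insensitively: NTFS does not care about case, but
# ntfs-3g preserves whatever case the installer used, so "Config" vs
# "config" and "SAM" vs "sam" both turn up in the wild.
find_sam() {
    mnt=$1
    sam=$(find "$mnt" -maxdepth 4 -type f \
               -ipath '*/windows/system32/config/sam' 2>/dev/null | head -n 1)
    [ -n "$sam" ] || return 1
    printf '%s\n' "$sam"
}

# hive_writable PATH
# Succeeds only if the hive and its directory are writable.  On a read-only
# mount (a hibernated Windows volume is the usual cause) this fails even as
# root, which is exactly when chntpw's "write hive" step would fail too.
hive_writable() {
    [ -w "$1" ] && [ -w "$(dirname "$1")" ]
}

# unlock_account MOUNTPOINT [USERNAME]
# Lists the local accounts, then opens chntpw's edit menu for USERNAME
# (default Administrator).  In the menu: 1 blanks the password, 2 unlocks
# and enables the account, 3 promotes it to administrator, q returns to the
# prompt; answer y when asked to write the hive.
unlock_account() {
    mnt=$1
    user=${2:-Administrator}
    command -v chntpw >/dev/null 2>&1 || {
        echo "chntpw not installed: sudo apt-get install chntpw" >&2
        return 1
    }
    sam=$(find_sam "$mnt") || {
        echo "no SAM hive found under $mnt (is the volume mounted?)" >&2
        return 1
    }
    hive_writable "$sam" || {
        echo "$sam is read-only: shut Windows down fully and remount" >&2
        return 1
    }
    echo "editing $sam"
    chntpw -l "$sam"            # list local accounts and their status
    chntpw -u "$user" "$sam"    # interactive edit menu for one account
}

# Usage (run as root on the live session, with your own mount point):
#   . ./unlock-sam.sh
#   sudo sh -c '. ./unlock-sam.sh; unlock_account /media/ubuntu/Windows'
```

Run it under sudo, since both the search and chntpw's write need root on the mounted volume.  The find is capped at four directory levels so it does not crawl the whole Windows installation looking for a file that is always at a fixed depth.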

Fixing the Windows 7 Domain Trust Issue
Reboot the computer into Windows and log in to the local administrator account with an empty password.  Once you have logged in, set a new password right away.

Fixing the Windows 7 domain issue means going into the System control panel, changing the domain to "WORKGROUP," restarting the computer, and then adding the computer back to the domain.

Once you have added the computer to the domain, reboot and try your domain account to verify it works correctly.

With a working local administrator account, this normally takes 5-10 minutes.  With the LiveCD method, it may take about 30 minutes, so take the time to familiarize yourself with the distro you intend to use.


I had pondered whether this would also let you pull a drive from a computer and edit the SAM file from another machine, but decided to just take care of the business at hand.

I used Ubuntu 16.04 LTS to perform this, but you can use other flavors such as Linux Mint.  Once I have more free time, I plan to add screenshots.  If you want a closer step-by-step account of doing this, you will need to read several different articles.  There may be a better one out there, but I haven't found it yet!