Cannot log on after changing from domain to workgroup

Brad Zehring

I've done something fairly stupid with a Dell laptop running Windows
2000 Professional.

My user name was configured to log in using a domain name, e.g.,
'MY_DOMAIN'.

I wanted to connect the machine to my local workgroup in my home office.

I changed (through Control Panel/System) the machine configuration to
log in to the same user name, but to a local workgroup, i.e., 'OFFICE',
rather than the previously configured domain.

After I rebooted the machine and typed in my user name and password, W2K
responded with a dialog:

"The system could not log you on. Make sure your User name and domain
are correct, then type your password again..."

I'm sure (?) there's some relatively simple way to tell the machine to
log on to the domain rather than the workgroup at this point, but I'm
switched as to what it might be.

Help appreciated.
 
Pegasus (MVP)

Brad Zehring said:
I've done something fairly stupid with a Dell laptop running Windows
2000 Professional.

My user name was configured to log in using a domain name, e.g.,
'MY_DOMAIN'.

I wanted to connect the machine to my local workgroup in my home office.

I changed (through Control Panel/System) the machine configuration to
log in to the same user name, but to a local workgroup, i.e., 'OFFICE',
rather than the previously configured domain.

After I rebooted the machine and typed in my user name and password, W2K
responded with a dialog:

"The system could not log you on. Make sure your User name and domain
are correct, then type your password again..."

I'm sure (?) there's some relatively simple way to tell the machine to
log on to the domain rather than the workgroup at this point, but I'm
switched as to what it might be.

Help appreciated.

There is a very simple way: Talk to your network administrator
and ask him to re-register your machine on the office domain.
Alternatively, ask him to set up a local account for you.
 
Enkidu

Brad Zehring said:
I've done something fairly stupid with a Dell laptop running Windows
2000 Professional.

My user name was configured to log in using a domain name, e.g.,
'MY_DOMAIN'.

I wanted to connect the machine to my local workgroup in my home office.

I changed (through Control Panel/System) the machine configuration to
log in to the same user name, but to a local workgroup, i.e., 'OFFICE',
rather than the previously configured domain.

After I rebooted the machine and typed in my user name and password, W2K
responded with a dialog:

"The system could not log you on. Make sure your User name and domain
are correct, then type your password again..."

I'm sure (?) there's some relatively simple way to tell the machine to
log on to the domain rather than the workgroup at this point, but I'm
switched as to what it might be.

Unfortunately there isn't. You can connect to a single Domain or a
Workgroup. You cannot easily switch between the two.

The user/password that it is expecting is the user/password that was
used on the initial OS install, that is the *Local* Administrator
password.

It depends how the OS was installed as to how you get out of this. If
you do not have the local administrator password, it is likely that
the OS will need to be reinstalled.

If the OS was installed by your IS Dept, they may know the Local
Administrator password. You should take the machine to them.

This is quite a common trap - many people fall into it.

Cheers,

Cliff
 
Pegasus (MVP)

Enkidu said:
Unfortunately there isn't. You can connect to a single Domain or a
Workgroup. You cannot easily switch between the two.

The user/password that it is expecting is the user/password that was
used on the initial OS install, that is the *Local* Administrator
password.

It depends how the OS was installed as to how you get out of this. If
you do not have the local administrator password, it is likely that
the OS will need to be reinstalled.

If the OS was installed by your IS Dept, they may know the Local
Administrator password. You should take the machine to them.

This is quite a common trap - many people fall into it.

Cheers,

Cliff


I'm afraid your reply contains a couple of serious errors.

"You can connect to a single Domain or a Workgroup. You cannot
easily switch between the two."

Yes, you can easily switch between the two - just select the appropriate
domain name at logon time: the Office domain, or the name of your
PC. It's in the box right below the password.

"It depends how the OS was installed as to how you get out of this. If
you do not have the local administrator password, it is likely that
the OS will need to be reinstalled."

No, it does not have to be reinstalled. There are several non-destructive
ways of getting into a Win2000 installation, even if the admin password
is lost.
 
Enkidu

Pegasus (MVP) said:
I'm afraid your reply contains a couple of serious errors.

"You can connect to a single Domain or a Workgroup. You cannot
easily switch between the two."

Yes, you can easily switch between the two - just select the appropriate
domain name at logon time: the Office domain, or the name of your
PC. It's in the box right below the password.

Um, yes, I think I'm correct. You can connect to a Domain or *the
machine*, if the machine is joined to a Domain. If, as he has done,
the machine has been joined to a Workgroup, it will no longer be a
member of the Domain.

Pegasus (MVP) said:
"It depends how the OS was installed as to how you get out of this. If
you do not have the local administrator password, it is likely that
the OS will need to be reinstalled."

No, it does not have to be reinstalled. There are several non-destructive
ways of getting into a Win2000 installation, even if the admin password
is lost.

OK, I have used a utility myself to reset the local administrator
password. Good point. But many shops would consider a machine that has
been dis-joined from a Domain as being compromised, and it would need
to be re-imaged.

Cheers,

Cliff
 
Pegasus (MVP)

Enkidu said:
Um, yes, I think I'm correct. You can connect to a Domain or *the
machine*, if the machine is joined to a Domain. If, as he has done,
the machine has been joined to a Workgroup, it will no longer be a
member of the Domain.

OK, I have used a utility myself to reset the local administrator
password. Good point. But many shops would consider a machine that has
been dis-joined from a Domain as being compromised, and it would need
to be re-imaged.

Cheers,

Cliff


Now why would a machine that's been moved off a domain be
compromised? Machines do not suffer any damage by getting
disconnected from a domain - they just need to be re-registered!
Furthermore, the user can't even log on and do any damage -
hence his post!

The purpose of these newsgroups is to give posters factual
information. Suggesting that a machine that's been disconnected
is now compromised and that it needs to be rebuilt is, in my opinion,
grossly misleading. The same with the admin password: You knew
that there are tools to reset passwords, yet you suggested that a
rebuild could be required. It seems that what you say is not
always in agreement with what you know.
 
Enkidu

Pegasus (MVP) said:
Now why would a machine that's been moved off a domain be
compromised? Machines do not suffer any damage by getting
disconnected from a domain - they just need to be re-registered!
Furthermore, the user can't even log on and do any damage -
hence his post!

We have people who take laptops out to client sites. They sometimes
join their machines to the client Domains although we tell them not
to. Since we cannot guarantee the security of the clients' Domains,
these machines are considered compromised and are re-imaged. All
machines which have been connected outside the network are supposed to
be checked before they are reconnected to the Domain. This is as a
result of *experience*. People have been out to client sites for six
months or more, and not patched their machines or updated their AV in
all that time, and brought back viruses. We have not suffered a
Domain-wide infestation, and I attribute that in part to this policy.
I don't believe that this is an extreme policy - a few of the clients
have much stricter rules than this.

Pegasus, if you connected your machine to my Domain, (without actually
joining it) would you consider it to be safe when you connected it to
your own Domain? I suggest not. You cannot be sure that my Domain is
safe! The same also applies, only more so, to people who have "home
LANs".

Pegasus (MVP) said:
The purpose of these newsgroups is to give posters factual
information. Suggesting that a machine that's been disconnected
is now compromised and that it needs to be rebuilt is, in my opinion,
grossly misleading.

No, it is simple security, IMO. However the security policies of his
Domain may mean that he could be reconnected without being reimaged.

Pegasus (MVP) said:
The same with the admin password: You knew that there are tools
to reset passwords, yet you suggested that a rebuild could be required.

I had forgotten, temporarily, that the local admin password could be
reset. It's not something we often do.

Pegasus (MVP) said:
It seems that what you say is not always in agreement with what
you know.

Blame it on fading memory, not on any hidden agenda. <grin>

Cheers,

Cliff
 
Pegasus (MVP)

Enkidu said:
We have people who take laptops out to client sites. They sometimes
join their machines to the client Domains although we tell them not
to. Since we cannot guarantee the security of the clients' Domains,
these machines are considered compromised and are re-imaged. All
machines which have been connected outside the network are supposed to
be checked before they are reconnected to the Domain. This is as a
result of *experience*. People have been out to client sites for six
months or more, and not patched their machines or updated their AV in
all that time, and brought back viruses. We have not suffered a
Domain-wide infestation, and I attribute that in part to this policy.
I don't believe that this is an extreme policy - a few of the clients
have much stricter rules than this.

I see your point but it seems irrelevant to the OP's question.
What you first suggested was: "Since you've taken your machine
off the domain, it must be considered compromised". What you
might have wanted to say is "Since you have connected your
machine to another network, it could be compromised". That's
two entirely different things.

Enkidu said:
Pegasus, if you connected your machine to my Domain, (without actually
joining it) would you consider it to be safe when you connected it to
your own Domain? I suggest not. You cannot be sure that my Domain is
safe! The same also applies, only more so, to people who have "home
LANs".

I connect my laptop to lots of domains. It has the latest virus and
firewall protection. I have never had the slightest problem, neither
with hackers nor with viruses.

Enkidu said:
No, it is simple security, IMO. However the security policies of his
Domain may mean that he could be reconnected without being reimaged.

I had forgotten, temporarily, that the local admin password could be
reset. It's not something we often do.

Blame it on fading memory, not on any hidden agenda. <grin>

Cheers,

Cliff


We can probably summarise our discussion like so:

- Plugging an office laptop into a home network can
compromise a machine. The risk is reduced by having
a firewall and a virus scanner.
- To re-enable the machine, the OP needs a local account/
password, or his network admin must re-register the
machine on the domain.
- Local passwords can be reset if you have the right tools.
There is no need to rebuild the machine.
 
Enkidu

Pegasus (MVP) said:
We can probably summarise our discussion like so:

- Plugging an office laptop into a home network can
compromise a machine. The risk is reduced by having
a firewall and a virus scanner.
- To re-enable the machine, the OP needs a local account/
password, or his network admin must re-register the
machine on the domain.
- Local passwords can be reset if you have the right tools.
There is no need to rebuild the machine.

Fair enough, though my security policies would be tougher than yours I
think.

Cheers,

Cliff
 
