First month as a SysAdmin... Deployed a Computer, It's not connected to the domain and the User can't get in ... I think I F****ed up

Posted by One_Stranger7794@reddit | sysadmin | View on Reddit | 311 comments

So I've deployed a laptop to someone several states away. While it was in transit, my boss implemented the LAPS process. Because this laptop was in transit when the GP would of been pushed, it doesn't have the LAPS set up. The user called me saying that when they try to log in, they get the message “the security database on the server does not have a computer account for this workstation trust relationship” I'm not sure why, it was part of the domain when it was shut down and shipped. I'm currently looking at the computer in FortiGate, and it has a whole new computer name (self assigned) it looks like it just completely did not save any of the configuration I set up before I shipped it... I think this was because I used a local admin account to set it up, added the users account, and then deleted the local admin account so it wouldn't appear on the log in screen. Anyway, so I have a situation where the user is a few hours away, I can't remote in to their system at all, I can't use LAPS to get in, and the local admin account I presume is gone/inaccessible because of what I did... Did I brick this laptop? Is the only thing to do to have him sent it back and start from scratch? Is there anyway way he can log in with any account at all on the laptop? I have the computer name and IP from Fortigate, but I can't ping their systems?? I just came from a password reset and turn it off, turn it back on environment... no idea how to deal with this, does anyone have any ideas?? PS: WORST case Ontario one of his colleagues quit and left the user in question his laptop to return to HQ, which he hasn't done yet so I've asked him to just log in on and use that for the time being... TL;DR: I shipped a computer far away that doesn't have a trust relationship with the domain so the user can't log in, and I deleted the local admin account (why? it seemed like a good idea at the time?) and LAPS wasn't pushed to it yet so can't use that either. ... Is there any way for me to avoid the embarassment of admitting I can't figure out how to log in this user and have my first official piece of mail with this company be a laptop I had to have someone overnight to me because I borked it??

Reply to Post

Reply

311 Comments

[-]

Nonstop_norm@reddit

You should have a local admin always for a break glass emergency like this. Not the built in admin though, that is a security risk. What I personally do is image, create a dummy (non-admin) user, create the true local admin from there, and then safely delete my dummy user after I have logged in as the user once.

Reply

[-]

One_Stranger7794@reddit (OP)

This is a good idea. For the local only admin, do you fully configure it to be local only ie you just save the password somewhere on your end and it's not connected to the domain at all?

Reply

[-]

Nonstop_norm@reddit

Correct and sorry for the delay getting back to you. it is fully local only. Has no tie or permission to the domain. So at very worst if someone guessed the password the most they could do is destroy one machine and nothing else. ANd there have been a few times, with Duo, I was glad to have it.

Reply

[-]

One_Stranger7794@reddit (OP)

Thanks for the reply! I ended up doing that, its part of my new deployment process now. Burnt once 3x shy haha

Reply

[-]

Nonstop_norm@reddit

Hey! You learned your lesson. That can't be said for everyone in this industry. Good on you.

Reply

[-]

x2network@reddit

It’s fine. You are still new

Reply

[-]

One_Stranger7794@reddit (OP)

Could of been much worse, and lessons have been thoroughly learned

Reply

[-]

Nova_Nightmare@reddit

You need to have a local account on all remote machines. Not for any other purpose but for troubleshooting these kinds of issues. This should be part of the process. User cannot connect to the domain, last account should be remembered as regards login information, so that a remote user could get in, in airplane mode or if they had no internet at home. Second, communication. If your boss issued such a change to the domain while a machine was in transit without it getting new settings, that's a communication problem. That needs to be fixed. Beyond that, I don't think your machine is bricked. Worse case scenario is shipped back, connected again or re-configured. To me, bricked is a dead machine. It's usually much easier to fix these issues for on site devices than remote devices.

Reply

[-]

One_Stranger7794@reddit (OP)

I have them sending it back, should be here this morning hopefully I can deploy it and have it out of the door by lunch today. Yeah honestly what I did the first time was a masters class in what *not* to do. Delete the local admin account, didn't make a local backup account on top of that, did not make sure that the users profile was cached on the machine for local log ins, and did not install unattended RMM software before I shipped it. Well, I won't be doing any of those things again.

Reply

[-]

temeyers@reddit

Your remote users are still hybrid joined?

Reply

[-]

Palepimp@reddit

Have them unplug the ethernet cable from the machine or disconnect from Wi-Fi. Should be able to log in with the user you set up. Usually with the error message you have, you would remove the computer account in your active directory, and then login as a local user again on the computer you gave them, then rejoin the domain using that local user. However I think you're going to have trouble since you deleted your local admin account. Not a good move there.

Reply

[-]

One_Stranger7794@reddit (OP)

They are sending it back, live and learn.

Reply

[-]

Izual_Rebirth@reddit

lol a “fuck up” like this would be a god send these days for me compared to what I usually have to deal with. Others have answered the technical side. I’ll answer the people side. Don’t worry about it. If this is the worst mistake you make you’ll be fine.

Reply

[-]

One_Stranger7794@reddit (OP)

thanks

Reply

[-]

Izual_Rebirth@reddit

How did it go?

Reply

[-]

One_Stranger7794@reddit (OP)

Like 95% of people said here, it wasn't a big deal. The person most freaked out about this was me, I told my manager about it and his attitude was 'well if there's no problem why are you wasting my time talking about it'. So yeah... much ado about *almost* nothing. Still I'm kind of glad it happened, it was a good wake up call... if I'm going to be a sys admin I have to have a much clearer understanding of the tech. processes I will be setting up, and need to come up with formalized/standardized procedures or else this is going to keep happening. And it was a kind of nice way to meet the community, I'm still blown away that out of the hundreds of comments only 2-3 decided to be rude/unhelpful

Reply

[-]

Salty1710@reddit

> and then deleted the local admin account so it wouldn't appear on the log in screen. ![gif](giphy|pPhyAv5t9V8djyRFJH|downsized)  I don't know what to tell you if you don't have a backdoor to get into the machine with. I know it's not helpful, but it needs to be said. Can they plug an eithernet cable in and does the machine check in through the firewall using the VPN? Assuming it's set to connect on startup?

Reply

[-]

silentstorm2008@reddit

> If anyone is curious, you just need to change the registry key for the last logon, and that way it will say whatever you want it to say. HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI You can either clear all the information, or put whatever you want to make it easier for the enduser. Used to do this all the time at an MSP where I log in afterhours to a clients pc and then in the morning they couldn't get in, because they didn't know how to switch user. Got tired of that crap, so I took the extra 30 seconds and opened that reg path to change it back to the end users' info. Make sure to include the domain if on the domain

Reply

[-]

Cam095@reddit

you’re a savior. the amount of teachers who can’t log in after i had to use the admin account is ridiculous. like you have two options rn, Administrator and Other User.. what are you

Reply

[-]

geekywarrior@reddit

"I don't know my user name, it's just always there"

Reply

[-]

da_chicken@reddit

That's why you enable the policy that prevents the system from saving the last logged on user.

Reply

[-]

SomeWhereInSC@reddit

good idea...

Reply

[-]

Obvious-Water569@reddit

Teachers are a fucking nightmare to support. Easily the worst part about working IT in a school.

Reply

[-]

pwnedbygary@reddit

Guess I know where to never get hired then lmao

Reply

[-]

Mysterious_Yard3501@reddit

I was a one man MSP for (2) K12 schools. Loved it. Always something new. Never anything hard. And the kids loved seeing me and started calling me Batman for some reason 😂

Reply

[-]

pwnedbygary@reddit

Cause you came in and saved the day most of the time?

Reply

[-]

tdhuck@reddit

Clicking 'other' is the easy part. Knowing what their username is...that's the hard part.

Reply

[-]

Mysterious_Yard3501@reddit

Mine always use their full email address lol

Reply

[-]

dreamfin@reddit

1000x this! Only way to have users to learn their username is to disable remember last user logged in from get go.

Reply

[-]

LotusTileMaster@reddit

OR get a password manager and make the users use that.

Reply

[-]

w1ten1te@reddit

A password manager that they can access from the Windows login screen?

Reply

[-]

LotusTileMaster@reddit

Or from their phone?

Reply

[-]

Mindestiny@reddit

In my experience, most people dont even *read* it. They just start typing their password. We even include the instructions on a paper tucked into the replacement laptop, and most users straight up throw it away then reach out to IT going "cant login, wat do?" where someone has to spoonfeed them the words on the screen.

Reply

[-]

Technical-Message615@reddit

Your laptop contained printed instructions. Please retrieve them from the bin, uncrumple them, and follow them. If you can't make do with that, please for the love of God, reconsider your vocation.

Reply

[-]

ObeseBMI33@reddit

I administrate this classroom.

Reply

[-]

deltashmelta@reddit

<administers concussion>

Reply

[-]

SomeWhereInSC@reddit

https://preview.redd.it/71d5zhizyk3d1.png?width=814&format=png&auto=webp&s=874cbda255f8e37d703a24d1a8bafb14a667747b So that LogonUI has a lot of keys, are you just deleting the whole thing to gert a blankl username?

Reply

[-]

silentstorm2008@reddit

Not all..just look at the ones that have user data... display name and username. Someone else said w11 requires changing the user id too

Reply

[-]

theborgman1977@reddit

Wrong you have to change 2 settings and one of them is GUID of the user you want to show last logged. It is slightly differant than Win 7.

Reply

[-]

223454@reddit

At my last job most of the staff thought only one person could use a computer. So if they saw another name on the screen they assumed all their stuff had been deleted. I had a VIP yell at me in an absolute panic because I had deleted all their stuff (I had to sign into their computer one time to fix something). After that I made sure to put the log in screen back if I had to log in. I also tried to educate them as much as I could. They were decades behind in their knowledge.

Reply

[-]

CyberPrag@reddit

Yeah I used to do the same but we took backup of the key mentioned and once done we simply restore the registry which gives the users their own login screen

Reply

[-]

fedtotheflames@reddit

An issue I’ve encountered that I never considered there was a fix for. Thanks for the tip

Reply

[-]

da_chicken@reddit

There's a group policy for it.

Reply

[-]

you_got_this_shit@reddit

I'm just a subadmin so I'm not allowed to change GPO's, but I do have remote access to registries. Definitely a handy tip :)

Reply

[-]

da_chicken@reddit

If it's generating tickets, bring it up. Making logging in less confusing at the cost of having to type in your username is not a big cost, especially if some of the tickets are people forgetting their Windows username when anybody else uses their computer. Most enterprises enable the GPO because it gives away the username of the last user. It's (slightly) more secure and more private.

Reply

[-]

KnowledgeTransfer23@reddit

> Most enterprises enable the GPO because it gives away the username of the last user. Does it still? I've only seen it show the person's name, not username. I think I've seen this behavior on both Win10 and 11. Maybe there's another policy set that controls this that I don't know about?

Reply

[-]

da_chicken@reddit

Hm, you may be right. But that's not necessarily *better* since you're revealing the full name of an employee.

Reply

[-]

you_got_this_shit@reddit

Good point, thanks!

Reply

[-]

One_Stranger7794@reddit (OP)

THANK YOU!!! Me trying to do exactly this (incorrectly) was what caused this whole thing. Saving your comment and adding it to my reference material!

Reply

[-]

bearded-beardie@reddit

Can also be done with GPO

Reply

[-]

Wild_Swimmingpool@reddit

This is where my head just went too. Just toss it into group policy and let it go.

Reply

[-]

bearded-beardie@reddit

We apply the about 95% of the CIS benchmark so don't ask me where it is in the like 500+ settings in there.

Reply

[-]

SithLordHuggles@reddit

IIRC it’s Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Interactive Login: Do Not Show Last Logged On User. Something like that

Reply

[-]

log1k@reddit

You just reminded me of my terrible MSP days.. I hated those stupid little calls. My god, do you not know how to switch users?

Reply

[-]

anomalous_cowherd@reddit

Of course not. That's what users *do*.

Reply

[-]

Rawme9@reddit

Just wanna add that I could not get this to work properly on Windows 11 - found the registry keys and they'd *technically* work as in you could enter the credentials of the account you changed the registry to and it would work, but the login screen would just show a gray key

Reply

[-]

silentstorm2008@reddit

Are you only changing the username? That worked on w10. Maybe in w11 you have to also put in the SID?

Reply

[-]

Rawme9@reddit

I did do the SID as well (which I think you're right that it's needed) - as far as I could tell there were 4 registry keys you had to change in 11. I was trying to script it so it'd be easier for users but couldn't ever get it to work manually

Reply

[-]

Sir_Badtard@reddit

You can also set the network ID in advanced system settings to achieve the same thing. I'm not saying one way is better than the other.

Reply

[-]

humptydumpty369@reddit

Brilliant. Gotta be smarter than the end-user!

Reply

[-]

Godcry55@reddit

Jesus, if you don’t know how to set up a domain joined computer then use google/co-pilot dude.

Reply

[-]

One_Stranger7794@reddit (OP)

Not so much the case as a lot of cross interaction... I shouldn't of removed the local admin account... the user should be able to hardwire into the companies network, which they say they cant... LAPS was pushed while this one computer wasn't available, so although using LAPS is the new way to handle this apparently it won't work for this... I did make a mistake, but this is also a confluence of other things. Additionally, if you read the other comments there may be more going on here.

Reply

[-]

Godcry55@reddit

My apologies, I will try and assist with a possible solution when I have time today if you’d like!

Reply

[-]

One_Stranger7794@reddit (OP)

No I'm sorry was just being salty, I was projecting my anxiety at having to call someone pretty senior in the company and tell them I made a mistake and I need their laptop back onto you. Fyi to resolve I did just ask them to send it back in... they were unhappy, but polite. I guess I had a fantasy of being perfect 100% of the time for some reason I just needed a reality check

Reply

[-]

Godcry55@reddit

You will always make mistakes in IT. Don’t sweat it dude

Reply

[-]

One_Stranger7794@reddit (OP)

Haha thanks, that's a hard lesson to internalize but I'm working on it

Reply

[-]

One_Stranger7794@reddit (OP)

It is set up to use the VPN for network drives and stuff, but configured to connect through the domain on any connection. I guess my question is, I originally set up the admin account using the oobe\\ Bypass NRO, went and configured everything and then removed that account. So that would be my only backup admin, there isn't some other built in local admin account I quess? And just to confirm, the reason these config changes dissapeared is because I removed the local admin account I made them on? I was under the impression they would remain persistent for all other users on the client even if the account that made them was no longer there... I'm guessing this is some flawed logic, and an expensive way to discover that.

Reply

[-]

Stokehall@reddit

Is bitlocker enabled? If so can you access the bitlocker encryption key? If you can disable bitlocker, then try the following: Post user a flash drive with any windows install on it (preferably the one you installed) Talk then through booting into the flash drive Tell them to press shift + F10 Get them to enter the following: cd /d D: If the command returns The system cannot find the drive specified, then that letter isn't right; try C and continue up the alphabet. Once you find the right drive, you'll want to change the directory again using the cd command. Type this line to access the System32 folder: cd Windows\System32 move d:\windows\system32\utilman.exe d:\windows\system32\utilman.exe.bak copy d:\windows\system32\cmd.exe d:\windows\system32\utilman.exe Restart the machine On login get them to hit the utility manager icon and it should open CMD get them to type: net user administrator /active:yes Then you are in. And you can reverse all these bits.

Reply

[-]

One_Stranger7794@reddit (OP)

Thank you for this! But as others mentioned, there is less that a 5% chance this user will be able to do this, and a 95% chance my boss will get a frustrated email from them. This is supremely useful though, I'm adding it to my reference material thank you!

Reply

[-]

Stokehall@reddit

lol I work in a software company so my users are above average IQ but even when I worked for a MSP, if it meant saving days of downtime some users were very happy to spend time doing a task like this, just have to set their expectations.

Reply

[-]

One_Stranger7794@reddit (OP)

This user has a hotswap with him already, so his motivation to fix his new system is close to nil. I was actually considering asking them to facetime with me and point the camera at the screen so I could see what they were doing/direct more effectively haha

Reply

[-]

Salty1710@reddit

... I can't *imagine* walking a user through this.

Reply

[-]

Stokehall@reddit

I have, normally done over a video call, but if you can, might save a visit or a weeks downtime to send the laptop back and redeploy.

Reply

[-]

One_Stranger7794@reddit (OP)

Oh that's my one saving grace. In this case, the user already has 2 systems, the borked one I deployed and a working one their coworker who abruptly quit left and didnt return to HQ, which they are using now without issue

Reply

[-]

joshghz@reddit

But if you *did*, the user would feel like they're the protagonist in a bad movie.

Reply

[-]

One_Stranger7794@reddit (OP)

".... I'm in."

Reply

[-]

DOUBLEBARRELASSFUCK@reddit

If you've got them for their whole 8 hour work day, should be fine. Good luck getting all of those slashes in the right direction.

Reply

[-]

Seedy64@reddit

I can and have done so many times. It takes the patience of a saint, but can definitely be done.

Reply

[-]

damik@reddit

"CD windows back what? I don't have a Windows CD. The windows looks like it is already installed! Fix it already!"

Reply

[-]

NebraskaCoder@reddit

😂

Reply

[-]

Meanee@reddit

That Utilman hack was patched quite a while ago

Reply

[-]

in50mn14c@reddit

You're overthinking all of this. You configured the whole system for domain based authentication, but if the user is remote they're gonna have to connect to their wireless and also authenticate via VPN. If they can't see the DCs, they can't login and will get the domain trust fail message.

Reply

[-]

boli99@reddit

OPs says that the computer name has changed OP also said that the error they get is '*the security database on the server does not have a computer account for this workstation trust relationship*' that sounds more like 'i can talk to the DC but it doesnt have an account for me' than 'i can't see a DC' i think the user might have 'helpfully' tried a system restore, and restored to a time prior the machine being fully set up - because that could bring back an original self-assigned computer name (*...and it might even have brought back the local admin account that he had deleted too....*)

Reply

[-]

Sufficient-Class-321@reddit

If the user has done this, then OP can in theory pull the ol' switcheroo and say it would have been fine if user didn't factory reset the machine "was any of this ethical? hell no...."

Reply

[-]

One_Stranger7794@reddit (OP)

As much as I would like to, I doubt this user knows what restore points are or how to use them

Reply

[-]

boli99@reddit

then if you work out what caused a change of computer name... i'd love to hear what it was. because that doesnt happen by accident.

Reply

[-]

Intelligent_Recipe64@reddit

Agreed. Pretty much this.

Reply

[-]

greet_the_sun@reddit

AD users need connectivity to a domain controller when they first login to a pc to cache the profile and authenticate, if the user is going to be remote then either: 1. You need to login to the laptop as that user in the office first and then reset their password. 2. Have a process in place for them to connect to the vpn before windows login. 3. have a way to access it remotely and unattended like screenconnect/teamviewer so they can just connect it to wifi/wired and you can remote in, login to windows connect to vpn and then have them login to load the profile.

Reply

[-]

One_Stranger7794@reddit (OP)

Well... I'll take this as a lesson then. I am discovering today that we do infact have unattended software I could of put on there, but I didn't ask so I wasn't told.. Will certainly be doing that for the next one. Ahhh so it's sounding like I need to actually get my hands on this system

Reply

[-]

KnowledgeTransfer23@reddit

> I'll take this as a lesson then. Since you're amenable to learning lessons, please don't kill me for this one: it's "could have" not "could of." You've made that mistake multiple times on this thread.

Reply

[-]

One_Stranger7794@reddit (OP)

I won't lie I am in the salt today, but I do want to use the correct words so I appreciate it

Reply

[-]

greet_the_sun@reddit

If you're installing applications by hand still then at the very least you should have a network directory or usb stick with all of those installers available or some kind of documentation of what's needed, if none of that exists and your boss just told you to "setup a laptop" then he's failed to provide you the info you need to do your job. Long term you should probably look into GPO's for software installation, this is stuff that's pretty easy to automate.

Reply

[-]

clubley2@reddit

Why did you need to bypass network OOBE? That's only needed for home machines. If you select setup for work and school then click sign in options and local domain join you won't need the workaround. Unfortunately there is no way to repair the trust relationship without removing the device from the domain and re-adding it. What remote support software do you use? The RMM tool I use has a remote command prompt that runs as admin. I have used it to create admin accounts when the original account password has been lost. If you can get admin access you can then connect to VPN and re-add the device to the domain.

Reply

[-]

One_Stranger7794@reddit (OP)

I'm not sure to be honest, that was my one instruction for setting this system up. I will have that set up for next time, unfortunately the VPN requires the user to sign in, then sign in to the VPN at the moment... though looking at our tools what you've described is very possible

Reply

[-]

CrocodileWerewolf@reddit

That’s not quite true, you can use PowerShell to initiate a machine password reset from the machine which will restore trust without removing and re-adding it to the domain. Of course it still needs admin access to the machine and connectivity with the domain.

Reply

[-]

clubley2@reddit

Good point, I guess what I really should have said is there's no way to do it server side like they were asking.

Reply

[-]

rUnThEoN@reddit

How about taking a test device, redo your steps and test if you could do anything even with local access?

Reply

[-]

Salty1710@reddit

I don't bother with a users oobe here so I can't provide any advice there. A deployed machine in my environment has a couple different ways for me to access it both locally and remotely in case of a user profile problem.

Reply

[-]

superninjaman5000@reddit

This is why we always create local admin and user accounts on all our machines.

Reply

[-]

SilkBC_12345@reddit

>This is why we always create local admin and user accounts on all our machines. Exactly this. We always make sure ther eis a local admin account, just in case.

Reply

[-]

One_Stranger7794@reddit (OP)

well i did do that... i just killed it on the way out in a flash or brilliance...

Reply

[-]

nouartrash@reddit

![gif](giphy|9WXyFIDv2PyBq)

Reply

[-]

Normal_Compote7774@reddit

Lol this is why we're being replaced my MDM systems

Reply

[-]

One_Stranger7794@reddit (OP)

Well exactly. Because they are better than any person could be at doing it by hand.

Reply

[-]

barkingcat@reddit

I worked in IT / service desk for 10 years, and in the case where I fucked up, I don't bother the user - it's not their fault. I set up a new computer right now, properly, and overnight drop ship to them with the highest priority shipping possible. Once they have the computer and is able to do their work, it's my responsibility that the user ships back the first laptop. I don't have as much technical advice, but for a service experience, this is the only way to get them what they need to do their work.

Reply

[-]

Character-Sale-4098@reddit

I agree with everything except for the trust part. A lot of people in IT are shady fuckwads.

Reply

[-]

FartInA__Mitten@reddit

adding on, don’t be afraid of the “cost” of this mistake. shipping overnight is, what, $200? a mistake less than $500 is basically a rounding error for the business. it’s not your money. it’s not your finances. stop thinking about it on the scale you use for yourself. $200 is nothing in the grand picture of a business. when your mistakes start costing $20k or $200k, then the business cares a whole lot more.

Reply

[-]

survivalist_guy@reddit

I once cost the business about 30-40k by bungling internal DNS, but didn't realize it right away (about an hour outage, maybe a bit less). As soon as I realized it was my change I came clean, said "I think it's the DNS config I just did, someone want to look at it with me?". I think it's the only reason I didn't get canned. I was still pretty junior at the time too, so maybe I got a bit more leeway.

Reply

[-]

CARLEtheCamry@reddit

You probably don't need overnight in this case. Ground shipping with UPS or FedEx can usually get it 3 states away in a single day. Difference is that it's day-definite, not time definite so it will get there when it gets there and not by say 10:30AM like a priority overnight package, but it's a difference of like $120 vs $20 for ground shipping. We use FedEx at my work and looking at it now and to get it from PA to VA it's $150 to get it there by 10:00AM, $120 by noon, and $20 ground shipping at any time (which can be in the morning depending on the route.) We do centralized shipping for my company across the country, and yeah if the user is down we'll do priority but if it was a replacement and they can still use their old device, it's going ground. I tracked how much I saved the company for a year and worked that into my review and got a promotion a few years ago.

Reply

[-]

Wartz@reddit

If you are shipping workstations off prem you should be using Intune instead of AD to manage them.

Reply

[-]

One_Stranger7794@reddit (OP)

We should... the name of the game is hodgepodge around here though. I think I am personally going to push for Intune after this though

Reply

[-]

Wartz@reddit

It doesn’t cost anything extra if you already are invested in Microsoft infrastructure. Do you use m365 apps and licenses?

Reply

[-]

One_Stranger7794@reddit (OP)

Yes! We are MS licensed up the wazoo, so no idea why were still using pure AD in the first place!! Intune looks so much nicer to use

Reply

[-]

Wartz@reddit

If you’re a sysadmin what’s stopping you from starting the process to test it out and get some working infrastructure up?

Reply

[-]

One_Stranger7794@reddit (OP)

been here about 14 days now... trying to strike a balance between having no direction, being useful, not breaking anything (too late) while still feeling out the infrastructure here. I have senior responsibilities but junior authority I guess you could say, but then again I am new

Reply

[-]

Wartz@reddit

Spend 6 months reading up on Intune and playing in a sandbox, then you’ll be ready when you do start gaining more authority. You’ll also be able to design a plan of action that makes your leader team feel more comfortable. You can spin up sandbox Intune instance with the 365 developer trial to learn how it works.

Reply

[-]

One_Stranger7794@reddit (OP)

I am actually going to start on this today and make it a main personal project for any downtime here! Besides MS documentation, are there any sources/courses/certs you might recommend?

Reply

[-]

Wartz@reddit

Intune.training YouTube channel is invaluable for this. :-) If you want some official training, Johans professional services are fantastic. https://academy.viamonstra.com/

Reply

[-]

One_Stranger7794@reddit (OP)

thank you!

Reply

[-]

AspieEgg@reddit

That depends on the license. It comes with **Microsoft** 365 Business Premium, F1, F3, A1, E3 and E5, but it does not come with **Microsoft** 365 Business Basic, Business Standard, **Office** 365, F3, E1, E3, or E5. I learned that one the hard way when a client had Office 365 E5 and I told them "no problem, InTune comes with E5".

Reply

[-]

xBloodcrazed@reddit

This guy is a sys admin while I'm in help desk with a wealth more knowledge smh

Reply

[-]

Beforethef4all@reddit

I agree this is an entry level help desk fkup. However, instead of wasting your energy on comparisons why don't you work on your interview skills and go apply? Sitting spitefully on helpdesk for eternity isn't going to do you any good.

Reply

[-]

One_Stranger7794@reddit (OP)

No offense but being a sys admin is as much about people as it is the tech... you may know more, but you also may be in the right place professionally

Reply

[-]

gwatt21@reddit

Maybe your in help desk because of this type of response?

Reply

[-]

xBloodcrazed@reddit

Well if I was this rude to people I would not of lasted long in help desk. I was venting but going about it the wrong way.

Reply

[-]

us3rnam3ch3cksout@reddit

i was gonna call you out for being rude but i guess you acknowledge it. good for you.

Reply

[-]

esisenore@reddit

Roflmao . I didn’t see your response but I was going to type out your response word for word pretty much. Like dude never made a silly mistake before

Reply

[-]

paratora@reddit

We all make mistakes. We all learn from it. It doesn't make us better than the guy sitting next to us - or in your case, in the other office.

Reply

[-]

xBloodcrazed@reddit

You're not wrong and I apologize to op. I'm letting my own frustrations take hold.

Reply

[-]

paratora@reddit

If you feel like you have those fundamentals down though, you should consider asking for more sys admin tasks or available roles at your current place. Otherwise, beef up your resume with the things you do know/that tie into sys admin work and spin that into some interviews at a better position. Can't have the good minds withering away on helpdesk duty forever.

Reply

[-]

Beforethef4all@reddit

No offense but this is more of a helpdesk/service desk 101 thing.

Reply

[-]

Talk2theBoss@reddit

Looks like you have this one figured out. We changed how we did deployments during the pandemic, and for any new hires, we would have them do a remote session to cache credentials on their new device before shipping it out. Maybe something to try next time.

Reply

[-]

One_Stranger7794@reddit (OP)

That is a good idea, setting things up with them live. It seems like there is always a problem/something missed/something not working (or everything in this case) the way were currently doing it

Reply

[-]

iBeJoshhh@reddit

Seems like you need to ship a replacement with a return label.

Reply

[-]

One_Stranger7794@reddit (OP)

Done, currently eating that plate of humble pie

Reply

[-]

jocke92@reddit

Do you have start before logon in your vpn-client? Did you sign in the user before you sent the laptop?

Reply

[-]

One_Stranger7794@reddit (OP)

i did sign them in, but there account doesn't appear to be locally cached unfortunately. I have to look into that. Also we have our VPNs set up so that you have to sign in to them once logged in, this has prompted me to start exploring VPNs that connect at boot. Would make my whole departments job a lot easier

Reply

[-]

jocke92@reddit

There's both VPNs that connects a limited firewalled VPN that only gives access to limited services. It connects by certificate. And there's ones that require user interaction to connect the VPN. About the error message your user received. I don't recall if you can configure an expiry date on cached credentials. But that would not suit your environment either way since your VPN requires user to sign in prior to connection. How many days was it between you signing in and the user trying? You normally see that error of a computer has lost trust. Eg. The computer account has changed its password but not the domain controller or vice versa. Someone tried to join a computer with the same name or deleted the computer account. But since the computer don't have any connection to the domain/internal network it can not be any of that. What about the clock, since it could have ran out of battery?

Reply

[-]

One_Stranger7794@reddit (OP)

You know, the clock never occured to me until you said that! I didn't even check it, that could actually easily be it! It was in transit for about 5 days, I don't think that is long enough for it to break domain trust. Then again though, like you said maybe there was a password change that didn't replicate properly and caused a conflict when the system finally was back online

Reply

[-]

jocke92@reddit

Maybe the user had noticed if the clock was off. And if it's a brand new laptop then the battery should be good. I'd say it should survive 5 days in sleep. And it should go into deep sleep before it's totally empty. But I could have a bad battery from the start. If it's something with a password it must have happened exactly when you powered down the system. When it doesn't have contact with the domain it doesn't know what is happening on the domain. We'll see when the computer gets back. And we'll learn from that. What tweak has to be done or if it was just bad luck

Reply

[-]

One_Stranger7794@reddit (OP)

Well one thing about this is I learned a lot. Namely, no system shall ever pass my desk again without having a backdoor account and an unattended RMM being installed

Reply

[-]

exterminuss@reddit

i would go one Step further than your resolution: Always have a local Account on machines without Admin rights aswell, Password per Laptop, So you can have User login, try if their internet is actually working and if you have a remote app like teamviewer, Anydesk etc. have you remote in and then remote join that fucker or do whatever is needed

Reply

[-]

One_Stranger7794@reddit (OP)

Believe me, nothing is leaving this building anymore without domain join user account being tested twice and the same goes for the unattended RMM that is now going on everything

Reply

[-]

luke_woodside@reddit

It seems like to me somebody removed the computer from AD. Either that or the PC name for some reason did not save. Weird issue, the fact that message came up indicated the computer thinks it’s joined to a domain.

Reply

[-]

Mysterious_Yard3501@reddit

Why is Ontario the worst case?

Reply

[-]

SuggestionNo9323@reddit

If vpn was setup to always connect then it should be able to connect. However, since the backdoor account was nuked most admins are not comfy with walking a user remotely though how to hack the login screen via the safe boot recovery screen. So sending it back and redoing it would be the best solution.

Reply

[-]

One_Stranger7794@reddit (OP)

believe me, I definitely will be doing that!

Reply

[-]

theborgman1977@reddit

GPO do not work accross Remote connection. Come on MS give us a delayed application of GPOs. Also, they rarely work over VPN unless it is a site to site via a firewall. Also, the change user password and updating the cached credentials rarely works. MS says it does. Out of 1k deployments maybe 10 worked.

Reply

[-]

One_Stranger7794@reddit (OP)

Sigh... so even when everything goes right... maybe still not so much. Gotta love MS! Seriously, if they ever got it together a lot of people would probably be out of work

Reply

[-]

theborgman1977@reddit

We started to install via Intune. It has GPO like features. Remember most GPOs apply when the user first logs in. Before any VPN can activate. Also, if you are using folder redirection you have to run recursive GPO that applies device GPO vs User. We ended up switching most clients to one drive with a SaaS backup solution.

Reply

[-]

One_Stranger7794@reddit (OP)

I think we are going to start doing the same with Onedrive as we have a ton of MS licensing set up anyway, and we do a lot of re-direction for network drives that have been moved and moved again... it's a quiet nightmare

Reply

[-]

theborgman1977@reddit

Sharepoint is what we coverted network deive

Reply

[-]

Conscious-Calendar37@reddit

Sounds to me like you need to rethink your deployment strategy. If you are using Intune and have no local app authentication requirements then you should entra join using the pre-provision flow. Never ship a PC without some unattended remote control tools installed. Also, policies should ALWAYS be set prior to shipping out.

Reply

[-]

One_Stranger7794@reddit (OP)

We do no to rethink it, we actually don't have one really just a sort of 'get it working asap and ship it'. After this, I've asked and gotten the approval to create a comprehensive step by step guide I will put on our Sharepoint for future reference/hires. I'm looking at Entra join, we actually don't have many, if any, apps that are being locally authenticated, everything is licensed/authenticating through cloud. Yes... this whole thing needs to be built from the ground up, and automated as much as possible. I think at a bare minimum we should have an image we can just push to a client instead of sitting there with a bunch of isos and exes etc. clicking and installing

Reply

[-]

Conscious-Calendar37@reddit

Yeah if your apps are all Saas through intune then you 100% should go to Entra Joined. This flow will save your users so much time and pain and therefore make you the hero! [https://learn.microsoft.com/en-us/autopilot/pre-provision](https://learn.microsoft.com/en-us/autopilot/pre-provision)

Reply

[-]

One_Stranger7794@reddit (OP)

That is a very interesting and exciting read... thank you for the link. I am actually going to forward this to my manager right now.. it's going to take me about a month to get him to let me start even playing with Intune, but building a bedrock of information for him to convince him is definitely a good start. This community is really awesome btw, I thought I was definitely going to be crucified but was wiling to put up with it out of desperation haha

Reply

[-]

Conscious-Calendar37@reddit

We all screw up occasionally. It's nice to have a community that understands and shows support and offers potential solutions. Check your Microsoft 365 License to make sure you have access to Intune. [Feature Matrix | M365 Maps](https://m365maps.com/matrix.htm)

Reply

[-]

b456123789@reddit

Or have a backup local admin account where after being deployed & Confirmed all ok the temp admin account can then be delegated.

Reply

[-]

dimitrioo1@reddit

running the following should fix the domain trust relationship issue: Reset-ComputerMachinePassword -server AWS-DC01 -credential yourdomain.local\admin-user-acct E.G. running with domain admin account Reset-ComputerMachinePassword -server AWS-DC01 -credential VincentBenjamin.local\dimitrioo E.G. without domain account - using local admin or workgroup creds: Reset-ComputerMachinePassword -server AWS-DC01 -credential DESKTOP-ABC0123\LocalAdmin

Reply

[-]

One_Stranger7794@reddit (OP)

Thank you! Unfortunately the DC can't connect to their computer and vice versa, despite them knowing about each other. But I've saved these for my reference for later

Reply

[-]

dimitrioo1@reddit

Are you using a vpn?

Reply

[-]

Impossible_IT@reddit

Did you join it to the domain? Sounds like they can't login because their domain profile wasn't setup initially.

Reply

[-]

sltyler1@reddit

This. OP, did you sign in with any domain profile? If so give them the password and then reset that account after you get everything squared.

Reply

[-]

One_Stranger7794@reddit (OP)

It was domain joined and tested before it was shipped

Reply

[-]

sltyler1@reddit

But did you sign in with a domain account?

Reply

[-]

purplemonkeymad@reddit

> “the security database on the server does not have a computer account for this workstation trust relationship” Have you checked the AD Recycle bin for the computer account. It looks like the machine was joined, but it was either deleted from AD or ad was reverted to a point before the join. It can also happen if you have replication issues between your domain controllers, it was joined on one side of the issue, but user is authenticated to the other.

Reply

[-]

One_Stranger7794@reddit (OP)

We don't have AD recycle bin enabled for some reason... I'm going to have to ask about that. Seems like it's disabled for no reason?

Reply

[-]

purplemonkeymad@reddit

Maybe it was never enabled, it was not always a thing. I want to say 2008r2 or 2012 level.

Reply

[-]

One_Stranger7794@reddit (OP)

Ah I think that's most likely the case. In any event I will be enabling it, thanks

Reply

[-]

Humble-Plankton2217@reddit

Can the user connect to wifi and then the VPN pre-logon? Can you send them a different laptop and have them ship this one back?

Reply

[-]

One_Stranger7794@reddit (OP)

Ive asked them to ship it back, unfortunately the VPN can only be accessed after logon

Reply

[-]

J00lyK0ng@reddit

All I can say is you will look back on this and laugh. We all make mistakes, some more serious than others, but in the scheme of things, this is a minor inconvenience at best. I've had issues with domain controller demotions which knock out sign in capabilities, app upgrade breaking things and users not reporting it for months and many other things. These are all learning opportunities, to help you get better and gain a more critical eye. At least this only affected a single user and shipping a replacement isn't the end of the world. They don't pay us to know everything. It just so happens IT gets shat on more when they make mistakes, but HR and other depts going rogue and breaking their own systems goes unmentioned and is no problem. No sweat!

Reply

[-]

J00lyK0ng@reddit

All I can say is you will look back on this and laugh. We all make mistakes, some more serious than others, but in the scheme of things, this is a minor inconvenience at best. I've had issues with domain controller demotions which knock out sign in capabilities, app upgrade breaking things and users not reporting it for months and many other things. These are all learning opportunities, to help you get better and gain a more critical eye. At least this only affected a single user and shipping a replacement isn't the end of the world. They don't pay us to know everything. It just so happens IT gets shat on more when they make mistakes, but HR and other depts going rogue and breaking their own systems goes unmentioned and is no problem. No sweat!

Reply

[-]

Moist_Lawyer1645@reddit

You should never leave a device without a local admin. The only options you have now are either: - Get the device posted back and ask for help next time (Easier and simpler) - Get the end user to reimage while guiding him on connecting to the domain, then using whatever mdm or gpos to push what's needed. - Make sure they have line of sight to the domain controller from the remote location.

Reply

[-]

One_Stranger7794@reddit (OP)

I'm getting in posted back, I would note want to walk through re-imaging with this user to be honest.

Reply

[-]

dimitrioo1@reddit

DM me

Reply

[-]

mavrc@reddit

there's a lot of people in here giving good technical advice so let me jump in here as an Old and say that this is embarrassing but ... it will not be your last time. And that's OK. I started sysadmin'ing in the 90s and the last time I made a fuckup that embarrassed *me* was about two weeks ago, when I deployed a cluster system with the wrong image despite triple-checking the image name, and got to spend the day undoing what I did. I was, in fact, so adamant that I got it right that I pulled all the action logs and... proved I did it wrong. Whoops. I would wager everyone here has stories like this pretty regularly- we all fuck shit up from time to time despite our best intentions. Even if you have to pull this system back or ship a replacement, this too shall pass.

Reply

[-]

CFH75@reddit

is there any local account on the machine? If so walk the user through logging into it. Get vpn working then join it to domain. Then do whatever else you need. if no local account your fucked.

Reply

[-]

One_Stranger7794@reddit (OP)

I think maybe their account should be cached locally I will ask them to disconnect from everything and try that

Reply

[-]

CFH75@reddit

Good call.

Reply

[-]

00001000U@reddit

I'd just swallow your pride, admit your fault and ask your boss what his next steps would be. You fucked up, everyone does it. Just try not to do it again exactly like this. ¯\\\_(ツ)\_/¯

Reply

[-]

Simmery@reddit

And the fuckup is one single laptop. If that's the worst mistake you ever make as a sysadmin, you'll be extremely lucky.

Reply

[-]

KnowledgeTransfer23@reddit

The fuckup is the round trip post for a laptop. The user can still work on the backup machine there, and OP can reimage the laptop when it gets sent back. OP, you're good. Just show humility and ask for help, and express that you understand your mistake, are taking notes, have learned even more cool solutions in your research to solve this, and it won't happen again, if you can help it! No boss or manager should dislike that.

Reply

[-]

sysadmin189@reddit

There is the context. I've fucked up WAY bigger than that. lol

Reply

[-]

NoConundrum@reddit

Cries in accidentally deploying a firewall rule that stopped DHCP...

Reply

[-]

DawgsGonEat@reddit

Sameeee lol

Reply

[-]

everettmarm@reddit

Right. If you’d done this via GPO to 12,000 PCs I’d feel for you.

Reply

[-]

mdotshell@reddit

To err is to be human, but to really fuck things up is to automate

Reply

[-]

Palmovnik@reddit

Yea next time forget to send it with a charger

Reply

[-]

kodakhloedex@reddit

I had that happen a few times whenever we rolled out LAPS. For whatever reason rebooting the computer twice made fixed the issue.

Reply

[-]

disposeable1200@reddit

This is not related to LAPS. I would be surprised if OP is even using LAPS based on this shit show.

Reply

[-]

kodakhloedex@reddit

I mean, they specifically mentioned they setup LAPS, and that's the same error that our environment got right after implementing LAPS as well.

Reply

[-]

disposeable1200@reddit

It's not LAPS though. It's domain trust. LAPS is a local account so wouldn't do this.

Reply

[-]

One_Stranger7794@reddit (OP)

LAPS is local but does it need to connect to the domain to authenticate, ie it needs a vpn connection first

Reply

[-]

disposeable1200@reddit

Don't try and explain to me now laps works when you can't even get a device to login remotely lol You should be just joining to Entra and using Windows LAPS anyway much easier.

Reply

[-]

phantom_eight@reddit

I don't think your screwed up. Seems obvious there isn't a defined process for setting up a laptop and shipping it out to an employee. Or.... if there is... it's bad/incomplete OR you didn't follow it OR it didn't take into account the changes made after you sent the laptop. Only one of these options is bad.... the other two options are in the category of "shit happens" and if anyone can't see that....... fuck 'em Just ship out another laptop and follow your deployment procedures if they are established. Tell them to return the other... no biggie.

Reply

[-]

Alex_2259@reddit

Easily solved and common blunder, you aren't losing much face. Explain to the user that this issue requires access to the company network, and have your logistics center send a label and a box if he got rid of the one you sent. But send in a hot spare so he doesn't have to serve the double return whammy if possible. Explain this situation to your boss and also your solution and move on.

Reply

[-]

One_Stranger7794@reddit (OP)

Thanks for the advice, I think I'm going to have to go this way. Lucky for me, the user already has a spare loaded up they are using now. Not looking forward to that call sigh... but hey I guess pain is the best teacher

Reply

[-]

Alex_2259@reddit

Honestly man this is a really small blunder. You aren't actually working if you're not making some mistakes in my opinion. Explaining to the user professionally that there was an error during staging and I am sure they'll be fine with it. If your employer is punitive against small mistakes, than a long term goal would be to find a new job. I realize that's the Reddit answer to everything, but it's no way to live life under constant anxiety that you will be demeaned over such small mistakes. Usually it's a matter of simply fixing it in short order and moving on. I have taken down production lines before, of course didn't repeat the root mistake but things happen and no one can possibly work perfectly.

Reply

[-]

Right_Pack4693@reddit

Freshie SysAdmin roles must be the scariest thing, I swear. My company has an IT department of 3 people (a Software manager, my SysAdmin manager and me, a zero-exp-first-IT-job freshie) servicing 200+ endpoints, so yeah, we are the helpdesk too haha so far I've been busy on-boarding and off-boarding users, and deploying updates/patches, and now I'm responsible for setting up new laptops. I'm deathly afraid of messing up someone's computer halfway across the ocean in Japan or Korea. I keep wondering if I should have started as Helpdesk but my friends say since I'm already here might as well, and helpdesk pays 1/3 less.

Reply

[-]

One_Stranger7794@reddit (OP)

Your company sounds very similar to mine, there are 3 of us managing about 500+ endpoints, the network, hardware, software everything. It's a little frustrating, because I was brought in to ease some of the pressure on IT, but because everyone is busy already there is no teaching here, the idea is 'if you were smart enough to be hired you should be smart enough to figure out what you should be doing and how to do it' Lucky for me this was minor(ish) I guess

Reply

[-]

Obvious-Water569@reddit

There are a few rookie mistakes here but don't worry; you are still a rookie. The message they're getting suggests that the computer record has been deleted from AD or the computer name has been changed without re-registering with the domain, not that it can't talk to AD. If there was no connection to AD, the message would be something like "there are no servers available to process the logon" or "the trust relationship failed". Never put computers out in the wild without local admin account or at least some endpoint management tool as a backdoor in case of domain trust relationship issues like this. Sending the computer on its way before LAPS was applied was a booboo. The cleanest way to resolve this is to have the machine shipped back and re-registered with the domain unfortinately. Take this learning experience as a win.

Reply

[-]

One_Stranger7794@reddit (OP)

Thanks, tough pill to swallow but so be it

Reply

[-]

checkpoint404@reddit

Why the fuck is a sysadmin setting up a laptop lol this is help desk shit and even if you deployed LAPS when the laptop was in transit that wouldn’t break trust. LAPS if configured correctly disables all local admins other than what is specified, etc. So include LA ground, DA, etc. A DA logging into a workstation where I work is a literal last resort and shouldn’t be happening, we don’t need our credentials being around the domain. Setup descriptors and move on. It’s a good system and the native application is a step forward. Get remote access to the machine, establish a VPN connection and fix your mistake this should be simple work for a SA in my opinion.

Reply

[-]

Final_Environment188@reddit

..sysadmin do help desk roles… it’s part of sysadmin roles .. help desk is technically sysadmins

Reply

[-]

checkpoint404@reddit

Whatever you say kid…I’ve been an SA for over a decade and I’m not imaging machines…not doing help desk stuff…

Reply

[-]

Final_Environment188@reddit

Well then maybe it’s where you live because that’s common where I am , and the rest of people here .

Reply

[-]

One_Stranger7794@reddit (OP)

THANK YOU for all the advice! Lots of great ideas, and more than that useful professional tips to carry into the future to make sure stuff like this doesn't happen again. PS: It's also really interesting (and frightening) to see the range of knowledge, personalities and troubleshooting directions people bring to the conversation.

Reply

[-]

jkdjeff@reddit

Just image and ship a new device. None of the possible options to try to resolve this remotely are good ones. Time management is an important skill.

Reply

[-]

One_Stranger7794@reddit (OP)

Ah ok thanks that was my instinct. I will have to make the call and explain that the brand new laptop I just shipped the user had to be shipped right back ugh... but nothing else (effective or honest) can be done I guess. Also fyi the user does have an alternate system they can use in the meantime, them returning their new system in this rare case doesn't equal any downtime for them... I'm just realizing now how lucky that is

Reply

[-]

benderunit9000@reddit

Don't sweat it too much. Important part is learning from it.

Reply

[-]

p65ils@reddit

Very much this. When you eventually get the first one back, work the bugs out of your process by taking it home and simulating what the remote users would be doing.

Reply

[-]

thrashmasta5@reddit

Sounds like a help desk problem not sysadmin

Reply

[-]

One_Stranger7794@reddit (OP)

Here its all the same thing

Reply

[-]

Jwatts1113@reddit

Why? You drew the attention of the Elder Gods of Computing, and they are all about chaos. It's easy enough to fix, but you have to have a connection back to the domain. I'd say it's time to rip the band aid of shame off and have it shipped back. The longer you wait, the worse it's going to hurt.

Reply

[-]

One_Stranger7794@reddit (OP)

yeah I'm about to call them... let the bandaid ripping commence!

Reply

[-]

djgizmo@reddit

Lulz. You made a mistake. Be back big man and OWN IT. You didn’t take the entire network. You didn’t crash the server. You didn’t stop all of sales from functioning. Prep another laptop, overnight it. Don’t delete local admin. Follow your existing SOPs. Talk to your boss about how you can do better.

Reply

[-]

pokemon666999@reddit

If it has RMM software, get it connected to WiFi and some RMM’s can issue powershell/CMD commands in the background. Create a new local admin account and work it out through that.

Reply

[-]

JWK3@reddit

and if they don't have RMM software, consider this situation a lesson learned, and look into getting some remote management tooling that has an agent/local admin on the machine. Being able to push a script or small config change over the internet and report on your estate is so much more powerful than standard GPOs and Remote Assist alone.

Reply

[-]

Pronces@reddit

The laptop should have QuickAssist by default.

Reply

[-]

One_Stranger7794@reddit (OP)

It would, but unfortunately they need to log in to do thta

Reply

[-]

Pronces@reddit

Oh yeah lol. Idk why u would delete local admin man, lesson learned I guess

Reply

[-]

Hotshot55@reddit

> consider this situation a lesson learned I think it's considered a lesson learned either way.

Reply

[-]

One_Stranger7794@reddit (OP)

So looking into it now.. we do, but it's only enabled on certain systems where it was deemed 'necessary', although it seems like a button push more or less to push out the utility to everything on the domain so in the future this will be the case. I'm going to bring this up to my manager next time I see him thank you

Reply

[-]

angrysysadminisangry@reddit

Worst case Ontario... A man of culture, I see.

Reply

[-]

One_Stranger7794@reddit (OP)

![gif](giphy|xtIFv9wWZD5gQ|downsized)

Reply

[-]

Dolphin1998@reddit

For a second I thought I was in r/ShittySysadmin

Reply

[-]

LeTrolleur@reddit

no kidding, the second I read that they deleted local admin I facepalmed.

Reply

[-]

One_Stranger7794@reddit (OP)

thanks

Reply

[-]

sitesurfer253@reddit

I'm sure it will be on there soon if not already

Reply

[-]

CopperKing71@reddit

The fact that you’re getting an error about a missing trust relationship indicates you have connectivity to the domain. If you were offline, you would only be able to logon with a cached credential or a local user account. You wouldn’t see the same error. That said, I didn’t think you could delete an account when it’s the currently logged on account. So… which account did you use to delete the local admin account? That account may be cached. Pull the system off the network (no connectivity to the domain) and see if you can log on with that cached credential. Unless, that is, you completely disable cached logins….

Reply

[-]

One_Stranger7794@reddit (OP)

I actually should disable that in the future, but as of now have not so that could work!

Reply

[-]

Barking_Mad90@reddit

Just send out a new one asap and say config issue which requires rebuild. Bring the old in and flash. Move on and take it as a learning exercise. Hopefully your boss is not petty.

Reply

[-]

One_Stranger7794@reddit (OP)

Boss is very hands off and not petty, honestly after reading all the comments and experiences from people much smarter than me in this thread, I think what is on the line the most is my professional ego... which I should not pay much credence to because I'm still making basic mistakes. I admit, I am probably going to use the 'config issue' explanation.. which I guess is technically the truth

Reply

[-]

MartianMH_@reddit

When you say you setup the user account, did you login with the account of the user? If yes then the user should at least be able to login with the cached credebtials, they just have to disconnect it from the VPN. Is the user Admin on the machine or did you at some point login with your admin account?

Reply

[-]

MartianMH_@reddit

Also, check in the AD recycle bin if there is maybe the computer object with the correct computername

Reply

[-]

One_Stranger7794@reddit (OP)

That did not occur to me I will do that now thanks. Just checked, nothing in there I will keep that in mind for the future though

Reply

[-]

HorseMasksOnly@reddit

I Second this. Have the user try to login while disconnected from any internet source and see if the computer will still take the cached credentials.

Reply

[-]

One_Stranger7794@reddit (OP)

I will try this thank you! Last ditch attempt before asking them to post it back

Reply

[-]

One_Stranger7794@reddit (OP)

I logged in with my admin account unfortunately

Reply

[-]

ManWithoutUsername@reddit

The best thing you can do is send another computer and investigate what up when he return the old one The price of send a package worth compared for the price of employeer day lost... and your time trying deal with a remote problem.

Reply

[-]

One_Stranger7794@reddit (OP)

Oh they do, I'm just being a baby I guess as this is my first mistake.

Reply

[-]

looctonmi@reddit

I would check the LAPS GPO to see if a separate local admin account was configured, just in case the policies went out before you shipped it. Something here is really strange because computers shouldn’t fall off domain that quickly. Tip, when deploying computers, check its status in your MDM before packing it up for shipment.

Reply

[-]

CrazedTechWizard@reddit

I mean, all of these ideas are great and all but like...some of them seem way more work intensive than just configuring a new laptop, over-nighting it, and going "Hey boss, I messed up but I've already fixed it." Likely not worth the time to try and walk the user through anything. Most of the people I work with would be fine with a "Hey, we implemented a new process between the time I shipped your laptop and the time it arrived and I need to over-night you a new one. My apologies for the inconvenience."

Reply

[-]

Final_Environment188@reddit

Why didn’t you delay the shipment knowing GP would be pushed? Now they probably have to send it back or set it up remotely

Reply

[-]

Erenik19@reddit

What about remote access ? Any XDR where you can use PS as system ?

Reply

[-]

DoubleTGaming2k@reddit

Why delete the local admin? I usually sign in as the user first and then just reboot the machine, the local admin disappears from the bottom left corner on the login screen then and it defaults to the user. Either way they can just hit Other.. always keep a back door into a machine, especially one that can be accessed on the login screen

Reply

[-]

j0mbie@reddit

Got a back door into the system, such as through an RMM? Just use that to fix it. You can create a new local admin account via command line, powershell, scripts, etc. and then go from there. No back door? Think you can walk the user through one of the old tricks to get into a system without an admin account? Do that. You'll probably want them to video chat you with a camera pointed at the screen. You might need to make them the proper USB drive they'll likely need and overnight it to them. Or, use something like ImmyBot or InTune or (the windows local version who's name I can't remember) to just re-deploy it, remotely. Lastly, they're a few hours away? Hop in the car. We've all been in that situation before in our careers. Load up some podcasts and your beverage of choice. You can also spend the time thinking about ways to prevent this in the future :)

Reply

[-]

EngineeringNew9560@reddit

If it has a different hostname, it sounds like someone has wiped it. It won't reset its self. Get them to send it back.

Reply

[-]

S1ckR1ckOne@reddit

I got this Error when the PC was in a Not completed rename state. Rebooting the PC solved the error. There is also a PS command to reset the security Database. Sometimes it helps. But you probably cant Access a shell If you are Out of the oobe process. Only Thing i could think of would be the utilman.exe cmd.exe Swap. If you have bitlocker activated this wont work.

Reply

[-]

bendem@reddit

First month and no one checked what you did before shipping? It's your managers problem, your not at fault for not knowing.

Reply

[-]

boli99@reddit

>a whole new computer name (self assigned) is it the original self-assigned name it had when you built it? maybe user 'helpfully' did a system restore? and is helpfully not telling you about it? maybe? ...if they did that - then it *might* have restored the original admin account you used to set it up. its a bit of a long shot, but i cant think of many other ways for the computer to get renamed.

Reply

[-]

BennieTheBook@reddit

When you added the users account, you logged into the computer as the user while connected to the domain? If yes, the user should be able to login with that password you used.

Reply

[-]

watCryptide@reddit

Did you logon with something other than the local account? If so unplug the machine from any network connection, cabled or WiFi and login with the caches credentials

Reply

[-]

sysadmin-84499@reddit

User is trying to login when no domain is available. They have no physical connection to the domain.

Reply

[-]

mallet17@reddit

No way around this.. get the laptop back, load the Windows ISO with USB boot to do the local administrator password reset (Google will give lots of articles about this) and make sure you have LAPS do its thing after you rejoin to domain.

Reply

[-]

BlairBuoyant@reddit

Hell. You need that device on a vlan that can join to solve the device trouble. Otherwise, your job is triage of what you can save until you can operate. Knowing nothing of your infrastructure, do you have a secure gateway to remote access off network? Are you able to join domain after establishing vpn? (I found out yes I could in my case) Can you provide a suitable workaround for staff that won’t compromise your expectation or their demands beyond reason? Whatever you do, don’t hide it, but how you disclose it come next business morning depends on how all stakeholders manage until then.

Reply

[-]

hounds_of_pluto@reddit

Can you get to a remote terminal? Your remote access tool or anti virus may have this feature. If so, you can use net user to enable the built in administrator account and troubleshoot the connection. Also if you can get to poweshell (assuming you have connectivity to the dc) you can use test-computersecurechannel —repair -credentials (get-credentials) to repair the ad connection.

Reply

[-]

RS503@reddit

You said that you "added the users account". That sounds like a local account, then? That won't require domain connectivity. Just have them enter that user name as .\username. If it's a local account, that should get them in. Once they're in, you can deal with getting LAPS and stuff working.

Reply

[-]

phileat@reddit

Send a new laptop. Shit happens.

Reply

[-]

TopherBlake@reddit

You are a new employee and it's one laptop. I would image a new one and send it off as soon as possible after explaining the issue. It's just a learning experience until you lie about it or are the only one who knows the issue

Reply

[-]

NativeNatured@reddit

Zoho assist. Create local admin account. Install agents.

Reply

[-]

ItsBmud@reddit

You can always install Hirens on a usb and use the lazesoft password recovery to reset the default administrator account and then login with the local admin on the computer to be able to do what you need to do, Hirens has saved me 100s of times whenever I can’t get connected to a computer and for whatever reason the local admin password is different then what we have documented

Reply

[-]

MedicalIntention2852@reddit

Talk the user through resetting the computer and go through OOBE. Once back in Windows have them install Teamviewer Host and remote in.

Reply

[-]

gwatt21@reddit

Or just use quick assist. Built into windows

Reply

[-]

agoia@reddit

Yup, when you deleted that local admin, you... kinda fucked it. Might as well prep a replacement to cross-ship while they mail that one back.

Reply

[-]

Shikyo@reddit

There is some solid advice here. But also... Is this sysadmin related? This would be work for my user support team.

Reply

[-]

ipokethemonfast@reddit

Add the computer to the domain. Either take it to site or connect over VPN

Reply

[-]

MrExCEO@reddit

Create a temporary site to site vpn as worse case. Use an external firewall as client site. Is this over the top? Maybe. Will it work, yes.

Reply

[-]

Ok_Exchange_9646@reddit

You create the domain accounts, security groups, domain admins, etc not locally but on the domain controller.

Reply

[-]

Inf1n1teSn1peR@reddit

Okay a couple of things here it is best practice not to remove the local admin from the machine for these reason. I would suggest you use a name that is not admin or administrator for this purpose. Second thing is if you did create the user profile on the machine always test by logging in at least once as this will cache the credentials in the device so that the user can log in even if the domain controller is not available at that time. I'm not sure how a machine would just delete it's name or domain information as this information is stored in a place that only admins can access. Now you could try to walk the user through the process of hacking into the machine by replacing the onscreen keyboard with cmd and creating a admin account that way, but that process is messy and hard for a inexperienced user. Best way would probably be to bit the bullet and have them ship that machine back while you prep and ship a new one to the user to avoid extra down time.

Reply

[-]

Distinct-War-3020@reddit

Walk the user through a factory reset and creating a new account. Fix it remotely.

Reply

[-]

laincold@reddit

Veeam recovery media. It's nice tool that can enable default "administrator" account. There are other ways but this is one of the easier. Not gonna hide the f up tho...

Reply

[-]

pittyh@reddit

Yep, say you stuffed up, and get them to send it back.

Reply

[-]

SevTheNiceGuy@reddit

send them another computer and have them ship the broken one back so you can reimage it.

Reply

[-]

Which_Factor_2322@reddit

So iv been out of the industry for a minute but laps is through group policy so wouldn't you use gpupdate with PsExec from Sysinternals toolset Just replace Computername with the actual hostname of computer?

Reply

[-]

netsysllc@reddit

it is remote and not vpn connected

Reply

[-]

pittyh@reddit

Can the user get internet at all? Can the user install something like teamviewer?

Reply

[-]

CartographerSad8007@reddit

Is this user connecting back using VPN?

Reply

[-]

One_Stranger7794@reddit (OP)

they would be yes, but they can't log in to enter their credentials

Reply

[-]

disposeable1200@reddit

So uh Then it can't see the domain controllers So the user can't logon Wow. Basic 101 of logging in remote users . Do you not have a standard build process? Is this the first remote user your company has ever onboarded? No Entra ID or Autopilot? So much that can be done differently, and so many things wrong with this. Who supervises you and tells you how to do things?

Reply

[-]

LostRams@reddit

Relax lol, what’re you gonna do, complain to their supervisor? It’s a learning lesson.

Reply

[-]

osxdude@reddit

you don't have a fallback manual directory-based VPN login?

Reply

[-]

disposeable1200@reddit

New user first logon... Needs to be machine based VPN usually

Reply

[-]

osxdude@reddit

My place of work has a backup 30 min limited VPN using straight AD creds just for this reason (i.e. machine based even fails) (or…they don’t use machine based at all? I’m not on the team lol)

Reply

[-]

disposeable1200@reddit

That seems insecure. All VPNs should be machine specific certificate based with a compliance check, or user driven with MFA. Or hell, come over to 2020 and use Entra Join with Autopilot. I will never recommend joining machines on premises unless there's some incredibly large barrier or problem - and even then it's usually worth fixing that first.

Reply

[-]

osxdude@reddit

we live in hell what can I say

Reply

[-]

disposeable1200@reddit

:( sorry You can always get a different job if it's still a shit show after repeated attempts to educate management

Reply

[-]

tkecherson@reddit

I think the issue is can't log in to the computer to connect the VPN

Reply

[-]

underling@reddit

.\\useryousetup use the local user cache you set up for them to log in, don't reference the domain. So if im underling@corpo.com use .\\underling

Reply

[-]

National_Suspect_494@reddit

This is the answer, can at least get the user working off the local account you set up on the laptop

Reply

[-]

MeasurementThin5346@reddit

You created Do you have access to the .\Administrator passwords?

Reply

[-]

pmd006@reddit

>I think this was because I used a local admin account to set it up, added the users account, and then deleted the local admin account so it wouldn't appear on the log in screen. That doesn't sound like the behavior of a domain joined PC. That sounds like you created a local user account for them and never joined the PC to the domain at all.

Reply

[-]

KaitRaven@reddit

If it wasn't domain joined, it wouldn't complain about the trust relationship with the DC

Reply

[-]

Rigenz@reddit

I have gotten around this: “the security database on the server does not have a computer account for this workstation trust relationship” By making sure the PC isnt connected to internet, neither wifi or hard wired. I was able to get into that user account then have them connect it back to internet so I could remote in

Reply

[-]

pentangleit@reddit

If your user hasn’t logged in to that other laptop themselves yet then they won’t be able to do so without a domain present. Cached credentials won’t be present. If your user has the scope to create a site-to-site VPN on their router to en you could always create a tunnel and ask the user to specify DNS as a domain controller.

Reply

[-]

Jeremy_Zaretski@reddit

> I think this was because I used a local admin account to set it up, added the users account, and then deleted the local admin account so it wouldn't appear on the log in screen. > [...] Is there anyway way he can log in with any account at all on the laptop? You annihilated all local administrator accounts and the computer is unable authenticate any network account credentials. Without the ability to elevate your permissions on the computer, fixing anything will be rather difficult because nearly all important things require administrative access. Check your server logs and see if the computer is contacting them. The fix, if any, would have to be done solely from the server side, otherwise you'll probably have to get the computer shipped back to you.

Reply

[-]

Eightfold876@reddit

Is the user connected to their home network? Sounds like they just didn't connect their laptop to the internet and expected it to work like normal.

Reply

[-]

MartianMH_@reddit

The message he describes only appears with connection to the DC

Reply

[-]

orev@reddit

Being connected to a home network will have no bearing on whether the computer can connect to a corporate domain controller that's behind a VPN.

Reply

[-]

hasthisusernamegone@reddit

There's zero chance of it connecting to the VPN without a network of some sort.

Reply

[-]

Hexnite657@reddit

It could spontaneously become sentient and connect itself. Never say never.

Reply

[-]

Genoblade1394@reddit

We all fuck up, talk to your boss, otherwise ship a replacement laptop or hire task rabbit to go to the location and be your eyes and ears, maybe ship a boot disk to the user first, FaceTime is your friend.

Reply

[-]

Stokehall@reddit

Is bitlocker enabled? If so can you access the bitlocker encryption key? If you can disable bitlocker, then try the following: Post user a flash drive with any windows install on it (preferably the one you installed) Talk then through booting into the flash drive Tell them to press shift + F10 Get them to enter the following: cd /d D: If the command returns The system cannot find the drive specified, then that letter isn't right; try C and continue up the alphabet. Once you find the right drive, you'll want to change the directory again using the cd command. Type this line to access the System32 folder: cd Windows\System32 move d:\windows\system32\utilman.exe d:\windows\system32\utilman.exe.bak copy d:\windows\system32\cmd.exe d:\windows\system32\utilman.exe Restart the machine On login get them to hit the utility manager icon and it should open CMD get them to type: net user administrator /active:yes Then you are in. And you can reverse all these bits.

Reply

[-]

kerubi@reddit

Deleting the local admin was a mistake, but it did not undo your changes. To login to domain you need line of sight to DC, this should be obvious. Or you can login locally with cached credentials, but first you would need line of sight to cache the credentials by logging in.

Reply

[-]

AustinGroovy@reddit

Re-image.

Reply

[-]

CheeseLife840@reddit

You know if the user never connects the device to their WiFi they also get that error.

Reply

[-]

cooncheese_@reddit

Yeah look, for what it's worth sure it sounds like you went around this in a stupid round about way. But, you should be able to fix all this via the usage of RMM / remote access tools. If those aren't deployed on a computer you sent hours away, then the organization needs to get their shit together.

Reply

[-]

lucky77713@reddit

Honestly can't you just make sure it's not connected to the internet at all and it will still prompt you the login to the domain? Normally if I have this and I have the internet cable plugged in it won't log in. But if I unplug the cable it still will. Usually only applies if that user has already logged in though at some point.

Reply

[-]

Realming_Grape@reddit

Just remove from domain and then rejoin

Reply

[-]

xBloodcrazed@reddit

Tell your user to disconnect from wifi and then try logging in I've had it happen where a user was able to use their PC as long as no VPN was connected

Reply