Can't Login After Domain to Workgroup Change in Windows

It's easy to leave domain on the Windows workstation, but it's hard to get back if it turns out that none of local administrator accounts were functional. Also you can run into similar issues if you mistype the domain name when rejoining the domain. Fortunately, this situation is easily fixable using Emergency Boot CD.

This article explains how to restore computer membership in the domain, how to rejoin computer back to the domain, if you can't login after domain to workgroup change in Windows.

Contents

1. Description of the problem

After changing from Domain to Workgroup via Control Panel -> System or My Computer -> Properties your computer no longer allows you to log on.

Domain to Workgroup Change in Windows

But leaving the domain was a wrong move: all local accounts are locked, therefore there's no way to rejoin the domain.

2. How to fix the problem

You may unlock local Administrator profile and reset local Administrator password with Emergency Boot CD. However, in this case your old profile of domain user will be lost, including Desktop shortcuts, My Documents, application settings in HKEY_CURRENT_USER registry hive, browser favorites list, stored sessions and passwords.

There's a way to gain access to the computer and preserve your profile of domain user: rejoin the old domain offline of Windows, by editing Registry directly.

Emergency Boot CD is a powerful toolset to fix unbootable computers and recover data from them. One of EBCD tools is an offline Registry Editor, which can make changes to the Windows Registry from the outside of Windows.

There is a set of registry values that must be concordantly changed in order to switch from Workgroup to Domain or vice versa.

3. Updating registry: TCP/IP and NetBIOS parameters

Registry values which identify domain membership of the NT workstation are stored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key:

Value Name and Type Meaning
Hostname:REG_SZ Current computer name in domain
Domain:REG_SZ Current domain name
NV Hostname:REG_SZ New value of computer name in domain (will be applied when computer is restarted)
NV Domain:REG_SZ New value of domain name (will be applied when computer is restarted)

Also NetBIOS computer name is stored in registry values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName:REG_SZ and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName:REG_SZ. If you change TCP/IP hostname, then it's recommended to update NetBIOS name too.

4. Updating registry: LSA policy database

LSA is an acronym for Local Security Authority. LSA Policy Database must be edited manually to rejoin NT domain. LSA Policy Database is stored under HKEY_LOCAL_MACHINE\SECURITY\Policy key. This key is not readable from Windows regedit.exe from local administrator account, but it is readable and writeable from SYSTEM account and thus EBCD registry editor can read and write it too:

Subkey name, value name and type Meaning
PolPrDmN\(default):REG_NONE Primary Domain Name or Workgroup Name (binary-encoded and length-prefixed)
PolPrDmS\(default):REG_NONE Primary Domain SID (empty if computer is a part of workgroup)
PolAcDmN\(default):REG_NONE Account Domain Name: Computer Name on Workstation, Domain Name on Domain Controller (binary-encoded and length-prefixed)
PolAcDmS\(default):REG_NONE Account Domain SID (Machine SID)

In order to rejoin the domain manually, please copy PolAcDmN + PolAcDmS values from Domain Controller to PolPrDmN + PolPrDmS values on the Workstation.

5. If you don't have raw access to Domain Controller registry

If you don't have raw access to Domain Controller registry, you can extract cached domain SID from user account list stored in local registry. Look at the registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*. Find the user with appropriate ProfileImagePath value and copy his or her Sid value.

Example user SID:
01:05:00:00:00:00:00:05:15:00:00:00:D5:CB:5C:58:43:17:0A:32:07:E5:3B:2B:EB:03:00:00
Domain SID derived from example user SID (last 4 bytes dropped):
01:05:00:00:00:00:00:05:15:00:00:00:D5:CB:5C:58:43:17:0A:32:07:E5:3B:2B


Binary-encoded and length-prefixed domain name or workgroup name can be constructed as shown below:

  1. Prepare workgroup or domain name in ASCII format: WRKPLUS
  2. Convert to hex: 57:52:4B:50:4C:55:53
  3. Convert to UTF-16LE by appending 00 after each byte: 57:00:52:00:4B:00:50:00:4C:00:55:00:53:00
  4. Append 00:00 (UTF-16 NUL) and prepend 08:00:00:00 constant: 08:00:00:00:57:00:52:00:4B:00:50:00:4C:00:55:00:53:00:00:00
  5. Prepend 16-bit values 2N and 2N+2, where N is a length of ASCII string on the step 1; both values in hex form and little endian byte order: 0E:00:10:00:08:00:00:00:57:00:52:00:4B:00:50:00:4C:00:55:00:53:00:00:00


You can also convert workgroup/domain name to PolPrDmN/PolAcDmN format using this Javascript form:

Workgroup/domain name:
PolPrDmN/PolAcDmN format:

6. Updating registry: Winlogon defaults

Default user and domain name for Windows logon screen is stored in the Registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon key:

Value Name and Type Meaning
DefaultUserName:REG_SZ Default user name (first copy)
AltDefaultUserName:REG_SZ Default user name (second copy)
DefaultDomainName:REG_SZ Default domain name (first copy)
AltDefaultDomainName:REG_SZ Default domain name (second copy)

Usually default domain name is set and default user name is left blank, so it has to be entered manually on each logon.