Can't Login After Domain to Workgroup Change in Windows
It's easy to leave a domain on a Windows workstation, but it's hard to get back in if it turns out that none of the local administrator accounts are functional. You can run into similar issues if you mistype the domain name when rejoining the domain. Fortunately, this situation is easily fixable using Emergency Boot CD.
This article explains how to restore the computer's membership in the domain, i.e. how to rejoin the computer to the domain, when you can't log in after a domain-to-workgroup change in Windows.
1. Description of the problem
After changing from Domain to Workgroup via Control Panel -> System or My Computer -> Properties, your computer no longer allows you to log on.
Leaving the domain turns out to have been a wrong move: all local accounts are locked, so there's no way to rejoin the domain.
2. How to fix the problem
You can unlock the local Administrator profile and reset the local Administrator password with Emergency Boot CD. However, in this case your old domain user profile will be lost, including Desktop shortcuts, My Documents, application settings in the HKEY_CURRENT_USER registry hive, the browser favorites list, and stored sessions and passwords.
There is a way to gain access to the computer and preserve your domain user profile: rejoin the old domain offline, from outside Windows, by editing the Registry directly.
Emergency Boot CD is a powerful toolset for fixing unbootable computers and recovering data from them. One of the EBCD tools is an offline Registry Editor, which can make changes to the Windows Registry from outside Windows.
There is a set of registry values that must be changed consistently with each other in order to switch from Workgroup to Domain or vice versa.
3. Updating registry: TCP/IP and NetBIOS parameters
The registry values that identify the domain membership of an NT workstation are stored under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key:
The NetBIOS computer name is also stored in the registry, in the values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName:REG_SZ and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName:REG_SZ. If you change the TCP/IP hostname, it's recommended to update the NetBIOS name too.
4. Updating registry: LSA policy database
LSA stands for Local Security Authority. The LSA Policy Database must be edited manually to rejoin an NT domain. It is stored under the HKEY_LOCAL_MACHINE\SECURITY\Policy key. This key is not readable in Windows regedit.exe from a local administrator account, but it is readable and writeable from the SYSTEM account, and thus the EBCD registry editor can read and write it too:
To rejoin the domain manually, copy the PolAcDmN and PolAcDmS values from the Domain Controller into the PolPrDmN and PolPrDmS values on the workstation.
5. If you don't have raw access to Domain Controller registry
If you don't have raw access to the Domain Controller registry, you can extract the cached domain SID from the user account list stored in the local registry. Look at the registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*. Find the user with the appropriate ProfileImagePath value and copy his or her Sid value.
Example user SID:
01:05:00:00:00:00:00:05:15:00:00:00:D5:CB:5C:58:43:17:0A:32:07:E5:3B:2B:EB:03:00:00
Domain SID derived from the example user SID (last 4 bytes dropped):
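The following is an added example, not code from the original article or from Emergency Boot CD. It shows the derivation from section 5 in working form: it parses the colon-separated hex bytes the offline registry editor displays, converts the SID to its familiar S-1-5-21-... text form, drops the RID to obtain the domain SID, and compares the result against the bytes you plan to write into PolPrDmS (section 4). It relies on the documented binary SID layout (revision byte, sub-authority count byte, 6-byte identifier authority, then 4-byte little-endian sub-authorities), which is why dropping the last 4 bytes alone is not enough: the count byte must be decremented as well, or the result is no longer a well-formed SID. All function names are this example's own, and the sample bytes are the article's example SID.

```python
import struct

# Constructed sample: the example user SID from the article, written as the
# colon-separated hex bytes shown by the offline registry editor.
EXAMPLE_USER_SID_HEX = (
    "01:05:00:00:00:00:00:05:15:00:00:00:D5:CB:5C:58:"
    "43:17:0A:32:07:E5:3B:2B:EB:03:00:00"
)


def hex_to_bytes(text: str) -> bytes:
    """Parse 'AA:BB:CC' (spaces or commas are accepted as separators too)."""
    parts = text.replace(",", ":").replace(" ", ":").split(":")
    return bytes(int(p, 16) for p in parts if p)


def bytes_to_hex(data: bytes) -> str:
    """Format bytes the way the registry editor shows them: 'AA:BB:CC'."""
    return ":".join(f"{b:02X}" for b in data)


def parse_sid(data: bytes):
    """Return (revision, identifier_authority, [sub_authorities]).

    Binary SID layout: 1 byte revision, 1 byte sub-authority count,
    6-byte big-endian identifier authority, then count x 4-byte
    little-endian sub-authorities. Raises ValueError on a malformed SID.
    """
    if len(data) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(data) != 8 + 4 * count:
        raise ValueError(
            f"length {len(data)} does not match sub-authority count {count}"
        )
    authority = int.from_bytes(data[2:8], "big")
    subs = list(struct.unpack(f"<{count}I", data[8:]))
    return revision, authority, subs


def is_valid_sid(data: bytes) -> bool:
    """True when parse_sid() accepts the bytes."""
    try:
        parse_sid(data)
        return True
    except ValueError:
        return False


def sid_to_string(data: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...' text form."""
    revision, authority, subs = parse_sid(data)
    return "S-" + "-".join(str(x) for x in [revision, authority, *subs])


def domain_sid_from_user_sid(data: bytes) -> bytes:
    """Drop the RID (last 4 bytes) AND decrement the sub-authority count.

    The article mentions only dropping the last 4 bytes; without also
    fixing byte 1 the result fails parse_sid(), and a domain SID written
    that way into PolPrDmS would not be the value the domain actually has.
    """
    revision, authority, subs = parse_sid(data)
    if len(subs) < 2:
        raise ValueError("SID has no RID to drop")
    return bytes([revision, len(subs) - 1]) + data[2:-4]


def check_polprdms(user_sid: bytes, polprdms: bytes) -> bool:
    """True when the PolPrDmS bytes equal the domain SID derived from a
    cached profile SID, i.e. the two registry values are consistent."""
    return domain_sid_from_user_sid(user_sid) == polprdms


if __name__ == "__main__":
    user = hex_to_bytes(EXAMPLE_USER_SID_HEX)
    domain = domain_sid_from_user_sid(user)
    print("user SID  :", sid_to_string(user))
    print("domain SID:", sid_to_string(domain))
    print("PolPrDmS  :", bytes_to_hex(domain))
```

Run it on the Sid value copied from the ProfileList key; the last line is the byte string to put into PolPrDmS, and check_polprdms() lets you confirm after editing that the value you wrote really matches the cached domain.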
6. Updating registry: Winlogon defaults
The default user and domain name for the Windows logon screen are stored in the Registry under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon key:
Usually the default domain name is set and the default user name is left blank, so it has to be entered manually at each logon.