Recipe 16.20. Resetting a Computer Account

Problem

You want to test the secure channel of a computer and reset the computer account if it is failing.

Solution

Use the following command to test a secure channel for a computer:

> nltest /server:<ComputerName> /sc_query:<DomainName>

If this command returns errors, such as ERROR_NO_LOGON_SERVERS, try resetting the secure channel using the following command:

> nltest /server:<ComputerName> /sc_reset

If that doesn't help, you'll need to reset the computer account as described next.

Using a graphical user interface

  1. From the Administrative Tools, open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Beside Find, select Computers.

  5. Type the name of the computer and click Find Now.

  6. In the Search Results pane, right-click on the computer and select Reset Account.

  7. Click Yes to verify.

  8. Click OK.

  9. Rejoin the computer to the domain (Recipe 16.18).

Using a command-line interface

You can use the dsmod utility to reset a computer's password. You will need to rejoin the computer to the domain after doing this:

> dsmod computer "<ComputerDN>" -reset
> dsmod computer "cn=rallen-wxp,cn=computers,dc=rallencorp,dc=com" -reset

Another option is to use the netdom command, which can reset the computer so that you do not need to rejoin it to the domain:

> netdom reset <ComputerName> /Domain <DomainName> /UserO <UserUPN> /PasswordO *
> netdom reset rallen-wxp /Domain rallencorp.com /UserO rallen@rallencorp.com /PasswordO *

Using VBScript

' This resets an existing computer object's password to the initial default.
' You'll need to rejoin the computer to the domain after doing this.
set objComputer = GetObject("LDAP://<ComputerDN>")
objComputer.SetPassword "<ComputerName>"

Discussion

Every member computer in an Active Directory domain establishes a secure channel with a domain controller. The computer's password is stored locally in the form of an LSA secret and in Active Directory. This password is used by the NetLogon service to establish the secure channel with a domain controller. If for some reason the LSA secret and computer password become out of sync, the computer will no longer be able to authenticate in the domain. The nltest /sc_query command can query a computer to verify its secure channel is working. Here is sample output from the command when things are working:

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\dc1.rallencorp.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Here is sample output when things are not working:

Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

When you've identified that a computer's secure channel has failed, you'll need to reset the computer account, which consists of setting the computer object password to the name of the computer. This is the default initial password for new computers. Every 30 days Windows 2000 and newer systems automatically change their passwords in the domain. After you've set the password, rejoin the computer to the domain, since it will no longer be able to communicate with a domain controller due to unsynchronized passwords (the computer's local LSA secret still holds the old password and doesn't know the account has been reset). However, if you use the netdom reset command, it tries to reset the password both on the computer and in Active Directory, which, if successful, means you do not need to rejoin it to the domain.
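
The test-then-reset sequence from the Solution can be scripted. The following PowerShell is an added example, not code from the book; it runs the two nltest commands exactly as given above and decides from the Status line shown in the sample output. The function names Get-ScStatus and Invoke-ScTriage and the result strings are hypothetical.

```powershell
# Added example, not from the book. Function names are hypothetical.
function Get-ScStatus {
    # Extract the numeric status from nltest output. The trailing
    # "The command completed successfully" line appears in both samples
    # in the Discussion, so only the Status line is trusted.
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match 'Status\s*=\s*(\d+)\s+(0x[0-9a-fA-F]+)\s+(\S+)') {
            return [pscustomobject]@{
                Code = [int]$Matches[1]; Hex = $Matches[2]; Name = $Matches[3]
            }
        }
    }
    return $null   # no Status line at all: treat as a failed check
}

function Invoke-ScTriage {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $DomainName
    )
    # Step 1: query the secure channel (first command in the Solution).
    $s = Get-ScStatus (nltest "/server:$ComputerName" "/sc_query:$DomainName")
    if ($s -and $s.Code -eq 0) { return 'Healthy' }

    # Step 2: attempt a channel reset, then query again to confirm.
    nltest "/server:$ComputerName" /sc_reset | Out-Null
    $s = Get-ScStatus (nltest "/server:$ComputerName" "/sc_query:$DomainName")
    if ($s -and $s.Code -eq 0) { return 'RepairedBySecureChannelReset' }

    # Step 3 is manual: dsmod or netdom as described above. A dsmod or
    # VBScript reset leaves the account password equal to the computer
    # name until the rejoin, so plan the rejoin to follow immediately.
    return 'AccountResetRequired'
}

# Constructed check using the failing sample output from the Discussion.
$failing = @(
    'Flags: 0',
    'Trusted DC Name',
    'Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS',
    'The command completed successfully'
)
$status = Get-ScStatus $failing
"Parsed status: $($status.Code) $($status.Hex) $($status.Name)"
```

To run the live check, dot-source the file and call Invoke-ScTriage -ComputerName <ComputerName> -DomainName <DomainName> from an account that is allowed to run nltest against the target.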

See Also

Recipe 16.18, MS KB 216393 (Resetting Computer Accounts in Windows 2000 and Windows XP), and MS KB 325850 (HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows Server 2003 Domain Controller)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
