Active Directory PC account change

I have a question for Active Directory/DC experts. If I edit some attributes on a domain member PC account (Windows 7 client), can it by any bad luck affect the DC at the point that Active Directory Users & Computers can't open on the server anymore?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

lsud00d

Were you editing in ADUC, ADSI, or via power shell?

Are you seeing anything in event viewer related to the ADUC issue? What do you mean by it can't open?

On the surface I haven't seen anything you're describing. Can you open other AD tools?

TLeTourneau

At first glance and without more detail I'd say generally not. I'm with lsud00d, need more details. What tool were you using and what attributes were you changing?

JasminLandry

You guys are right, not enough details. I'll explain what happened. Two weeks back, a colleague changed the name of a PC that was joined to the domain. So when he restarted and tried to login, it had an error similar to: the trust relationship between this workstation and the primary domain failed. So we couldn't login to the domain anymore. And my colleague lost the local admin password (he got **** for that) and we didn't have time to use a password recovery tool. I ended up going to ADUC (by using the console only.. from the admin tools installed on my PC). Edited some attributes (PC properties and going to the Attributes Editor tab). There I changed a couple of settings for 2 attributes that I don't remember on top of my head. Anyway, right after that change, we could log into the domain, fix all the mistake that was done on it and blah blah blah. Now today, 2 weeks later, my boss comes to see me and says they can't do backups anymore on the DC and when he RDPs to the server using "drum roll"... the domain admin password, he can't open ADUC (I didn't see the error message unfortunately). I don't know if he tried any other consoles. We are able to login remotely using our regular accounts but not physically on the server and with the domain admin.

JasminLandry

JasminLandry wrote: »

There I changed a couple of settings for 2 attributes that I don't remember on top of my head.

They are: dNSHostName and servicePrincipal Name!

lsud00d

I don't see those 2 attributes, let alone any object attributes, causing issue with opening up ADUC. If there are issues opening other components there might be corruption in the .dit but it's not like you directly edited the schema or anything...I think y'all are good (as far as not getting in trouble for this one

)

jibbajabba

lsud00d wrote: »

I think y'all are good (as far as not getting in trouble for this one )

Only if your management actually understands the technology. I got trouble from causing a VMware issues, which I even could prove with support tickets that it wasn't caused by anything I did - VMware was black magic to him so I had to take the "hit" ...

puertorico1985

I'm with lsud00d. Changing attributes on a workstation should not cause any problems opening ADUC on the server. The way the name was changed was not the proper way to do so (due to SIDs) but ADUC not opening is not an issue that was caused by changing attributes.

TLeTourneau

Changing those entries should not produce the problems you are seeing. You should however remove the workstation from the domain and rejoin to clear up some issues that can be caused by the way the AD was edited.

You need to look at the logs for any specific errors to troubleshoot the problem.

lsud00d

jibbajabba wrote: »

Only if your management actually understands the technology.

Hodgepodge, just tell 'em TE said so