Resetting a computer account

I am currently working on my 70-640 exam, and therefore I'm going through the MS training kit (second edition). On page 235 I noticed the following:

The author tells us that in case the computer loses its secure channel with the domain, we should not remove the computer from the domain, join it to a work group and then rejoin it to the domain. That might result in the computer account in AD being deleted (but does it? Usually the computer account is disabled when the computer is removed from the domain). Rather, one should reset the computer account in AD. But then we are told to re-join the computer as step 3 on page 236.

So what the author really wants to convey on page 235 is that you should not remove the computer from the domain, but rather FIRST reset the computer account in AD, and THEN remove it from the domain and rejoin the domain. Am I getting this right, or did I miss something? Weird that the author tells us to not remove and rejoin on page 235, but then tells us to do just that on page 236, without really elaborating.
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)

Comments

  • Psoasman Member Posts: 2,687
    Every now and then we have a computer that will not allow a domain logon due to losing the trust, etc. I just join it to a workgroup and then re-add it to the domain. Changing the computer to a workgroup won't remove it in AD. You may run into a permissions issue when trying to re-add the computer to the domain, as there will be a computer with the same name already present. If I remember right, you need a domain admin or higher to re-add a computer with the same name to AD.
  • 7lowe Member Posts: 178
    When you remove a computer from the domain it asks you to enter the credentials of someone with rights to do it. According to my boss, if you put your domain admin credentials there then it will delete the computer account from AD. I just took his word for it, left it blank & hit OK.

    Typically, we then reset the computer account and then rejoin the domain.

    As to what the author intends, I'm not really sure & I'm not sure if it matters whether you reset the account before or after pulling the computer from the domain & joining it to a work group. I've done it both ways & they seemed to work the same.
  • kj0 Member Posts: 767
    I just read through this section last week. I understood it as though if a computer has not connected to the domain for 30 days the password can get out of sync and cause a trust issue. In resetting the account on the domain the account will reset and be ready to accept a new connection from the workstation that has the same ID. So when you make the workstation a part of a workgroup, restart and then join back to the domain, the connection will be recreated and should be all sweet.


    I was surprised it didn't mention the trust relationship problem where the object has gone missing in AD (I mean really missing and has been deleted - but not by a user) and has to be rejoined to the network and resetting the account does not work. It's the only one I have come across (about 400 times in the last year) and I have not seen anything like the examples they talk about in the book.
    2017 Goals: VCP6-DCV | VCIX
    Blog: https://readysetvirtual.wordpress.com
  • SephStorm Member Posts: 1,731
    I know when we have an issue, we remove the PC from the domain, then reset (or delete and recreate, depending on the admin) the account in AD, then finally re-add the PC to the domain.

    If you are getting the "this computer was created using a different set of credentials" error, change the group that is able to join the computer to the domain to sys admins, or whatever group your account is in. By default, it will say domain admins, which is what Psoasman was talking about.

    FYI, I just learned that this week. ;)

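The thread disagrees on whether unjoining deletes or disables the computer account, and on how old the machine password has become. The following check, run before and after an unjoin, answers both for a given machine. It is an added example, not code from the thread or the training kit; it assumes the ActiveDirectory module (RSAT) is installed, `PC-EXAMPLE01` is a constructed name, and the 30-day default is the figure quoted in the thread.

```powershell
# Added example: inspect a computer account in AD before deciding to reset or rejoin.
# Assumption: ActiveDirectory module (RSAT) is available and you can read the object.
Import-Module ActiveDirectory

function Get-ComputerAccountState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,  # computer name, without the trailing $
        [int]$StaleDays = 30                  # threshold taken from the thread
    )
    try {
        $c = Get-ADComputer -Identity $Name -Properties PasswordLastSet, whenChanged -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The object is really gone: a reset cannot help, the machine must be rejoined.
        return [pscustomobject]@{
            Name = $Name; Exists = $false; Enabled = $null
            PasswordLastSet = $null; PasswordAgeDays = $null; Stale = $null
        }
    }

    # PasswordLastSet is empty for a pre-staged account that was never joined.
    $age = $null
    if ($c.PasswordLastSet) {
        $age = [int]((Get-Date) - $c.PasswordLastSet).TotalDays
    }

    [pscustomobject]@{
        Name            = $c.Name
        Exists          = $true
        Enabled         = $c.Enabled          # $false means disabled, not deleted
        PasswordLastSet = $c.PasswordLastSet
        PasswordAgeDays = $age
        Stale           = ($null -ne $age -and $age -gt $StaleDays)
        LastChanged     = $c.whenChanged      # moves when the account is reset or disabled
    }
}

# Constructed computer name; replace with the affected workstation.
Get-ComputerAccountState -Name 'PC-EXAMPLE01' | Format-List
```

`Exists = $false` corresponds to the deleted-object case kj0 describes, and `Enabled = $false` to the disabled account mentioned in the original question.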