Netdom Functionality - Expired server domain passwords

  • Question

  • Hi,

    I am trying to find a way to reset the domain password between development machines (which are sometimes turned off for several months, or booted as other machines) and the domain in our development lab. I have not had great results.

    I've been experimenting with the Netdom reset command (W2K3 R2) and I cannot get the server to reset its password with the domain unless the machine has a valid trusted connection to the domain.

    If I can log on to the server with a domain account (the machine account has a valid password in AD) I can run the netdom reset with no issues - but why would I want to?

    If I cannot log on to the server with a domain account (the machine password has either been reset or expired) and use the local server administrator account, the netdom reset command does not work and I get an "access is denied" message - but isn't this why you would want to run the reset?

    The syntax I use is the same:
    netdom reset "MyServerName" /domain:"mydomain" /UserO:"MyServerName\administrator" /PasswordO:"The-local-admin-PW"

    Unfortunately there is no option for the /UserD (domain user).

    I have also tried the NLTest but have had no better results.

    Does anyone know of a version of netdom that would work to reset the computer passwords of disjoined servers, or know of another utility that would help me accomplish what I'm trying to do?

    Thanks in Advance,

    Monday, October 19, 2009 7:11 PM
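Added example, not from the original thread: a PowerShell script that does what the question asks for, checking the server's secure channel to the domain and repairing it from a local-administrator session while supplying a domain credential explicitly (the thing `netdom reset` has no `/UserD` switch for). It assumes a member running Windows 7 / Server 2008 R2 or later, where the in-box `Test-ComputerSecureChannel` cmdlet exists, so it does not apply to the Windows Server 2003 R2 box in the question; the domain name `mydomain` and the DC name `dc01.mydomain.local` are placeholders.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the member
# server while logged on as a LOCAL administrator; no working domain logon is needed.
# Placeholders: domain 'mydomain', DC 'dc01.mydomain.local'.
param(
    [string]$Domain = 'mydomain',
    [string]$Server = 'dc01.mydomain.local'
)

# 1. Read-only check: does the machine's stored secret still match its AD account?
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host "Secure channel to $Domain is OK; nothing to do."
    return
}

# 2. Broken channel. Ask for a DOMAIN account that is allowed to reset this
#    computer's account (e.g. a member of Domain Admins, or one with 'Reset password'
#    on the computer object). Prompting keeps the password out of scripts and RunOnce.
$domainCred = Get-Credential -Message "Domain account allowed to reset the machine password of $($env:COMPUTERNAME)"

# 3. -Repair resets the computer account password on the DC named in -Server and
#    rewrites the local LSA secret in one step, authenticating to the DC with the
#    supplied credential rather than with the caller's (local) identity.
if (-not (Test-ComputerSecureChannel -Repair -Server $Server -Credential $domainCred)) {
    throw "Repair failed: check name resolution to $Server and that $($domainCred.UserName) may reset the computer account."
}
Write-Host "Secure channel to $Domain repaired; no reboot required."

# 4. Independent confirmation with the in-box nltest tool.
nltest "/sc_verify:$Domain"
```

The same sequence can be placed in a RunOnce entry as the question suggests, but then the domain credential would have to be stored on disk where every local administrator can read it; running the repair interactively, or from a scheduled task under a gMSA, avoids that.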

All replies

  • Hello HG,

    This is well documented here:

    At a command prompt, type the following command:

    netdom resetpwd /s:server /ud:domain\User /pd:*

    A description of this command is:

    • /s:server is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running.
    • /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
    • /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.

    For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:

    netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*

    Isaac Oben MCITP:EA, MCSE
Monday, October 19, 2009 7:28 PM
  • Hi Isaac,

    Thank you, but I have read all the documentation that I could get hold of (for NT4, 2K, XP, 2K3 and 2K8).
    Bottom line is that if you try to use netdom resetpwd from a member server that has an expired domain password you will receive the message below (yes, I did use RunAs for the cmd prompt):

    The machine account password for the local machine could not be reset.
    The specified domain either does not exist or could not be contacted,
    The command failed to complete successfully.

    Now if I use the:
    netdom remove "servername" /d:domain /UserD:domain\user /PasswordD:"my password" /UserO:"local admin" /PasswordO:"local password"

    followed by the:

    netdom join "servername" /d:domain /UserD:domain\user /PasswordD:"my password" /UserO:"local admin" /PasswordO:"local password" /OU:"my ou" /reboot:10

    Then the machine will leave and rejoin the domain correctly - so it's not that the domain cannot be reached (the error above is therefore bogus).

    Bottom line is that the resetpwd option is more for domain controllers, and the reset option does not work if the machine has an expired AD password. (I have not tried resetpwd on a DC and hopefully will never need to.)

    This is not the functionality I'm looking for. What I would like (wishful thinking, of course) is to put a working script or cmd file in the RunOnce key of the registry before shutting down for any prolonged time. Netdom or NLTest should be able to fit the bill, but they do not act as documented, and this is apparent when searching the internet, since I have not found one post or site that can actually say they have used this command successfully with an expired machine.

    It would be nice if this utility would work as documented.

    Tuesday, October 20, 2009 12:57 PM
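Added example, not from the original thread: the netdom remove/join sequence from the post above, scripted with the `Remove-Computer` and `Add-Computer` cmdlets so the domain-side and local-side identities are passed as separate credential objects instead of being typed into a command line. It assumes a member running Windows 8 / Server 2012 or later (PowerShell 3.0, where `-Server`, `-UnjoinDomainCredential` and `-Restart` exist); the domain `mydomain.local`, the OU path and the DC `dc01.mydomain.local` are placeholders.

```powershell
# Added example (not from the thread). Run elevated, logged on as a LOCAL
# administrator of the member server; the local side of both operations is the
# account running the script, the domain side is $domainCred.
# Placeholders: domain 'mydomain.local', OU 'OU=DevServers,...', DC 'dc01.mydomain.local'.
param(
    [string]$Domain = 'mydomain.local',
    [string]$OUPath = 'OU=DevServers,DC=mydomain,DC=local',
    [string]$Server = 'dc01.mydomain.local'
)

# Prompt rather than hard-code: a password in a .cmd file or in HKLM\...\RunOnce is
# readable by every local administrator and is a common lateral-movement find.
$domainCred = Get-Credential -Message 'Domain account allowed to join/remove computers'

# Step 1: leave the domain (netdom remove). The computer object is disabled in AD
# and the machine is moved to a workgroup; no reboot yet.
Remove-Computer -UnjoinDomainCredential $domainCred -WorkgroupName 'WORKGROUP' -Force -PassThru

# Step 2: rejoin into the intended OU (netdom join /OU). -Server pins the DC that
# receives the new machine account password; -Restart reboots afterwards, which is
# what netdom's /reboot:10 did and is required for the new secret to take effect.
# If Add-Computer reports the computer as still joined, reboot between the two steps.
Add-Computer -DomainName $Domain -Credential $domainCred -OUPath $OUPath -Server $Server -Force -PassThru -Restart

# Step 3 (run on a DC or an RSAT host, not on the rebooting member): push the new
# computer password to every DC so the server can authenticate against any of them.
#   repadmin /syncall $Server /AdeP
```

`Remove-Computer` followed immediately by `Add-Computer` is the same order the poster used with netdom; the join rewrites the machine account password in AD and the local LSA secret together, which is why it succeeds where `netdom reset` run as a local administrator is denied.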
  • Hi Henry,

    I agree with you. I have been working with this tool for quite a while now and I have also experienced the same issues. 'Netdom resetpwd' does not work with member servers every time. It works like a charm with the domain controllers, though. The best way to reset a client or member server's password is to unjoin it and rejoin it to the domain.
    Once done, make sure to force replication, as the information about the new password for that machine should reach all the available DCs.

    Note: Netlogon is responsible for resetting the passwords of domain machines every 30 days. The password is then replicated to all the domain controllers in the environment.

    Tuesday, October 20, 2009 11:28 PM
  • Hi,

    That's what I had thought.
    I suppose I could put the 2 commands (Remove & Join in my earlier post) into a cmd file and place it in the RunOnce key, although I don't like the idea of having to reboot.

    Until MS or someone else comes up with a working "reset" for a disjoined machine's domain PW, I guess this will have to suffice.

    Thanks All.

    Wednesday, October 21, 2009 4:24 PM
  • Hi Henry,

    Check this out  http://support.microsoft.com/default.aspx/kb/216393

    Wednesday, October 21, 2009 8:17 PM
  • Hi Nitin,

    Thanks for the link.
    I had already come across that article during my investigations.
    The script kind of works but I still had a few issues with it.


    Thursday, October 22, 2009 2:28 PM
  • Hi Henry,

    I understand that you want to reduce the time required for the reboot after the machine is joined to the domain.

    Try this Link. It mentions the same issue --   http://www.visualbasicscript.com/m31779.aspx

    Also see this Link with some additions to the Script --  http://www.minasi.com/forum/topic.asp?TOPIC_ID=4593

    Hope this works out for you.

    Thursday, October 22, 2009 8:32 PM
  • Hi Henry,

    I had the same problem while playing with netdom in my lab for the 70-640 certification.

    One thing I noticed with computer management is that it seems the Windows folks are pushing for you to manage your computers via:

    1. GPOs

    2. Remote Shell + remote tools from Windows

    It makes sense, because while working you're not bothering the end user while he's working (that's why I'm pushing really hard for my company to adopt this line of thinking)...

    So, the problem of "access denied" was solved when I tried to run the command through remote shell.

    Now, it was in a lab in which I didn't really have the secure channel reset prior to the test.

    So, I think this could be worth a try.



    Tuesday, May 15, 2012 8:51 AM
  • I was able to regain domain trust by:

    1. Unplug the computer and log into the profile.

    2. Reconnect to the network.

    3. Run the "connect to a domain" wizard. Leave everything the same except change the computer name slightly.

    I did this and the domain trust was regained and the profile was not lost.

    Thursday, November 8, 2012 1:55 PM