Computer account no longer in AD, but computer still thinks it's domain member

Question
-
Hi all.
I have a computer that was joined to the domain, but somehow, the computer account was removed from Active Directory. The machine still thinks it's joined to the domain, and its main user still has cached credentials. What's the easiest way to get this box talking to the domain again? Computer is XP Pro SP3 and domain and forest are in 2003 mode.
Thanks.
Wednesday, October 17, 2012 10:34 PM
All replies
-
Hello,
Disjoin client from domain and rejoin to domain again.
Regards
- Proposed as answer by Santhosh Sivarajan-MVP Thursday, October 18, 2012 1:01 AM
- Marked as answer by Mayday IT Friday, October 26, 2012 1:14 PM
Wednesday, October 17, 2012 11:10 PM -
I knew I could do it that way, but I was hoping there may be another solution out there. It happens more often than I'd like, and it would sure be nice to find a quick solution.
Thanks.
Thursday, October 18, 2012 2:01 AM -
I knew I could do it that way, but I was hoping there may be another solution out there. It happens more often than I'd like, and it would sure be nice to find a quick solution.
Thanks.
Hi,
No, there is no other way. As the computer account was removed from Active Directory, to resolve this you need to disjoin the problem workstation and join it to the domain again.
Read more about computer account creation, password sharing, authentication, etc.:
Typical Symptoms when secure channel is broken
http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
- Proposed as answer by Arthur_Li Microsoft contingent staff Thursday, October 18, 2012 7:41 AM
Thursday, October 18, 2012 2:15 AM -
Hi,
I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Arthur Li
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li
TechNet Community Support
Friday, October 26, 2012 3:05 AM -
Thanks Arthur.
In the end, I bit the bullet and made a nice little batch file that used netdom to rejoin the domain. It's not the prettiest thing in the world, but it's quick and it works :).
- Proposed as answer by Ace Fekay [MCT] Friday, October 26, 2012 4:15 AM
- Marked as answer by Mayday IT Friday, October 26, 2012 1:15 PM
Friday, October 26, 2012 4:01 AM -
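As an added example, not the original poster's batch file, here is the same netdom-based repair written as a PowerShell script. It assumes it is run elevated by a local administrator on the affected workstation, that netdom.exe and nltest.exe are available (built in from Vista/Server 2008 on; on XP/2003 they come from the Support Tools, and PowerShell 2.0 has to be installed separately, or the three netdom lines can be pasted into cmd.exe), and that the joining account is allowed to create computer objects. The domain, account and OU names are placeholders. It checks the secure channel first and tries an in-place reset before falling back to remove-and-join, so a machine whose account still exists is never rejoined unnecessarily.

```powershell
# Added example (not the original poster's batch file): repair a workstation whose
# computer account was deleted from AD while the machine still believes it is joined.
# Assumptions: run elevated as a local administrator on the affected workstation;
# netdom.exe and nltest.exe are on the PATH; $JoinUser may create computer objects.
param(
    [Parameter(Mandatory = $true)] [string] $Domain,    # placeholder: corp.example.com
    [Parameter(Mandatory = $true)] [string] $JoinUser,  # placeholder: CORP\joinsvc
    [string] $TargetOU = '',                            # optional DN of the OU for the new account
    [int]    $RebootDelaySeconds = 30
)

$computer = $env:COMPUTERNAME

# 1. Test the secure channel. If it verifies, the account still exists and the
#    channel is healthy; stop here so a working machine is never rejoined by accident.
nltest /sc_verify:$Domain | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Secure channel to $Domain verifies; no repair needed."
    return
}

# 2. Least intrusive repair first: reset the channel password against the existing
#    account. This only succeeds when the object is still in AD, so the deleted-account
#    case falls through to step 3. The '*' makes netdom prompt for the password.
netdom reset $computer /domain:$Domain /userO:$JoinUser /passwordO:*
if ($LASTEXITCODE -eq 0) {
    Write-Host "Secure channel reset against the existing computer account."
    return
}

# 3. The account is gone: leave the domain (/force, because AD no longer knows this
#    machine) and join again under the same name. The local machine SID and local
#    profiles are untouched; only the domain object and its password are new.
Write-Host "Reset failed (exit $LASTEXITCODE); removing and rejoining $computer."
netdom remove $computer /domain:$Domain /userD:$JoinUser /passwordD:* /force
if ($LASTEXITCODE -ne 0) { throw "netdom remove failed with exit code $LASTEXITCODE" }

$joinArgs = @($computer, "/domain:$Domain", "/userD:$JoinUser", '/passwordD:*', "/reboot:$RebootDelaySeconds")
if ($TargetOU) { $joinArgs += "/OU:$TargetOU" }
netdom join @joinArgs
if ($LASTEXITCODE -ne 0) { throw "netdom join failed with exit code $LASTEXITCODE" }

Write-Host "Rejoined $computer to $Domain; reboot scheduled in $RebootDelaySeconds seconds."
```

Saved as, say, Repair-DomainMembership.ps1 (a hypothetical name), it is run as `.\Repair-DomainMembership.ps1 -Domain corp.example.com -JoinUser CORP\joinsvc` and prompts for the password twice at most. Because the local machine SID and profile directories are not touched, rejoining under the same name keeps the existing user profiles; what does change is the computer object in AD, which gets a new objectSid, so group memberships and any ACL entries that referenced the old object have to be recreated. That is the difference between this route and an authoritative restore of the original object.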
Thanks Arthur.
In the end, I bit the bullet and made a nice little batch file that used netdom to rejoin the domain. It's not the prettiest thing in the world, but it's quick and it works :).
The other way could be to reset the computer account in AD instead of deleting the object during the disjoin, and then join it back with the same name.
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
Friday, October 26, 2012 8:36 AM -
In addition, you also need to check who deleted the computer object. If auditing is enabled, then you can track the same. If it is not enabled, then I would configure the same.
AD DS Auditing Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
Rejoin a domain
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/ca41e39a-49c1-4c7b-a415-6295099f7002/
How do Rejoin a Computer to the Domain without Losing its SID
http://www.thirdtier.net/2012/02/how-do-rejoin-a-computer-to-the-domain-without-losing-its-sid/
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Friday, October 26, 2012 8:52 AM -
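As an added example, not from any of the replies, the following PowerShell script covers the two investigative steps the thread touches on: it looks for the deleted object's tombstone, which is what an authoritative restore would bring back, and it searches every domain controller's Security log for the "computer account deleted" event to establish who removed it and when. Assumptions: the ActiveDirectory module (RSAT) is installed, the caller can read the Deleted Objects container and the DCs' Security logs, and account-management auditing was already enabled when the deletion happened. Event ID 4743 is the Server 2008 and later event, 647 its Server 2003 equivalent; the computer name is a placeholder. Against a pure 2003 domain, the AD cmdlets need the Active Directory Management Gateway Service on at least one DC.

```powershell
# Added example (not from the thread): find out whether, when and by whom a computer
# object was deleted. Assumptions: ActiveDirectory module available; read access to the
# Deleted Objects container and to the DCs' Security logs; auditing was on at the time.
# Event IDs: 4743 "A computer account was deleted" (Server 2008+), 647 (Server 2003).
param(
    [string] $ComputerName = 'WS-PLACEHOLDER',   # placeholder workstation name
    [int]    $LookbackDays = 30
)

Import-Module ActiveDirectory

$sam   = "$ComputerName`$"            # computer accounts are named with a trailing $
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Look for the tombstone. A tombstone keeps sAMAccountName, objectSid and
#    lastKnownParent, which an authoritative restore brings back intact and which a
#    plain rejoin replaces with a brand-new object and SID.
$tombstone = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $sam } `
    -IncludeDeletedObjects -Properties sAMAccountName, objectSid, lastKnownParent, whenChanged

if ($tombstone) {
    Write-Host ("Deleted object found: SID {0}, last parent {1}, last changed {2}" -f
        $tombstone.objectSid, $tombstone.lastKnownParent, $tombstone.whenChanged)
} else {
    Write-Host "No tombstone for $sam; it may have aged out past the tombstone lifetime."
}

# 2. Walk every DC's Security log. Deletions are audited only on the DC that processed
#    the request, so querying a single DC can miss the event entirely.
foreach ($dc in Get-ADDomainController -Filter *) {
    $host_ = $dc.HostName
    if ($dc.OperatingSystem -like '*2003*') {
        # Classic event log API for Server 2003 DCs; 647 is "Computer Account Deleted".
        $events = Get-EventLog -ComputerName $host_ -LogName Security -InstanceId 647 `
                      -After $since -ErrorAction SilentlyContinue
    } else {
        $events = Get-WinEvent -ComputerName $host_ -ErrorAction SilentlyContinue `
                      -FilterHashtable @{ LogName = 'Security'; Id = 4743; StartTime = $since }
    }
    foreach ($e in @($events)) {
        # Both event versions carry the deleted account's name in the message body.
        if ($e.Message -match [regex]::Escape($sam)) {
            $when = if ($e.PSObject.Properties['TimeGenerated']) { $e.TimeGenerated } else { $e.TimeCreated }
            Write-Host "`n[$host_] $when"
            # Keep only the Subject (who) and Target (what) lines of the audit message.
            $e.Message -split "`r?`n" |
                Where-Object { $_ -match 'Account Name|Account Domain|Target|Subject' } |
                ForEach-Object { Write-Host "  $_" }
        }
    }
}
```

The Subject lines of the matching event identify the account that performed the deletion; the whenChanged value on the tombstone gives the deletion time even when the audit trail is gone. If the tombstone is present and the original SID matters (group memberships, ACLs on file shares), an authoritative restore is the option that preserves it; if it has aged out, only a rejoin remains.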
You could authoritatively restore the computer account from the most recent AD backup - but between the two options, I'd expect that rejoining the computer to the domain would be the less intrusive/work-intensive.
hth
Marcin
Friday, October 26, 2012 11:29 AM -
I have a computer that was joined to the domain, but somehow, the computer account was removed from Active Directory. The machine still thinks it's joined to the domain, and its main user still has cached credentials.
It is normal that the user keeps logging in using the cached credentials. This is true since the computer is not communicating with your AD environment. The next time that the user connects his computer to the AD domain, the authentication will get rejected and he will no longer be able to log in again - only local accounts will work at that time.
So, to make things more clear, the removal was done from AD side but the computer is not aware as it is not connected to AD. The next time it communicates with AD, it will notice this change and refuse the logon.
Now, since you removed the account, you can try two things:
- Authoritative restore of the account you removed
- Disjoin and join again the computer to the domain
Of course, the second option is the easier one. However, that requires access to the computer using a local Administrator account. If you have no local access, you may try to use DART to reset the local password and join again the computer to the domain.
This should help for future issues similar like that!
Recommendation: As the maintenance of AD may require removal of obsolete / unused accounts, enterprises may do cleanup tasks by removing old computer accounts. Unfortunately, this will cause impacts on the computers if they come back again. That is why I would recommend disabling computer accounts instead of removing them as part of the cleanup process. Once you are sure that the accounts are no longer used, you can proceed with the removal.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
- Edited by Mr X MVP Friday, October 26, 2012 11:34 AM
Friday, October 26, 2012 11:32 AM -
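The "disable first, delete later" cleanup recommended in the reply above, as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module (RSAT) is installed, that a quarantine OU exists (the DN below is a placeholder), and that it is run with -WhatIf first. Inactivity is judged through lastLogonTimestamp, which replicates with up to 14 days of slack by design, so the threshold is kept generous; a disabled, quarantined account can be re-enabled and have its secure channel reset when the machine reappears, which is exactly the cheap fix that is no longer possible once the object is deleted.

```powershell
# Added example (not from the thread): disable and quarantine stale computer accounts
# instead of deleting them, and only report long-disabled objects as deletion candidates.
# Assumptions: ActiveDirectory module available; the quarantine OU exists; the DN is a
# placeholder. Supports -WhatIf so the first run changes nothing.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]    $InactiveDays    = 90,
    [string] $QuarantineOU    = 'OU=Stale Computers,DC=corp,DC=example,DC=com',  # placeholder
    [int]    $DeleteAfterDays = 180   # grace period a disabled object must sit out before deletion is considered
)

Import-Module ActiveDirectory
$stamp = "Disabled by stale-computer cleanup on $(Get-Date -Format 'yyyy-MM-dd')"

# Phase 1: disable, stamp and quarantine. Nothing is deleted, so a machine that comes
# back can be repaired by re-enabling the object and resetting its secure channel.
$stale = Search-ADAccount -AccountInactive -ComputersOnly `
             -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
         Where-Object { $_.Enabled }

foreach ($c in $stale) {
    if ($PSCmdlet.ShouldProcess($c.Name, "disable and move to $QuarantineOU")) {
        Disable-ADAccount -Identity $c.DistinguishedName
        # The description records why and when, so the object explains itself later.
        Set-ADComputer    -Identity $c.DistinguishedName -Description $stamp
        Move-ADObject     -Identity $c.DistinguishedName -TargetPath $QuarantineOU
    }
}

# Phase 2: list objects that have sat disabled in quarantine beyond the grace period.
# whenChanged is used as an approximation of the disable time (the move and description
# update happen together); deleting them stays a separate, manual decision.
$cutoff = (Get-Date).AddDays(-$DeleteAfterDays)
Get-ADComputer -SearchBase $QuarantineOU -Filter { Enabled -eq $false } `
               -Properties Description, whenChanged |
    Where-Object { $_.whenChanged -lt $cutoff } |
    Select-Object Name, whenChanged, Description
```

Run it once as `.\Cleanup-StaleComputers.ps1 -WhatIf` (a hypothetical file name) to see what would be disabled, then without -WhatIf on a schedule. Keeping the quarantine OU out of the scope of normal computer GPOs and reviewing the phase 2 list before any deletion keeps the process reversible for the whole grace period.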
That would work if the computer account was still in AD, but it wasn't, so there was nothing to reset.
Friday, October 26, 2012 1:16 PM