Due to some mistakes, I have a lot of machines that seem to be bound to Active Directory (AD) from their side, but not from the side of the AD. The machines think they are still in the AD, but the AD disagrees.

This results in the well known "The trust relationship between this workstation and the primary domain failed" error when trying to log on.

I would like to either remotely/programmatically reset the ComputerMachinePassword or remotely/programmatically take them out of the AD and then join them to the AD again. But I can't even have them leave the AD by any command. I did try a lot of approaches, ranging from PowerShell to WMIC to netdom, almost always getting a "permission denied" error. I have tried with both the domain admin and the local admin (and combinations), remotely and on the machine itself.

I can, however, remove the machine via the GUI. I'd prefer not to do this with around 100 computers though ;)

The problem seems to be that the machine itself wants to see AD admin permissions for it to be removed, which I can't get (as the AD will not grant them anymore).

Is there any way to remove the machines from AD (or make them not AD-bound anymore) by command line, when they are in this state?

Kai Hatje
  • One way to do this programmatically would be to temporarily change the machine's DNS settings so it can't find a DC, flush the DNS cache, remove it from the domain, then reconfigure the DNS settings. You'll want to thoroughly test such code lest you lock yourself out of the machine due to non-working DNS. Alternatively, you could create a temporary firewall rule to block outbound DNS lookups to your DCs. That might be less risky. – I say Reinstate Monica Apr 30 '17 at 17:39
  • That sounds promising. Might try that when I get back to work. Thank you :) – Kai Hatje May 01 '17 at 13:17
  • Kai, to bulk remove Computer objects from Active Directory, you could dump the computer names in a text file and then remove them with a PowerShell line: "Get-Content -Path C:\ComputersToRemove.txt | Remove-ADComputer -WhatIf". Being a prudent sysadmin, I use -WhatIf before performing any serious action :p haha – Art.Vandelay05 May 02 '17 at 15:56
  • The problem pretty much "fixed itself". It initially came from trying to have macOS machines with the same name in the AD as well. Those macOS machines were removed. With some time, the Windows machines "regained" the trust and it is now possible to log in again. I think I will leave this as a comment, not an answer, as it doesn't really answer the original question. Am I right in that? Thanks to everyone who answered or commented :) – Kai Hatje May 03 '17 at 19:23
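The bulk-removal one-liner from the comments, expanded into an added example (this is not code from the thread or from any of its participants). It reads the computer names from a text file, shows which names have no AD object at all (the state the question describes, where AD has already forgotten the machine), previews every deletion with -WhatIf, and only deletes when run with -Commit. It assumes the RSAT ActiveDirectory module is installed and that C:\ComputersToRemove.txt is a placeholder path.

```powershell
# Added example: bulk-remove stale computer objects listed one per line in a text file.
# Assumes the RSAT ActiveDirectory module; the list path is a placeholder.
param(
    [string]$ListPath = 'C:\ComputersToRemove.txt',
    [switch]$Commit   # omit to only preview with -WhatIf
)
Import-Module ActiveDirectory

# Skip blank lines so a trailing newline does not turn into an empty lookup
$names = Get-Content -Path $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

foreach ($name in $names) {
    # Look the object up first: a name with no object means AD already dropped the machine
    $computer = Get-ADComputer -Filter "Name -eq '$name'" -Properties LastLogonDate -ErrorAction SilentlyContinue
    if (-not $computer) {
        Write-Warning "No computer object named '$name' in AD; nothing to remove on the AD side"
        continue
    }

    Write-Host ("{0}  DN={1}  LastLogon={2}" -f $computer.Name, $computer.DistinguishedName, $computer.LastLogonDate)

    if ($Commit) {
        # -Confirm:$false suppresses the per-object prompt; only reached when -Commit was passed
        Remove-ADComputer -Identity $computer -Confirm:$false
    } else {
        Remove-ADComputer -Identity $computer -WhatIf
    }
}
```

Run it once without -Commit and read the output: the WhatIf lines are the objects that would go, and the warnings are the names that are already gone from AD (those machines need a rejoin or a secure-channel repair from the client side, not a deletion). Remove-ADComputer refuses objects that have child objects beneath them (for example printer or BitLocker recovery entries); those need Remove-ADObject -Recursive, which the example deliberately does not do automatically.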

1 Answer

Have you tried the Reset-ComputerMachinePassword PowerShell cmdlet? I think you would need to run this command as a local administrator account, and use the -Credential option to give it a domain account with the proper rights to the computer account objects.

Cory Knutson
  • Yes, I have, but as it doesn't support supplying a password directly and I don't have System.Management.Automation installed to create a PSCredential object, I couldn't use that approach via the command line. – Kai Hatje May 02 '17 at 08:05
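An added example of the answer's suggestion, run on the affected workstation while logged on as a local administrator (this is not code from the answerer or the thread). It checks the secure channel with a chosen domain controller, resets the machine account password with a domain credential, and checks again. The domain account and DC name are placeholders; building the PSCredential in code, as shown in the commented lines, needs PowerShell 3.0 or later, which is also when -Server and -Credential were added to Reset-ComputerMachinePassword.

```powershell
# Added example: repair the workstation's secure channel from the client side.
# Run locally as a local administrator; names below are placeholders.
$domainUser = 'EXAMPLE\joinadmin'      # placeholder: account with reset-password rights on the computer object
$dc         = 'dc01.example.local'     # placeholder: a reachable domain controller

# Interactive credential prompt (works on any PowerShell 3.0+ host)
$cred = Get-Credential -UserName $domainUser -Message 'Domain account with rights on the computer object'

# Non-interactive alternative for scripted use: read the password as a SecureString
# and build the PSCredential object yourself.
# $secure = Read-Host -Prompt 'Password' -AsSecureString
# $cred   = New-Object System.Management.Automation.PSCredential($domainUser, $secure)

# Before: expected to report False while the trust relationship is broken
Write-Host ('Secure channel OK before reset: {0}' -f (Test-ComputerSecureChannel -Server $dc))

# Reset the machine account password on both the workstation and the AD computer object.
# This only works if the computer object still exists in AD.
Reset-ComputerMachinePassword -Server $dc -Credential $cred

# After: should now report True; a domain logon on this machine should work again
Write-Host ('Secure channel OK after reset:  {0}' -f (Test-ComputerSecureChannel -Server $dc))
```

The reset only helps when the computer object still exists in AD: it writes a new password into the workstation's LSA secret and into that object. For machines whose object is already gone (the question's state), there is nothing on the AD side to reset, and the machine has to be rejoined, or its object recreated, before this cmdlet can succeed.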