This one’s a peach – how many times have you encountered it?? I know my personal tally is well into double figures… There is a quick and easy fix for it though (and no I don’t mean removing and re-joining the computer from the domain and all the hassle that creates!).

First you’ll need to log in as a local administrator, then if you have Powershell (and by god you should do!) just run this command sequence:

$credential = Get-Credential – (enter domain admin account when prompted)
Reset-ComputerMachinePassword -Credential $credential -Server dc-hostname.domain

#EDIT: On Powershell versions below 3.0 the -credential paramater is not supported (as explained in this KB). If you enter it you’ll get the following error:

Reset-ComputerMachinePassword : A parameter cannot be found that matches parameter name ‘credential’.
At line:1 char:42
+ reset-computermachinepassword -credential <<<<
+ CategoryInfo : InvalidArgument: (:) [Reset-ComputerMachinePassword], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.ResetComputerMachinePasswordCommand

If you see this error just use:

Reset-ComputerMachinePassword -Server dc-hostname.domain

And you’ll be prompted for credentials!

/EDIT

Alternatively, you can download the Microsoft Remote Server Administration Tools, then use the following from an elevated cmd prompt:

netdom.exe resetpwd /s:dc-hostname.domain /ud:domainadminusername /pd:* (enter the domain admin password when prompted)

Simple as that! Source: implbits.com

/EDITAGAIN

Another command that also works (better than the above apparently):

Test-ComputerSecureChannel -Repair -Credential (get-credential)


Categories: Uncategorized


14 Responses so far.


  1. JeffM says:

    Last fix worked wonderfully for me. Thank you John and Google.

  2. JeffM says:

    James rather. 🙂

  3. Patrick says:

    Powershell fix worked perfectly. Thanks for the article!

  4. Matt says:

    I had PS version 2.0 installed (you can check your version by using $psversiontable) and omitting the -Credential switch did not prompt me for credentials. Instead it just said “Access Denied”.

    I had to upgrade PS to version 3.0 and then the command with the -Credential switch worked great as explained.

    You can download PS 3.0 here: http://www.microsoft.com/en-us/download/details.aspx?id=34595

    Thanks for the info!!

  5. extremesanity says:

    Attempting to use this command threw error “the server is not operational”.

    I ran this command and now I can log into the server correctly:

    Test-ComputerSecureChannel -Repair -Credential -Verbose

    • sean says:

      this one worked for me without a server restart. thanks!

    • Tom says:

      What happens when this repair fails?

      • Tom says:

        So actually, what we did when the repair failed was to disjoin it from the domain, put it in a workgroup, reboot, and rejoin it, and reboot again. Then it accepted a domain login after that with no issues.

    • Tom says:

      This didn’t work on a member server I ran into, nor anything else here. I had to disjoin and rejoin it to the domain. Then the computer account would disable. Enable it in AD, then you get the error in the title of this page. Key was to remove it from the domain, reboot, reset the computer account on ALL Domain Controllers, then rejoin it and reboot. No problem since, after it was dropping off repeatedly when we didn’t reset the computer account, previously.

Leave a Reply