It can be confusing when you go to log into a computer on your domain and you're suddenly confronted with the message: "The trust relationship between this workstation and the primary domain failed."
Why would you get this message? Typically it happens when the Active Directory computer account for the computer you're trying to log into has been deleted (generally by accident), or when the password stored in that account no longer matches the one the computer holds. Every domain-joined computer has a machine account password that it shares with Active Directory and uses to set up the secure channel it authenticates over; the computer rotates that password on its own (every 30 days by default). When the account is gone, the password goes with it, and it can't be recovered unless you're running a later version of Active Directory with the Recycle Bin (undelete) feature turned on.
Unjoin and Rejoin the Domain?
Administrators can get a bit worried when this happens because the usual solution is to unjoin the computer from the domain and then rejoin it. That can leave users having to create new profiles, along with other problems that are at a minimum annoying. Thankfully, I can tell you NO, you don't need to unjoin and rejoin the domain!
PowerShell is your Friend
Yes, as odd as it may seem, Microsoft has seen the light of the command-line world and given us PowerShell. If you're running PowerShell v3 or later, you can fix your missing Active Directory computer account very simply. Just do the following:
- Make sure that you have PowerShell v3 installed. Reset-ComputerMachinePassword itself exists in v2, but the -Credential parameter used below was added in v3. If you're running Windows 7, like this computer was, you'll need 2 steps to upgrade to PowerShell 3. Follow these steps for Installing Windows PowerShell on Windows 7 and Windows Server 2008 R2 and follow the steps in the section with the same name. If you have problems with this, feel free to leave a comment and I'll do my best to help.
- Create the computer account in Active Directory, with the same name as the computer. If the Active Directory computer account exists already, you can skip this step.
- After you have PowerShell 3 installed, log on to the untrusted computer with a local administrator account (domain logons will keep failing until the trust is repaired), open an elevated PowerShell prompt and run the following two commands. <DomainControllerName> is the name of one of your domain controllers, not the computer with the problem:
$PSCredential = Get-Credential
Reset-ComputerMachinePassword -Server <DomainControllerName> -Credential $PSCredential
The first command prompts for a domain account that is allowed to reset the computer's password (a domain administrator will do); the second resets the machine account password on both the computer and the domain controller. Once you enter your credentials and the command has completed, your computer should once again be connected to Active Directory and able to authenticate. Log off and back on with a domain account to confirm. That's it! As usual, leave a comment if it helped you.
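The procedure above wrapped into one function, as an added example that is not part of the original post: it first checks whether the secure channel is really broken, resets the machine account password only if it is, and then verifies the result, because Reset-ComputerMachinePassword itself prints nothing on success. It assumes you are logged on to the affected computer with a local administrator account in an elevated PowerShell 3.0 or later session; the domain controller name dc01.corp.example and the account CORP\admin are placeholders.

```powershell
# Added example, not code from the original post. Assumes: a LOCAL administrator
# logon on the affected computer (domain logons fail until the trust is fixed),
# an elevated PowerShell 3.0+ session, and that 'dc01.corp.example' and
# 'CORP\admin' are replaced with a real domain controller and domain account.

#Requires -Version 3.0

function Repair-MachineTrust {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Server,            # a writable domain controller, NOT the broken computer

        [Parameter(Mandatory = $true)]
        [pscredential]$Credential   # domain account allowed to reset this computer's password
    )

    # 1. Is the secure channel actually broken? Test-ComputerSecureChannel returns
    #    $true when the computer can authenticate to the DC with its current password.
    if (Test-ComputerSecureChannel -Server $Server) {
        Write-Host "Secure channel to $Server is healthy; nothing to reset."
        return $true
    }

    # 2. Reset the machine account password on both sides at once: the local
    #    secret on this computer and the computer object on the DC. No unjoin or
    #    rejoin, so user profiles and the computer's SID are untouched.
    try {
        Reset-ComputerMachinePassword -Server $Server -Credential $Credential -ErrorAction Stop
    }
    catch {
        # Typical failures: "Access is denied" (0x80070005) when $Credential may not
        # reset the computer object's password, or the computer object is missing
        # from AD altogether (create it first, with this computer's name).
        Write-Warning "Reset failed: $($_.Exception.Message)"
        return $false
    }

    # 3. Verify the repair before telling the user to log on again.
    $ok = Test-ComputerSecureChannel -Server $Server
    if ($ok) {
        Write-Host "Secure channel re-established; log off and back on with a domain account."
    }
    else {
        Write-Warning "Reset reported success but the secure channel still fails; check that $Server is a DC for this computer's domain."
    }
    return $ok
}

# Usage: prompts once for the domain credential, then repairs and verifies.
Repair-MachineTrust -Server 'dc01.corp.example' -Credential (Get-Credential 'CORP\admin')
```

Run it from the local administrator session; the credential it asks for is the domain account used to talk to the DC, not the local one you logged on with.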
Thanks Joseph. Going to give this a try. Must admit I always go down the join and unjoin route. What's interesting is that a school we support has this problem repeatedly, far too often for it to be accidental deletion in AD. Worth a look at Event Viewer on the domain controller, I think. Wondering if a service is not quite doing what it should.
I would agree with you 100%. That’s definitely not normal and something is broken to be causing that problem frequently. At a minimum, this solution could give you some alternatives to the old method. If you find the problem for this repeating regularly, I’d love to hear what it is in case I come across the same thing.
I get this error. Please help
Reset-ComputerMachinePassword : A parameter cannot be found that matches parameter name ‘Credential’.
At line:2 char:64
+ Reset-ComputerMachinePassword -Server co.pia.ca.gov -Credential <<<< $PSCredential
+ CategoryInfo : InvalidArgument: (:) [Reset-ComputerMachinePassword], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.ResetComputerMachinePasswordCommand
You probably have PowerShell 1 or 2. Look into upgrading to v4, as the credential flag wasn't introduced until PS 3.0 or later.
Thanks, saves some time rebooting and stuff, with going through the join workgroup, rejoin and stuff.
Just to make it a one-liner:
Reset-ComputerMachinePassword -Server <DomainControllerName> -Credential (Get-Credential)
Can someone explain the fields to me? Where do you punch in your credentials?
Jeff,
I’m not sure why my site is moving every piece of the command onto a new line (working on that now) but if you enter those two lines into the powershell CLI, it will prompt you for credentials.
Ah! Thank you for the quick response!
You bet! I know how nice it is to get a prompt response. Glad it helped.
It was worth a try, but it looks like I’ll have to run this by the IT guys anyway:
Reset-ComputerMachinePassword : Cannot reset the secure channel password for the computer account in the domain.
Operation failed with the following exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
At line:1 char:1
+ Reset-ComputerMachinePassword -Server MYDOMAINCTRL -Credential (Get-Credential)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (MYMACHINENAME:String) [Reset-ComputerMachinePassword], InvalidOperationException
+ FullyQualifiedErrorId : FailToResetPasswordOnDomain,Microsoft.PowerShell.Commands.ResetComputerMachinePasswordCommand
awesome!
this works perfectly – thanks.
Can you give an example of exactly how to use this command
What do I put as the server, the domain controller or the computer that is having the trust relationship issue? For instance, do I put -computer or just type in the computer name?
For the -Credential part, am I typing in my credentials?
Sorry, I need an example of how to fill in this command with my info.
Great post!
You can prevent the error: “The trust relationship between this…” with a domain GPO.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Source:
http://www.sysadmit.com/2015/08/mware-y-ad-la-relacion-de-confianza-entre-esta-estacion-de-trabajo-y-el-dominio-principal-fallo.html
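The two policy settings above are written to the local Netlogon registry parameters, which is where the computer actually reads them from. The following is an added example, not code from the comment or the linked article, that reports what a given domain member is configured to do; it assumes an elevated PowerShell 3.0 or later session on the machine being checked. Disabling the password change does stop the trust error after a snapshot or clone restore, but it also turns the machine account password into a permanently static credential; keeping rotation and only restoring snapshots newer than the maximum age is the less drastic option.

```powershell
# Added example, not from the comment above or the linked article. Reads the
# local Netlogon values that the two 'Domain member:' security options set.
# Assumes an elevated PowerShell 3.0+ session on the domain member.

function Get-MachinePasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p   = Get-ItemProperty -Path $key

    # Defaults used when the values are absent: changes enabled, 30-day maximum age.
    if ($null -ne $p.DisablePasswordChange) { $disabled = [bool]$p.DisablePasswordChange } else { $disabled = $false }
    if ($null -ne $p.MaximumPasswordAge)    { $maxAge   = [int]$p.MaximumPasswordAge }    else { $maxAge   = 30 }

    # Does the current machine password still work against the domain?
    try   { $healthy = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $healthy = $false }

    if ($disabled) {
        $note = 'Machine password never rotates: static credential, but restored snapshots stay trusted.'
    }
    else {
        $note = "Password rotates every $maxAge day(s); a restored snapshot older than that will fail the trust check."
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DisablePasswordChange  = $disabled   # 'Domain member: Disable machine account password changes'
        MaximumPasswordAgeDays = $maxAge     # 'Domain member: Maximum machine account password age'
        SecureChannelHealthy   = $healthy
        Note                   = $note
    }
}

Get-MachinePasswordPolicy | Format-List
```

For a machine that keeps losing trust, comparing MaximumPasswordAgeDays with the age of the VM snapshot or image it was restored from usually explains the pattern.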
Excellent!
It worked like a charm and a lot easier than any other article I came across about resetting the machine's password or unjoining/joining the machine to the domain.
Much appreciated!
Logon to machine with admin rights and run the following from PowerShell;
Test-ComputerSecureChannel -Repair
Interesting. That’s super helpful as well. Thanks for sharing.
Dear Mr. Joseph,
Thank you so much for this useful article. By following the above steps I could solve the issue on our server. Once again, thank you.
Glad to have helped. 🙂
I had a good secure channel (Test-ComputerSecureChannel -Verbose said so when I logged in with local admin) but still had the error when using my domain account. I could not do Reset-ComputerMachinePassword when I continued my troubleshooting as the local admin, since it said “The server is not operational”. Its computer account had mysteriously disabled itself. Re-enabling it gives you “The trust relationship failed” error if you log in with a domain account. I just disjoined the computer, reset the computer account, re-joined it to the domain. Gotta be a better way, though, and something to permanently fix this. “Domain member: Disable machine account password changes” was disabled and “Domain member: Maximum machine account password age” was at 30 days. The server was created from a VM snapshot over 30 days old, but it had been disjoined/re-joined before, and computer account reset, previously – doesn’t that reset the computer account password?
Not working, showing error: Reset-ComputerMachinePassword : A parameter cannot be found that matches parameter name 'Credential'.
At line:2 char:64
Even after updating the PowerShell version.
Any suggestions?