Resetting Computer Accounts in Windows 2000

ID: Q216393

The information in this article applies to:

Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server

SUMMARY

For each Windows 2000 workstation or server that is a member of a domain, there is a discrete communication channel, known as the secure channel, with a domain controller.

The secure channel's password is stored along with the computer account on all domain controllers. For Windows 2000, the default computer account password change period is every 30 days. If, for some reason, the computer account's password and the LSA secret are not synchronized, the Netlogon service logs one or both of the following errors messages:

The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied.

NETLOGON Event ID 3210:
Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.

The Netlogon service on the domain controller logs the following error message when the password is not synchronized:

NETLOGON Event 5722:
The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %n%3

This article describes four ways of resetting computer accounts in Windows 2000. These methods are:

Using the Netdom.exe command-line tool, which is provided in the Windows 2000 Resource Kit
Using the Nltest.exe command-line tool, which is also provided in the Windows 2000 Resource Kit
Using the Active Directory Users and Computers Microsoft Management Console (MMC)
Using a Microsoft Visual Basic script

These tools allow for remote and non-remote administration.

MORE INFORMATION

Netdom.exe

For each member, there is a discrete communication channel (the secure channel) with a domain controller. The secure channel is used by the Netlogon service on the member and on the domain controller to communicate. Netdom makes it possible to reset the secure channel of the member.

Suppose you have a domain member named DOMAINMEMBER. You can reset the member secure channel by using the following command:

netdom member \\domainmember /joindomain

You can run this command on the member DOMAINMEMBER or on any other member or domain controller of the domain, provided that you are logged on with an account that has administrator access to DOMAINMEMBER.

The domain controller's secure channel can be reset by using the following command:

netdom bdc mybdc /reset

Nltest.exe

Nltest.exe can be used to test the trust relationship between a computer running Windows 2000 that is a member of a domain and a domain controller on which its machine account resides.

C:\Ntreskit\Nltest.exe

Usage: nltest [/OPTIONS]

/SC_QUERY:DomainName - Query secure channel for domain on ServerName

/SERVER:ServerName

/SC_QUERY:DomainName - Verifies the secure channel in the specified domain for a local or remote workstation, server, or domain controller.

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\server.windows2000.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Active Directory Users and Computers (DSA)

With Windows 2000, you can also reset the machine account from within the graphical user interface (GUI). In the Active Directory Users and Computers MMC (DSA), you can right-click the computer object in the Computers or appropriate container and then click Reset Account. This resets the machine account. Resetting the password for domain controllers using this method is not allowed.

Microsoft Visual Basic Script

You can use a script to reset the machine account. You need to connect to the computer account using the IADsUser interface. You can then use the SetPassword method to set the password to an initial value. The initial password of a computer is always "computername$".

The following sample scripts may not work in all environments and should be tested before implementation. The first example is for Windows NT 4.0 computer accounts and the second is for Windows 2000 computer accounts.

Sample 1


Dim objComputer

Set objComputer = GetObject("WinNT://WINDOWS2000/computername$")
objComputer.SetPassword "computername$"

Wscript.Quit

Sample 2


Dim objComputer

Set objComputer = GetObject("LDAP://CN=computername,DC=WINDOWS2000,DC=COM")
objComputer.SetPassword "computername$"

Wscript.Quit

Additional query words: LSA

Keywords : kbenv kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto