This trick comes to be via my Active Directory study group. I suggest that everyone join a usergroup and/or a study group. It’s not that we don’t know AD, it’s that we forget or miss new features. A refresher course is fun too.

Occasionally a computer will come “disjoined” from the domain. The symptoms can be that the computer can’t login when connected to the network, message that the computer account has expired, the domain certificate is invalid, etc. These all stem from the same problem and that is that the secure channel between the computer and domain is hosed. (that’s a technical term. )

The classic way to fix this problem is to unjoin and rejoin the domain. Doing so is kind of a pain because it requires a couple of reboots and the user profile isn’t always reconnected. Ewe. Further if you had that computer in any groups or assigned specific permissions to it those are gone because now your computer has a new SID, so the AD doesn’t see it as the same machine anymore. You’ll have to recreate all of that stuff from the excellent documentation that you’ve been keeping. Uh, huh, your excellent documentation. Double Ewe.

Instead of doing that we can just reset the secure channel. There are a couple of ways do this:

1. In AD right click the computer and select Reset Account. Then re-join without un-joining the computer to the domain. Reboot required.
2. In an elevated command prompt type: dsmod computer “Computer DN” – reset. Then re-join without un-joining the computer to the domain. Reboot required.
3. In an elevated command prompt type: netdom reset MachineName /domain DomainName /User0 UserName /Password0 {Password | *} The account whose credentials you provided must be a member of the local administrators group. No rejoin. No reboot.
4. In an elevate command prompt type: nltest /Server:ServerName /SC_Reset:Domain\DomainController  No rejoin. No reboot.

My usergroup has an Active Directory study group going of which I am a member. Each week we review a chapter in the wonderful “Configuring Windows Server 2008 Active Directory 2nd Edition” self-paced training kit. The authors have done a fantastic job. All the members of the group are experienced long time IT professionals. We have 3 consultants, 2 internal IT and 1 looking for an internal IT position as members. We all have many years experience but decided that a refresher course was a good idea. Sure we all know how to use the basics in AD but we have probably missed some Best Practices, Tips and Tricks along the way. We’ve probably also forgotten some things that we knew but didn’t use often enough. This is the reason for the study group and all of the above has been absolutely true. It’s been fun as well, since we all have years of experience we bring those examples to the table and it makes for great geek conversation.

Here are a couple of the items that have made my Best Practices list so far:

Protecting from Accidental Deletion Now here is an under the radar item that is going to prove very useful. You can now protect OU’s, Containers, Groups and Objects from accidental deletion. It is as simple as a checkbox and for most new items in AD the box is checked by default. But for existing items it is not. You’ll need to go in and retro fit those with protection.

If you have a big complex AD then you can use PowerShell to fit the whole thing with this protection. But what is that Check box actually doing? It is changing the ACE permissions on the object. When that box is checked an ACE is added to Deny Everyone group Delete and Delete Subtree.

This isn’t the kind of thing that you’ll find yourself needing often (I hope) but now that you’ve read this, if you don’t go and set that check box you’ll kick yourself later.

Redirecting the Default Computer and User Containers New computers and users being left in the Computers and Users containers for long periods of time has long been one of my pet peeves. It distresses me that no one notice that this person or computer has not been subject to Group Policy, as the rest of the domain is. So when I found this little gem, it made my day.

The commands are: RedirCmp and RedirUsr to redirect anything that lands in the Computers container and the Users container respectively.

The command is entered in an elevated command prompt like this: redircmp “DN of OU for new computer objects”  So simple!  But you do need to be careful. Take a look at the Computers containers after you do this, there is no reference that it’s been redirected. Therefore, TODO make a note in the description of the container to remind you and future IT admins that this container is redirected and to where.

I have a few more items that have made my BP list but I’ll save those for another post. Keep reading!