Reset AD Computer Account?

This topic contains 5 replies, has 4 voices, and was last updated by Dave Wyatt 3 years, 9 months ago.

  • #11775

    Kitt Holland
    Participant

    Thought this would be real simple, but I'm having trouble locating a command/script for duplicating the functionality of Right-click Reset account for a computer object in Active Directory.

    We rotate through computer names and preserve the AD accounts of decommissioned servers, normally resetting the account when we are going to image a new system that will inherit the name so it can join the domain as that object.

    Is there a way to do that in PowerShell? Would I have to manually set a password for the computer object and use that to join?

  • #11782

    Richard Siddaway
    Moderator

    PowerShell v3 has:
    Reset-ComputerMachinePassword

    which might work for you in this case.

    Alternatively look at
    Test-ComputerSecureChannel

  • #11783

    Kitt Holland
    Participant

    It appears that both of those commands have to be run on the server whose account you wish to reset.

    In my case that server does not exist any longer.

  • #11784

    Don Jones
    Keymaster

    Yeah, that's in part due to the way AD works. The Reset- cmdlet tells the computer, which knows its current password, to reset its password. So, no, won't work if you no longer have the computer.

    Microsoft would tell you that you're meant to delete the computer account and then add a new account for the new computer, even if it's the same name. You're not really supposed to "recycle" accounts the way you're doing, which is why I suspect you're not seeing a cmdlet to do it. I've actually not run across an organization that does what you're describing – it's actually something I'd worry about, for stability reasons, since you're obviously getting a re-used SID in there.

    Thinking it through, there are potential security issues with what you're doing. Not necessarily in your specific environment, but just in general. If I were Microsoft, I'd worry that putting a computer account into that "reset" state would allow an attacker to spoof the computer name and join the domain. You can't really guarantee that it's the real-for-real "SERVER5" that's re-connecting to the domain, since by definition you've got no mutual authentication happening until afterwards. Again, in your environment I'm sure you guys control for that, but from a product perspective it's something they'd likely worry about – which again makes it less likely they'll try to enable the scenario by providing a cmdlet.

    Anyway... I'm not personally aware of a cmdlet that exactly replicates the functionality you're using in the GUI at present. Not saying one doesn't exist – but I've not run across one.

  • #11785

    Kitt Holland
    Participant

    Fair enough, destroying and recreating the computer accounts is simple enough.

    Thanks Don & Richard!

  • #11787

    Dave Wyatt
    Moderator

    When you use the "Reset" option on a computer account in AD Users and Computers, what you're really doing is just setting its password back to the default value (which happens to be the same as the SamAccountName: 'ComputerName$'). Here's an old KB article on the subject (which has sample VBScript, but that's simple enough to convert to PowerShell): http://support.microsoft.com/kb/216393
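    The reset Dave describes, done with the RSAT ActiveDirectory module instead of the KB's VBScript. This is an added example, not code from the thread or from KB 216393; the function name, the staleness guard and the sample name 'SERVER5' are my own, and it assumes an account that may reset computer passwords in the target OU.

```powershell
# Added example (not from the thread or KB 216393). Requires the RSAT
# ActiveDirectory module: Get-ADComputer and Set-ADAccountPassword.
function Reset-ADComputerToDefaultPassword {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName,      # e.g. 'SERVER5', with or without the trailing $

        [int]$StaleAfterDays = 30,  # refuse if the account authenticated more recently than this

        [string]$Server             # optional DC or domain to target
    )

    $sam = $ComputerName.TrimEnd('$') + '$'
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    $computer = Get-ADComputer -Identity $sam -Properties LastLogonDate, PasswordLastSet @common

    # Guard against resetting a live machine. As Don notes above, a computer
    # account in the "reset" state can be claimed by whatever joins under that
    # name, so only reset accounts that have clearly stopped authenticating.
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    if ($computer.LastLogonDate -and $computer.LastLogonDate -gt $cutoff) {
        throw "$sam last authenticated $($computer.LastLogonDate); refusing to reset an account that looks live."
    }

    # The thread states the ADUC "Reset Account" action sets the password back
    # to the default, which it gives as the SamAccountName ('ComputerName$').
    $default = ConvertTo-SecureString -String $computer.SamAccountName -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Reset machine password to default')) {
        Set-ADAccountPassword -Identity $computer -Reset -NewPassword $default @common

        # Echo PasswordLastSet so the change shows up in the console and in AD audit logs.
        Get-ADComputer -Identity $computer -Properties PasswordLastSet @common |
            Select-Object Name, SamAccountName, Enabled, PasswordLastSet
    }
}

# Usage with a constructed name: preview first, then run with confirmation.
# Reset-ADComputerToDefaultPassword -ComputerName 'SERVER5' -WhatIf
# Reset-ADComputerToDefaultPassword -ComputerName 'SERVER5' -Confirm
```

Because the account sits in that default state until the new build joins, run the reset immediately before imaging rather than ahead of time, and treat Kitt's delete-and-recreate approach as the safer default where a reused SID is not required.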
