Author Posts

December 3, 2013 at 10:07 am

Thought this would be real simple, but I'm having trouble locating a command/script for duplicating the functionality of Right-click Reset account for a computer object in Active Directory.

We rotate through computer names and preserve the AD accounts of decommissioned servers, normally resetting the account when we are going to image a new system that will inherit the name so it can join the domain as that object.

Is there a way to do that in powershell? Would I have to manually set a password for the computer object and use that to join?

December 3, 2013 at 10:35 am

PowerShell v3 has:
Reset-ComputerMachinePassword

which might work for you in this case.

Alternatively look at
Test-ComputerSecureChannel

December 3, 2013 at 11:14 am

It appears that both of those commands have to be run on the server whose account you wish to reset.

In my case that server does not exist any longer.

December 3, 2013 at 11:35 am

Yeah, that's in part due to the way AD works. The Reset- cmdlet tells the computer, which knows its current password, to reset its password. So, no, won't work if you no longer have the computer.

Microsoft would tell you that you're meant to delete the computer account and then add a new account for the new computer, even if it's the same name. You're not really supposed to "recycle" accounts the way you're doing, which is why I suspect you're not seeing a cmdlet to do it. I've actually not run across an organization that does what you're describing – it's actually something I'd worry about, for stability reasons, since you're obviously getting a re-used SID in there.

Thinking it through, there are potential security issues with what you're doing. Not necessarily in your specific environment, but just in general. If I were Microsoft, I'd worry that putting a computer account into that "reset" state would allow an attacker to spoof the computer name and join the domain. You can't really guarantee that it's the real-for-real "SERVER5" that's re-connecting to the domain, since by definition you've got no mutual authentication happening until afterwards. Again, in your environment I'm sure you guys control for that, but from a product perspective it's something they'd likely worry about – which again makes it less likely they'll try to enable the scenario by providing a cmdlet.

Anyway... I'm not personally aware of a cmdlet that exactly replicates the functionality you're using in the GUI at present. Not saying one doesn't exist – but I've not run across one.

December 3, 2013 at 11:36 am

Fair enough, destroying and recreating the computer accounts is simple enough.

Thanks Don & Richard!

December 3, 2013 at 12:07 pm

When you use the "Reset" option on a computer account in AD Users and Computers, what you're really doing is just setting its password back to the default value (which happens to be the same as the SamAccountName: 'ComputerName$'). Here's an old KB article on the subject (which has sample VBScript, but that's simple enough to convert to PowerShell): http://support.microsoft.com/kb/216393