Windows 7 / Security and Privacy

Troubleshooting Computer Accounts

As an administrator, you may see a variety of problems related to computer accounts. When you are joining a computer to a domain, you may experience problems due to incorrect network settings. The computer joining the domain must be able to communicate with the domain controller in the domain. You can resolve connectivity problems by configuring the computer's local area network connection settings appropriately for the domain to which you are connecting. Be sure to check the IP address, default gateway, and DNS server settings.

Another common problem is related to insufficient permissions The user joining the computer to the domain must have appropriate permissions in the domain. Be sure to use an account with appropriate permissions to join the domain.

After a computer is joined to a domain, you sometimes may see problems with the computer password or trust between the computer and the domain. Diagnosing a password/trust problem is fairly straightforward. If you try to access or browse resources in the domain and are prompted for a user name and password when you normally are not, you may have a password/trust issue with the computer account. For example, if you are trying to connect to a remote computer in Computer Management, and you are repeatedly prompted for a user name and password where you weren't previously, the computer account password should probably be reset.

You can verify a password/trust problem by checking the System event log. Look for an error with event ID 3210 generated by the NETLOGON service. The related error message should read as follows:

This computer could not authenticate with RESOURCENAME, a Windows domain controller for domain DOMAINNAME, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

As part of the troubleshooting process, you should always check the status of the account in Active Directory Users And Computers. A disabled account has a white circle with a down arrow. A deleted account will no longer be listed, and you won't be able to search for and find it in the directory. If a user was trying to connect to a resource on a remote computer, the computer to which they are connecting should have a related error or warning event in the event logs.

If the related computer account is disabled or deleted, you will be denied access to remote resources when connecting to those resources from this computer. As an example, if you are trying to access FileServer75 from CustServicePC83 you will be denied access if the computer account is disabled or deleted. The system event log on the remote computer (FileServer75) should log related NETLOGON errors specifically related to the computer account, such as the following with event ID 5722:

The session setup from the computer CORPPC18 failed to authenticate. The name(s) of the account(s) referenced in the security database is CORPPC18$. The following error occurred: Access is denied.

With Kerberos authentication, a computer's system time can affect authentication. If a computer's system time deviates outside the permitted norms set in group policy, the computer will fail authentication.

If you are still experiencing problems, check the computer's group membership and the container in which it is located in Active Directory. Computer accounts, like user accounts, can be made members of specific groups and are placed in a specific container in Active Directory. The group membership of a computer determines many permissions with regard to security and resource access. Changing a computer's group membership can significantly affect security and resource access. The container in which a computer is placed determines how Group Policy is applied to the computer. Moving a computer to a different container or OU can significantly affect the way policy settings are applied.

[Previous] [Contents]

In this tutorial:

  1. Managing Users, Groups, and Computers
  2. Managing Domain User Accounts
  3. Configuring User Account Policies
  4. Enforcing Password Policy
  5. Configuring Account Lockout Policy
  6. Creating Password Settings Objects and Applying Secondary Settings
  7. Understanding User Account Capabilities, Privileges, and Rights
  8. Assigning User Rights
  9. Creating and Configuring Domain User Accounts
  10. Configuring Account Options
  11. Configuring Profile Options
  12. Troubleshooting User Accounts
  13. Implementing and Creating Preconfigured Profiles
  14. Configuring Local User Profiles
  15. Implementing Mandatory User Profiles
  16. Managing User Data
  17. Using Offline Files
  18. Configuring Offline Files on Clients
  19. Maintaining User Accounts
  20. Moving User Accounts
  21. Resetting a User's Domain Password
  22. Creating a User Account Password Backup
  23. Managing Groups
  24. Understanding the Scopes of Groups
  25. Creating a Group
  26. Creating group accounts at the command line
  27. Modifying Groups
  28. Managing Computer Accounts
  29. Moving a Computer Account
  30. Configuring Properties of Computer Accounts
  31. Troubleshooting Computer Accounts