Troubleshooting Computer Accounts
As an administrator, you may see a variety of problems related to computer accounts. When you are joining a computer to a domain, you may experience problems due to incorrect network settings. The computer joining the domain must be able to communicate with the domain controller in the domain. You can resolve connectivity problems by configuring the computer's local area network connection settings appropriately for the domain to which you are connecting. Be sure to check the IP address, default gateway, and DNS server settings.
Another common problem is related to insufficient permissions The user joining the computer to the domain must have appropriate permissions in the domain. Be sure to use an account with appropriate permissions to join the domain.
After a computer is joined to a domain, you sometimes may see problems with the computer password or trust between the computer and the domain. Diagnosing a password/trust problem is fairly straightforward. If you try to access or browse resources in the domain and are prompted for a user name and password when you normally are not, you may have a password/trust issue with the computer account. For example, if you are trying to connect to a remote computer in Computer Management, and you are repeatedly prompted for a user name and password where you weren't previously, the computer account password should probably be reset.
You can verify a password/trust problem by checking the System event log. Look for an error with event ID 3210 generated by the NETLOGON service. The related error message should read as follows:
This computer could not authenticate with RESOURCENAME, a Windows domain controller
for domain DOMAINNAME, and therefore this computer might deny logon requests. This
inability to authenticate might be caused by another computer on the same network
using the same name or the password for this computer account is not recognized. If
this message appears again, contact your system administrator.
As part of the troubleshooting process, you should always check the status of the account in Active Directory Users And Computers. A disabled account has a white circle with a down arrow. A deleted account will no longer be listed, and you won't be able to search for and find it in the directory. If a user was trying to connect to a resource on a remote computer, the computer to which they are connecting should have a related error or warning event in the event logs.
If the related computer account is disabled or deleted, you will be denied access to remote resources when connecting to those resources from this computer. As an example, if you are trying to access FileServer75 from CustServicePC83 you will be denied access if the computer account is disabled or deleted. The system event log on the remote computer (FileServer75) should log related NETLOGON errors specifically related to the computer account, such as the following with event ID 5722:
The session setup from the computer CORPPC18 failed to authenticate. The name(s) of
the account(s) referenced in the security database is CORPPC18$. The following error
occurred: Access is denied.
With Kerberos authentication, a computer's system time can affect authentication. If a computer's system time deviates outside the permitted norms set in group policy, the computer will fail authentication.
If you are still experiencing problems, check the computer's group membership and the container in which it is located in Active Directory. Computer accounts, like user accounts, can be made members of specific groups and are placed in a specific container in Active Directory. The group membership of a computer determines many permissions with regard to security and resource access. Changing a computer's group membership can significantly affect security and resource access. The container in which a computer is placed determines how Group Policy is applied to the computer. Moving a computer to a different container or OU can significantly affect the way policy settings are applied.
In this tutorial:
- Managing Users, Groups, and Computers
- Managing Domain User Accounts
- Configuring User Account Policies
- Enforcing Password Policy
- Configuring Account Lockout Policy
- Creating Password Settings Objects and Applying Secondary Settings
- Understanding User Account Capabilities, Privileges, and Rights
- Assigning User Rights
- Creating and Configuring Domain User Accounts
- Configuring Account Options
- Configuring Profile Options
- Troubleshooting User Accounts
- Implementing and Creating Preconfigured Profiles
- Configuring Local User Profiles
- Implementing Mandatory User Profiles
- Managing User Data
- Using Offline Files
- Configuring Offline Files on Clients
- Maintaining User Accounts
- Moving User Accounts
- Resetting a User's Domain Password
- Creating a User Account Password Backup
- Managing Groups
- Understanding the Scopes of Groups
- Creating a Group
- Creating group accounts at the command line
- Modifying Groups
- Managing Computer Accounts
- Moving a Computer Account
- Configuring Properties of Computer Accounts
- Troubleshooting Computer Accounts