I read this a while back and it is quite helpful to know beforehand. We had an instance of this at work a while ago where an OU of computers was accidentally deleted. You can recover the computer accounts easily enough, but when they don’t recover with their machine password it still doesn’t help. This walk-through shows you how to set it up so the machine password is saved when the account is tombstoned, and then restoring is a breeze. If there is a next time, we’ll be ready!
http://edmckinzie.spaces.live.com/blog/cns!687C72A5909E4230!232.entry
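The post above describes preparing AD so that a computer account's password survives deletion and then reanimating the tombstone. The page does not name the setting the walk-through uses; the script below is an added example by the editor (not code from the linked blog or from any Microsoft tool) and assumes the mechanism is the preserve-on-delete bit (0x8) in the searchFlags of the unicodePwd attributeSchema object, which is the general AD mechanism for keeping an attribute on a tombstone. It shows three things: auditing whether that bit is set, setting it (a forest-wide schema change, so it runs against the schema master as a Schema Admin), and finding and restoring a deleted computer object without the AD Recycle Bin. The function names and the sample computer name are the editor's own.

```powershell
# Added example (editor's, not from the linked walk-through or any vendor).
# Requires the ActiveDirectory module (RSAT) and a connection to a writable DC.
Import-Module ActiveDirectory

# searchFlags bit that tells AD to keep the attribute on the tombstone.
$PreserveOnDelete = 0x8

function Get-PreserveOnDeleteState {
    # Report whether a schema attribute is kept on tombstones (read-only check).
    param([string]$AttributeLdapName = 'unicodePwd')
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))" `
        -Properties searchFlags
    if (-not $attr) { throw "Attribute $AttributeLdapName not found in the schema." }
    [pscustomobject]@{
        Attribute         = $AttributeLdapName
        SearchFlags       = [int]$attr.searchFlags
        PreservedOnDelete = (([int]$attr.searchFlags -band $PreserveOnDelete) -ne 0)
        DistinguishedName = $attr.DistinguishedName
    }
}

function Enable-PreserveOnDelete {
    # Set the preserve-on-delete bit, keeping any other searchFlags bits intact.
    # Schema writes are only accepted by the schema master, so target it explicitly.
    param([string]$AttributeLdapName = 'unicodePwd')
    $state = Get-PreserveOnDeleteState -AttributeLdapName $AttributeLdapName
    if ($state.PreservedOnDelete) { return $state }   # already done, nothing to change
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $state.DistinguishedName -Server $schemaMaster `
        -Replace @{ searchFlags = ($state.SearchFlags -bor $PreserveOnDelete) }
    # Re-read so the caller sees the replicated result rather than the intended one.
    Get-PreserveOnDeleteState -AttributeLdapName $AttributeLdapName
}

function Restore-DeletedComputer {
    # Locate the tombstone of a computer account and reanimate it.
    # Without the Recycle Bin only attributes flagged preserve-on-delete come back,
    # which is why the bit above must have been set BEFORE the deletion.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$TargetOU   # optional; defaults to the object's last known parent
    )
    $tombstone = Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=computer)(sAMAccountName=$ComputerName`$))" `
        -Properties lastKnownParent
    if (-not $tombstone) { throw "No deleted computer object named $ComputerName found." }
    if ($TargetOU) {
        Restore-ADObject -Identity $tombstone.ObjectGUID -TargetPath $TargetOU -PassThru
    } else {
        Restore-ADObject -Identity $tombstone.ObjectGUID -PassThru
    }
}

# Usage (constructed names): check the flag, set it once, restore after an accident.
Get-PreserveOnDeleteState -AttributeLdapName 'unicodePwd'
# Enable-PreserveOnDelete -AttributeLdapName 'unicodePwd'
# Restore-DeletedComputer -ComputerName 'WS-EXAMPLE01' -TargetOU 'OU=Workstations,DC=example,DC=local'
```

Two practical notes. The schema change has to replicate to the DC that later processes the deletion, so set it well ahead of time and verify with the read-only function on more than one DC. If a computer was deleted before the bit was set, reanimation brings back the object but not its password, and the secure channel then has to be repaired from the affected machine (for example `Test-ComputerSecureChannel -Repair -Credential (Get-Credential)`, or the netdom reset that the later comments describe) rather than from the DC side.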
Was I the menace that produced this topic?
Nope! 🙂
Don’t worry, this one had nothing to do with you.
Breezing through because I’m checking on something not related to this article, it strikes me–from many years ago–that you could always reset the machine account password using “netdom”. For example, http://support.microsoft.com/kb/260575 (How To Use Netdom.exe to Reset Machine Account Passwords…). From the article: “The following procedure describes how to use the netdom command to reset a machine account password. This procedure is most commonly used on domain controllers, but also applies to any Windows machine account.”
I realize the KB article is for 2000 Server, but I suspect the functionality still exists in 2003 Server (which I’m running at the moment, and by default presents netdom.exe for use) and 2008 Server & 2008 Server R2, both of which I also just verified to still offer the command. So, while your mileage may vary, FYI.
Hi Kirk,
I’m not sure about the “netdom” command but in ADUC there is an option to reset the computer password. I did try that in the instance that I had and it did not work. I assume this was because the computer did not sync the new password with the DC for whatever reason. I have tested the method in this article and it does work after changing the setting mentioned.
Aha; I believe ‘netdom’ is intended to be run at the affected computer (along with domain admin credentials presented to the DC -from- the client), which then resynchronizes with the DC, but it’s been a while since I’ve had to use that particular feature.
In an amusing coincidence, immediately after posting I got a phone call to join a detached computer to an OU on a 2008 domain. In this case, I had no trouble joining to the domain (and in the correct OU, since the computer account was there first), but… variables: we explicitly joined to the “near” DC (i.e., not over VPNs) so we avoided replication timing issues, and I didn’t perfectly match your description above since mine was disjoined first. Since detail & circumstances tend to be everything in IT, that probably counts as cheating in my case 🙂
So, it strikes me that the number of variables we could discuss might cloud the original solution provided by your article (which I wouldn’t want to do, haha) so I think I will let it be “this is good to know” :). Thanks for the writeup; I’ve been in tech for a long time, and I appreciated this.
Yes, there are many variables. I am also still on a Server 2003 AD while you are most recently using Server 2008. I’ve heard of an “AD Recycle Bin” of sorts so I would not be surprised if they improved recovery of objects like this. Glad to hear it worked and your comment could very well be useful to someone else who comes across this page so I appreciate you taking the time to write it!
“For example, http://support.microsoft.com/kb/260575 (How To Use Netdom.exe to Reset Machine Account Passwords…). From the article: ‘The following procedure describes how to use the netdom command to reset a machine account password. This procedure is most commonly used on domain controllers, but also applies to any Windows machine account.’”
Can you tell me more about it?
Yes, Kirk mentioned that as well. If that works for you then by all means it seems easier. And something that can be done without preparation. In my case that did not work.
ADRestore.exe is excellent, and easy to use. It should restore the deleted computer account without the need of a system state backup.
Yes, ADRestore is the program I used to restore the account. However, if you haven’t followed the steps above previously it will not work for computer accounts.