Resetting Computer Account Passwords
Microsoft® Windows® 2000 Scripting Guide
Each computer account has a password that must match a password stored in Active Directory. If the two passwords do not match, Active Directory cannot authenticate the computer. If this occurs, the computer account password must be reset by a system administrator. Resetting the password returns both the password stored on the computer and the password stored in Active Directory to the default value, and enables the computer to be authenticated.
When a computer account is created, the passwords for both the account and the secure channel (a special communication channel used to communicate with a domain controller) are set to %computername%$. For example, a new computer named Server7 would be given an initial password of Server7$. After the computer has joined the domain, a unique password is generated to replace %computername%$. Thereafter, a new password for both the computer account and the secure channel is automatically generated every 30 days.
Although these passwords generally match, certain situations can cause them to differ. For example, Active Directory replication problems might cause one of the passwords to be changed but not the other one. Or, a computer might be offline for an extended period of time. During that time, the Active Directory password might have been changed; with the computer offline, however, the local password could not have been changed accordingly. In either case, Active Directory would be unable to authenticate the computer and the user unable to log on to the network. Instead, a user attempting to log on would be presented with the following error message:
The session setup from the computer DomainMember failed to authenticate. The name of the account referenced in the security database is DomainMember$. The following error occurred: Access is denied.
If this occurs, a system administrator must reset the password for the computer account, which can be done using the ADSI IADsUser interface.
Listing 9.9 contains a script that resets a computer account password. To carry out this task, the script must perform the following steps:
Use a GetObject call to bind to the computer account in Active Directory.
Use the SetPassword method to reset the password to the original computer password: the computer name, with a dollar sign ($) appended to it.
Listing 9.9 Resetting a Computer Account Password
' Step 1: bind to the computer account in Active Directory. The underscore
' is the VBScript line-continuation character; the call is one statement.
Set objComputer = GetObject _
    ("LDAP://CN=atl-dc-01,CN=Computers,DC=fabrikam,DC=COM")

' Step 2: reset the password to the default value, the computer name
' with a dollar sign appended.
objComputer.SetPassword "atl-dc-01$"
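The same reset as a reusable PowerShell function, written here as an added example (not code from the Scripting Guide): it generalizes Listing 9.9 to any computer name, checks that the bound object really is a computer account before resetting it, and derives the default password from the account's sAMAccountName instead of retyping the name. The function name, the default container DN (taken from the listing), and the use of the [ADSI] type accelerator are assumptions of this example.

```powershell
# Added example, not from the Scripting Guide. Assumes: a hypothetical helper
# named Reset-ComputerAccountPassword, the fabrikam.com Computers container from
# Listing 9.9 as the default DN, and a caller with rights to reset the account.
function Reset-ComputerAccountPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $ContainerDN = 'CN=Computers,DC=fabrikam,DC=COM'
    )

    $path = "LDAP://CN=$ComputerName,$ContainerDN"

    # Step 1: bind to the computer account, failing clearly if it is absent.
    if (-not [ADSI]::Exists($path)) {
        throw "No object found at $path"
    }
    $account = [ADSI] $path

    # Guard: the name$ default only makes sense for computer objects. Binding
    # to a user or service account by mistake would leave it with a predictable
    # password, so refuse anything whose objectClass is not 'computer'.
    if ($account.objectClass -notcontains 'computer') {
        $classes = $account.objectClass -join ','
        throw "$path is not a computer account (objectClass: $classes)"
    }

    # Step 2: derive the default password the guide describes (%computername%$).
    # A computer object's sAMAccountName is the name with '$' appended, so it
    # is the authoritative spelling; fall back to the caller's name if needed.
    $defaultPassword = [string] $account.sAMAccountName
    if (-not $defaultPassword.EndsWith('$')) {
        $defaultPassword = "$ComputerName`$"
    }

    # IADsUser.SetPassword via the ADSI object; psbase.Invoke reaches the
    # native method rather than a PowerShell-adapted property.
    $account.psbase.Invoke('SetPassword', $defaultPassword)
    Write-Verbose "Reset computer account password for $path"
}

# Same operation as Listing 9.9:
Reset-ComputerAccountPassword -ComputerName 'atl-dc-01' -Verbose
```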