When a domain user can’t log into their workstation and receives this error:
…it’s often called “falling off the domain”, an irritating problem which elicits groans from IT professionals everywhere. The most commonly known solution is to remove the computer from the domain, reboot, join it to the domain again, and reboot once more. This takes a good 20 to 30 minutes of valuable time and productivity, and that’s assuming there aren’t any other issues.
Let’s get one thing straight: the phrase “falling off the domain” is inaccurate. Lesson time: This error doesn’t mean the computer has left the domain at all – rather, the culprit is the machine password shared between the computer and Active Directory (AD). Each computer account in AD has its own private password, unseen by the user, which is used to authenticate the computer itself to a domain controller (DC).
By default (although changeable by policy), the machine password is set to change every 30 days. If something occurs to interfere with the successful synchronization of the password between the computer and domain controller, this may lead to a situation where the computer is trying to authenticate with the DC using what it thinks to be the current password while the DC views it as out-of-date. When this happens, presto – you get the above error.
Alright, enough lesson time. How do we fix it? Do we have to go through the pain of removing and re-adding the computer to the domain every time this happens? Thankfully, no. There are very simple and quick ways to fix this error within a few minutes which – in my experience – very few IT professionals seem to know about. Let’s go over the fixes for the two most common Windows OSes seen in the workplace, Windows 10 and Windows 7, starting with Windows 10:
- You need to be able to log on with a locally-cached Admin account.
- You need to either be on the domain network, or on a VPN connecting to the network.
- Run Powershell as an Administrator.
- Enter this command: $credential = Get-Credential
- At the login prompt, enter domain admin credentials using the DOMAIN\username format.
- Back in Powershell, enter this command: Reset-ComputerMachinePassword -Credential $credential
- Done! If the command is accepted with no error, then the machine password should now be updated between the computer and the DC. Log out and have the user log back in to test.
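The following script is an added example, not code from the original post. It ties the two points above together: it first reads the Netlogon policy that drives the 30-day machine password rotation, then checks whether the secure channel is actually broken before resetting anything, using the same Reset-ComputerMachinePassword cmdlet as the steps above plus Test-ComputerSecureChannel (both ship with Windows PowerShell on Windows 10). The domain controller name is a placeholder you must replace, and the script assumes it is run from an elevated PowerShell session while logged on with a locally cached administrator account.

```powershell
# Added example (not from the original post): inspect the machine-password policy,
# test the secure channel, and only reset the machine password if it is really broken.
# Run from an elevated PowerShell session, logged on with a locally cached admin account.
# Assumptions: the DC name below is a placeholder; Test-ComputerSecureChannel and
# Reset-ComputerMachinePassword are the built-in Windows 10 PowerShell cmdlets.

param(
    [string]$DomainController = 'DC01.example.local'  # placeholder, replace with a real DC
)

# 1. Show the local policy that governs the 30-day rotation described above.
#    MaximumPasswordAge is in days; DisablePasswordChange = 1 stops rotation entirely.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon
$maxAge   = if ($null -ne $params.MaximumPasswordAge) { $params.MaximumPasswordAge } else { 30 }  # 30 is the default
$disabled = [bool]$params.DisablePasswordChange
Write-Host "Machine password max age: $maxAge days; automatic change disabled: $disabled"

# 2. Test the secure channel before touching anything. $true means the locally stored
#    machine password still matches the computer account on the DC.
$healthy = Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue
if ($healthy) {
    Write-Host "Secure channel to $DomainController is healthy; no reset needed."
    return
}

Write-Warning 'Secure channel is broken - resetting the machine password.'

# 3. Prompt for a domain account that is allowed to reset this computer object's
#    password (enter it as DOMAIN\username at the prompt).
$credential = Get-Credential -Message 'Domain account with rights to reset the computer password'

# 4. Reset against one specific DC so replication delay cannot mask the result.
Reset-ComputerMachinePassword -Server $DomainController -Credential $credential

# 5. Re-test and report. A second failure means the password mismatch was not the only
#    problem (wrong DC, stale DNS, disabled computer account) and a rejoin may be needed.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host 'Machine password reset succeeded; log off and have the user sign in again.'
} else {
    Write-Error 'Secure channel still broken after reset; check the computer account in AD.'
}
```

Checking the channel first matters on a help desk: if Test-ComputerSecureChannel already returns $true, the login failure has a different cause and resetting the machine password would only add noise to the DC's security log.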
WINDOWS 7 – the fix is not quite as breezy as with Windows 10, but it can still save time over removing the computer from the domain entirely.
- If not done previously, access a DC and copy the following two files to the target computer – you can use OneDrive, network shares, whatever gets the job done:
- Copy the two above files to the exact same locations on the target computer.
- Open an Elevated Command Prompt.
- Enter this command: netdom.exe resetpwd /server:domaincontroller /userD:ivan /passwordD:*
- Enter admin credentials when prompted.
- Reboot the machine and test login. If successful, the user will be logged in with no problems.
If you’ve ever wondered how you can squeeze a few more minutes out of the day to focus on more pressing tasks and projects, this is one solid way to reduce the effort put into the mundane minutiae of IT support. Give it a try next time!