question

LukeHarrington-0028 asked FanFan-MSFT commented

Disabled AD Account took a machine off the domain

I recently ran a PowerShell script to disable 70 user accounts. Script went well, accounts were disabled, happy days.

Turns out that as a result of me running this, when users are logging in they are getting a "Trust Relation Domain Error" (machine has fallen off the domain). Mobile device has been wiped.

Has anyone seen this before?

azure-active-directory windows-active-directory

If there are any updates, you are welcome to share them here!
Please feel free to let us know if you have any further questions.

Best Regards,

0 Votes 0 ·

Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

0 Votes 0 ·
FanFan-MSFT answered

Hi,

To understand the question more clearly, please confirm the following information:
1. Where did you run the script? On the DCs or the workstations?
2. Was the issue happening on all workstations or a specific one?
3. Which user did you use to log on to the machine? Did you try other users?
Thanks for your time!

Best Regards,


LukeHarrington-0028 answered FanFan-MSFT commented

Hello,

Thanks for coming back to me,

I ran the script on my workstation.
The issue was happening on the users' machines, so these would be workstations also.
The issue was intermittent. A mix of users' machines falling off the domain, and others were just disabled fine.
I was logged on as a standard user account. Ran PowerShell with elevated permissions (admin account), in which I ran the script.

Kind Regards,


Hi,

Based on my understanding, you ran a script on one workstation to disable user accounts (not computer accounts).
After this, some computers lost the trust relationship with the domain, right?

Did you check that all the DCs are working well?

Dcdiag /v >c:\dcdiag1.log
Repadmin /showrepl >C:\repl.txt
Repadmin /showreps * 

Best Regards,

0 Votes 0 ·
LukeHarrington-0028 answered FanFan-MSFT commented

That is correct, the machines dropped off the domain and users received the "trust relationship between the host and machine cannot be verified" (something like this...)

All DCs at the time were in order, and no one else has reported an issue; the only people affected are the ones who were disabled.


Only the disabled users who log on to the computers will have the issue, and users who are not disabled can log on to the computers successfully, right?
You may try to log on to the machine, and run the PowerShell command:
Test-ComputerSecureChannel


Best Regards,

0 Votes 0 ·
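
An added example, not part of the thread or any participant's script: a PowerShell triage sketch that pairs the `Test-ComputerSecureChannel` check suggested above with a directory query listing both user and computer accounts that are currently disabled and were modified in a given window. It assumes the ActiveDirectory (RSAT) module is installed for the second function; the function names and the `$Since` default are constructed for illustration.

```powershell
# Added example (not from the thread). Function names are hypothetical.

function Test-WorkstationTrust {
    # Run elevated on an affected workstation.
    # Returns $true when the machine account's secure channel to the
    # domain still validates, $false when the trust is broken.
    [bool](Test-ComputerSecureChannel)
}

function Get-RecentlyDisabledAccount {
    # Run from an admin workstation with the ActiveDirectory module.
    # $Since is a constructed placeholder: set it to shortly before the
    # bulk-disable script was run.
    param([datetime]$Since = (Get-Date).AddDays(-7))

    Import-Module ActiveDirectory -ErrorAction Stop
    $props = 'whenChanged', 'PasswordLastSet'

    # Query users and computers separately so the object type is explicit.
    $users     = Get-ADUser     -Filter 'Enabled -eq $false' -Properties $props
    $computers = Get-ADComputer -Filter 'Enabled -eq $false' -Properties $props

    # whenChanged records the last modification of any attribute, so treat
    # it as a time window to compare against the script run, not as proof
    # of when the account was disabled.
    @($users) + @($computers) |
        Where-Object { $_.whenChanged -ge $Since } |
        Sort-Object ObjectClass, whenChanged |
        Select-Object ObjectClass, SamAccountName, Enabled, whenChanged, PasswordLastSet
}

# Usage:
#   Test-WorkstationTrust
#   Get-RecentlyDisabledAccount -Since '2000-01-01' | Format-Table -AutoSize
#   ('2000-01-01' is a constructed value; replace it with the real date.)
```

Rows with `ObjectClass` of `computer` in the same window as the disabled users are the ones to compare against the list of affected workstations.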