Computer account is automatically disabled

By | March 10, 2013

When disjoin a computer from the domain the computer account is automatically “Disabled”, we have to delete from the domain before rejoin the same computer back the domain, computer account will only be disabled if you use an account with sufficient permission to remove this computer from the domain (credentials of a user that has “Read and write Account Restrictions’ on the computer object) if you use a local admin account or the credentials of a non privilege, computer will be disjoin from the domain but will not be disabled

You can use repadmin/showmeta command to check the computer account meta, from the useraccountcontrol attribute you can tell which DC disabled the account and at what time the account was disabled.  Then you can check corresponding DC and search the security logs for event ID 629 or 646, You will notice the user that disabled the account was the same one used disjoin a computer from the domain If you rejoin the same computer back the domain, then the account should be re-enabled, if the user has the     following rights to the computer object:

Validated write to DNS host name
Reset Password
Validated write to service principal name
Read and write Account Restrictions

Category: AD

One thought on “Computer account is automatically disabled

  1. lonely

    Ӏt’s truly a great and helpful ρiece of info. I am happy that you just shared this useful informatіon with us.
    Please keep us informed like this. Thɑnk
    you for sharing.


Leave a Reply

Your email address will not be published. Required fields are marked *