Computer account is automatically disabled

March 10, 2013

When you disjoin a computer from the domain, its computer account is automatically set to “Disabled”; you have to delete the account from the domain before you can rejoin the same computer to the domain. The account is only disabled if the disjoin was performed with an account that has sufficient permission to remove the computer from the domain (the credentials of a user that has “Read and write Account Restrictions” on the computer object). If you use a local admin account or the credentials of a non-privileged user, the computer will be disjoined from the domain but its account will not be disabled.

You can use the repadmin /showmeta command to check the computer account's replication metadata: from the userAccountControl attribute you can tell which DC disabled the account and at what time it was disabled. Then check the corresponding DC and search its Security log for event ID 629 or 646. You will notice that the user that disabled the account was the same one used to disjoin the computer from the domain. If you rejoin the same computer to the domain, the account should be re-enabled, provided the user has the following rights on the computer object:

Validated write to DNS host name
Reset Password
Validated write to service principal name
Read and write Account Restrictions
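The check described above, as an added example that is not part of the original post: it parses the per-attribute rows of `repadmin /showobjmeta` output (the originating DSA, originating time and version columns) to find which DC last wrote userAccountControl and when, and decodes the userAccountControl bits so a disabled workstation account (ACCOUNTDISABLE plus WORKSTATION_TRUST_ACCOUNT) is recognisable. The row layout and the sample metadata are constructed for this example; the flag values are the documented AD constants.

```python
import re
from datetime import datetime

# Subset of userAccountControl bit flags (documented AD constant values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
}

def decode_uac(value):
    """Return the sorted names of the known flags set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)

# One data row of "repadmin /showobjmeta <DC> <object DN>" output (assumed layout):
# Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
META_ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>\S+)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

def attribute_origin(showobjmeta_text, attribute="userAccountControl"):
    """Find which DC last wrote `attribute` and when, from repadmin metadata text.
    Returns (originating DSA, datetime, version) or None if the attribute is absent."""
    for line in showobjmeta_text.splitlines():
        m = META_ROW.match(line)
        if m and m.group("attr").lower() == attribute.lower():
            when = datetime.strptime(m.group("when"), "%Y-%m-%d %H:%M:%S")
            return (m.group("dsa"), when, int(m.group("ver")))
    return None

# Constructed sample output (not a real capture) for one workstation account.
SAMPLE_META = """\
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
   8812           Default-First-Site-Name\\DC01       8812 2013-03-01 08:15:02      1 objectClass
  28795           Default-First-Site-Name\\DC02      28795 2013-03-10 09:12:33      4 userAccountControl
  28796           Default-First-Site-Name\\DC02      28796 2013-03-10 09:12:33      7 servicePrincipalName
"""

if __name__ == "__main__":
    dsa, when, ver = attribute_origin(SAMPLE_META)
    print(f"userAccountControl last written on {dsa} at {when} (version {ver})")
    print("flags for 4098:", decode_uac(4098))
    # Next step is manual: on that DC, filter the Security log for event ID 629/646 around `when`.
```

The DSA and timestamp returned tell you which DC's Security log to search and the time window to filter on.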

Category: AD
