Resetting the secure channel for a computer in a domain

Every now and then a computer will lose its security association with the domain controller.

This happens a lot when you use virtual machines and snapshots.

You can fix this in a number of ways.

The manual way is to reset the computer account in Active Directory Users and Computers.

Another manual way is to join a workgroup and then rejoin the domain.

A better way is to use DSMOD

dsmod computer "cn=W8WS1,ou=test,dc=testdomain,dc=com" -reset

then restart the computer.

Another good way is to use nltest

nltest /server:W8WS01 /sc_reset:testdomain\dc01

This has the advantage of not needing to restart the computer.

And finally with PowerShell you can use:

Test-ComputerSecureChannel -Repair

This also does not require a restart.

Creating a bunch of test users using PowerShell

There are a number of ways to create test users using automation.

In this example I am using a for loop in PowerShell.


Import-Module ActiveDirectory

$nuser = "exampleUser"

# Create exampleUser1 through exampleUser10 in the test OU
for ($i = 1; $i -le 10; $i++) {
    $pfuser = "$nuser" + "$i"
    New-ADUser -Name:"$pfuser" `
        -Path:"OU=test,DC=myexample,DC=com" `
        -SamAccountName:"$pfuser" -Type:"user"
}


You can also use Excel and autocomplete to achieve the same thing.




Enabling Active Directory Recycle bin

From PowerShell the command is:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=nuggetlab,DC=com' -Scope ForestOrConfigurationSet -Target '<forest root domain name>'

This task can be done much more easily using the Active Directory Administrative Center.


Open Active Directory Administrative Center, right-click the domain and select Enable Recycle Bin.

Click OK to confirm that you want to perform this action, as it cannot be undone.


Offline Domain join

First you need to provision a blob file to connect a particular machine.
You need to use a separate blob file for each machine that you want to join offline.

djoin /provision /domain <DomainName> /machine Win8example01 /savefile c:\folder\blob.txt

Then you need to sneakernet the blob file to the target computer

and on the client computer run

djoin /requestODJ /loadfile c:\folder\blob.txt /windowspath %SystemRoot% /localOS

Reboot the computer and it will join the domain.

Changing firewall profiles with PowerShell

You can change which profiles are active with:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

This turns all of the profiles on and

Set-NetFirewallProfile -Profile Domain -enabled false

Turns the Domain Profile off

Set-NetFirewallProfile -Profile Domain,Public,Private -enabled false

is a good way to disable the firewall. You might want to do this to test whether the firewall is the cause of your problems.

It is always a good practice to keep the firewall as closed as possible.
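
One way to run the temporary firewall test described above without leaving the firewall off afterwards, as an added example that is not part of the original post: it records each profile's state, turns the chosen profiles off only while the test runs, and restores them in a finally block. The function name Invoke-WithFirewallProfilesOff, the host name appserver01 and port 8443 are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# Invoke-WithFirewallProfilesOff is a hypothetical helper name.
function Invoke-WithFirewallProfilesOff {
    [CmdletBinding()]
    param(
        [ValidateSet('Domain', 'Private', 'Public')]
        [string[]]$ProfileName = @('Domain', 'Private', 'Public'),

        [Parameter(Mandatory)]
        [scriptblock]$Test
    )

    # Record the current Enabled value of each profile before changing anything.
    $saved = @{}
    foreach ($p in Get-NetFirewallProfile -Name $ProfileName) {
        $saved[$p.Name] = $p.Enabled
    }

    try {
        Set-NetFirewallProfile -Profile $ProfileName -Enabled False
        & $Test   # run the check while the selected profiles are off
    }
    finally {
        # Runs on success, on error and on Ctrl+C: put every profile back
        # to the state it had before the test, not blindly to True.
        foreach ($name in $saved.Keys) {
            Set-NetFirewallProfile -Profile $name -Enabled $saved[$name]
        }
        # Show the restored state when called with -Verbose.
        Get-NetFirewallProfile -Name $ProfileName |
            Select-Object Name, Enabled |
            Out-String |
            Write-Verbose
    }
}

# Constructed usage: 'appserver01' and port 8443 are placeholders.
Invoke-WithFirewallProfilesOff -ProfileName Domain -Verbose -Test {
    Test-NetConnection -ComputerName 'appserver01' -Port 8443
}
```

If the problem goes away only while the profile is off, the next step is to find and add the specific rule that is missing rather than leaving the profile disabled.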


Adding a user to a local group

The GUI way


Right click on My Computer

Click Manage

or type compmgmt.msc in the Start menu.



From Computer Management select Local Users and Groups

Select Users

Find the user you want to add to a group and select Properties

Select the Member Of tab, click Add and select the group you want to add them to.


A quicker and batch scriptable way of doing this is

net localgroup GROUPNAME /add paul

The following batch script creates a user called itadmin, adds it to the Administrators group and removes it from the Users local group, all in a fraction of the time it would take using the GUI.

net user itadmin P@ssw0rd /add /fullname:itadmin /expires:NEVER /passwordchg:no /usercomment:"Administrator account"

net localgroup administrators itadmin /add

net localgroup users itadmin /delete


Joining a computer to a domain

The GUI way

Right click on My Computer or This PC and click Properties


Select the Computer Name tab and click Change


Click on the Domain radio button, enter the domain name and press OK

Enter your domain administrative credentials and press OK to reboot.


Using PowerShell

Add-Computer -DomainName Domain01 -Restart

Using Netdom

netdom join %computername% /domain:<DomainName> /userd:Administrator /passwordd:<password> /reboot:0


Renaming a computer

The GUI way

Right click on My Computer or This PC and click Properties

Select the Computer Name tab and select Change


Then rename the computer, press OK, press OK again and reboot the computer

A faster way if you have PowerShell 3 is

Rename-Computer -NewName Name -restart

or you can use this netdom command if the computer is domain connected and you don’t want to use PowerShell

netdom renamecomputer %computername% /newname:Newcomputer1 /userd:administrator /passwordd:<password> /reboot:0