How to establish trust between a computer and a primary domain

    Hello, dear readers of Habrahabr! Across the Internet each of us can find many scattered articles about a computer failing to authenticate through a domain controller, or more precisely, a domain-joined computer losing its connection with the domain.

    So, let's start looking at this problem.

    Many IT engineers in large and small companies manage computers running Windows 7, 8.1, etc., and all of these computers are joined to a domain served by a domain controller (DC).

    This problem occurs because the Kerberos network protocol cannot synchronize with and authenticate the computer that is joined to the domain, and you then see the error shown below: The trust relationship between this workstation and the primary domain failed.


    Usually we then look for a third-party tool, download it, build a bootable USB flash drive, create a local admin with it, log in through that account, leave the domain by moving the computer to a workgroup, and then rejoin the computer to the domain.

    Using Windows batch scripting, I want to create a bat file that automates creating a local admin and adding it to the Administrators group. Once the file is created, all that remains is to run it.

    Open a text editor and enter the commands shown below.

    rem Create the local account "admin" with the password Ww123456 and enable it
    net user admin Ww123456 /add /active:yes
    rem Mark the account's password as never expiring
    WMIC USERACCOUNT WHERE "Name='admin'" SET PasswordExpires=FALSE
    rem Make it a full local administrator and remove it from the default Users group
    net localgroup Administrators admin /add
    net localgroup Users admin /delete
    rem Turn off Windows Firewall for all profiles (turn it back on later with "state on")
    netsh advfirewall set allprofiles state off

    Let's go through each command point by point to clear up anything unclear.

    • net user admin Ww123456 /add /active:yes: instead of admin you can use any name that suits you (the default account is called administrator; in my case it is admin).
    Next comes the password I set, Ww123456 (you can use any password that is easy for you to remember).

    After that come /add /active:yes, which create the account and activate it.

    • WMIC USERACCOUNT WHERE "Name='admin'" SET PasswordExpires=FALSE: this command gives the admin being added a permanent password that never expires (see picture below).


    • The third and fourth commands go together: by default, when a local account is created, its Member Of entry is Users (see photo). We do not want that (Users), because we are creating a full administrator for our OS. Therefore the fourth command, net localgroup Users admin /delete, removes the account from Users, and the preceding command, net localgroup Administrators admin /add, adds it to Administrators (see photo).


    • The last command, netsh advfirewall set allprofiles state off, disables the Windows firewall.
    Sometimes you need the firewall off to install a program or run a particular command in Windows. After running the script, you can turn it back on with netsh advfirewall set allprofiles state on. My default is off, since I use a third-party firewall; this is up to each person's own discretion.

    Next, in Notepad click File, then Save as..., enter the name of the script (in my case localadmin), then a dot (.) followed by the bat extension, giving localadmin.bat. Choose where to save the file and click Save. Details are shown in the picture.


    The result is a script like this (see photo).


    The script must be run as administrator:

    • Right-click it and choose Run as administrator (see photo).


    After running the script, you should see this window (see photo).


    If an error occurs for some reason, in 90% of such cases it is because the image you installed Windows from is unlicensed (a repack, etc.). Download and use licensed, proven software.

    Once the local admin has been added successfully, you can run this script on all the workstations in your office where Windows is installed.

    If you ever get the error The trust relationship between this workstation and the primary domain failed, all you need to do is choose Switch user and enter .\admin as the login (remember: the dot goes before the backslash!), then below it the password you put in your script (in my case Ww123456). After that you are in a working OS.

    It remains to remove our computer from the domain and put it into a workgroup. As the workgroup name we can enter anything, even a single letter (see photo).


    Next, the domain administrator password is entered and the computer asks us to reboot.
    After the reboot we log in as our local admin again and join the computer to our domain. The system asks for one more reboot, and voila! Our user can connect to the domain again without any problems!
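    As an added example (not from the original post), here is the same trust repair done in place with PowerShell: it resets the computer account password instead of taking the workgroup round-trip with two reboots described above, and it does not require the firewall to be disabled. It assumes an elevated PowerShell session on the affected machine, logged in as the local admin created by the script, and a domain account that is allowed to reset this computer account; the cmdlets used are standard Windows ones.

```powershell
# Added example, not part of the original post.
# Run elevated on the affected workstation while logged in locally (e.g. as .\admin).

# Cached domain credentials are not usable once the trust is broken, so prompt
# for a domain account that may reset the computer account (assumption: such
# an account exists, e.g. a domain admin or a delegated helpdesk account).
$domainCred = Get-Credential -Message "Domain account allowed to reset this computer account"

# Step 1: check whether the machine account's secure channel to a DC still works.
$healthy = Test-ComputerSecureChannel -Verbose
if ($healthy) {
    Write-Host "Secure channel is healthy; no repair needed."
    return
}

# Step 2: repair in place. -Repair resets the computer account password both on
# the DC and locally; the machine keeps its SID, group policy and user profiles,
# so there is no need to leave the domain or rejoin it.
$repaired = Test-ComputerSecureChannel -Repair -Credential $domainCred -Verbose

# Step 3: if the quick repair fails, fall back to an explicit machine password reset.
if (-not $repaired) {
    Reset-ComputerMachinePassword -Credential $domainCred
}

# Step 4: confirm the result so it can be recorded in the ticket or log.
$final = Test-ComputerSecureChannel
Write-Host ("Secure channel after repair: {0}" -f $final)
```

    Running this from an elevated session avoids having to disable the firewall or reboot, and the computer account stays in its original OU with its existing group policy links.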

    PS: This also works on Windows Server; however, if you write such a script for servers, after disabling the firewall you will need to turn it back on (before: netsh advfirewall set allprofiles state off, after: netsh advfirewall set allprofiles state on).

    Thank you for your attention!
