Overriding win/kerberos computer secure channel


Is there a way to completely ignore/override/overrule establishing a secure channel? I'm trying to revert a VM snapshot to test something, and the domain controller is being obnoxious and not allowing the computer access.

I've tried a dozen ways and am pulling my hair out. Just want to say to the server: Trust this computer. I know what I am doing, I don't care. DO IT. This should be simple.

Everything I try runs into unknown error, security error, access denied, user/password incorrect, and so on. I'm local admin on the workstation, domain admin on the server, it doesn't matter. Permission denied, access denied, error, syntax error. Any solution on the internet is wrong or out of date. Microsoft has managed to create a situation where, apparently, reverting a domain member VM causes it to become inaccessible.

My requirements for a solution are as follows:

  • No reboots. If the machine reboots, what I'm trying to do gets ruined. So, it can't reboot. Period. So joining/rejoining the domain is right out.
  • Re-establish the secure channel.
  • No solutions that require me to go back in time. The machine password has already changed. Policies and registry settings that prevent the password from changing in the future are of no use.

All of these do not work.

  • "How to Reset Active Directory Secure Channel If Broken" no longer works for Server 2019 or 2022.
  • Anything using WinRM. Fails with 0x80090322 on this host.
  • Reset-ComputerMachinePassword: Access denied. As domain admin and as local user.
  • Test-ComputerSecureChannel -Repair -Credential mydomain\Administrator: Access denied.
  • netdom reset /d:mydomain /s:serverhostname /uo:mydomain\Administrator /po:password myvm or netdom reset /d:mydomain /s:serverhostname /uo:mydomain\Administrator /po:password myvm: Target account name incorrect. Documentation on the syntax of netdom is bad, spotty, out of date, and most online examples tend to not work with syntax errors (or not do what I want).
  • nltest /sc_reset:mydomain\serverhostname: error 5, access denied.
For anyone else - Obviously resetting the computer account is the way to go here. Additionally, performing this activity *will* disable the system in Active Directory until the computer account is reset, so this is not something that should be done in normal practice, and should only be done as part of a procedure that resets the computer account first.

This is the only incantation that, at least for me, appears to work:

Reset-ComputerMachinePassword -Server -Credential\Administrator

Under the following details:

  • Assume it's case-sensitive.
  • Specify the domain twice (or Windows will helpfully infer the local machine name as the missing domain).
  • Don't specify the password on the command line.
  • Don't try to use a saved credential.
  • Run PowerShell as an administrator, even if logged in as an administrator.
  • Don't run it from the server, only from the local machine.
  • Disable Windows Firewall.
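
The conditions listed in the answer above can be wrapped around the two cmdlets as a script. This is an added example, not code from the answer. It assumes Windows PowerShell 5.1 on the domain member; `$DomainController` and `$Domain` are placeholder parameters, and the script does not touch the firewall.

```powershell
# Added example: the answer's conditions wrapped around the two real cmdlets.
# $DomainController and $Domain are placeholders; supply your own values.
param(
    [Parameter(Mandatory)] [string] $DomainController,  # placeholder: DC host name
    [Parameter(Mandatory)] [string] $Domain             # placeholder: domain name
)

# The session must be elevated, even when logged on as an administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session on the domain member itself.'
}

# Nothing to do if the secure channel already verifies.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Output 'Secure channel is already valid.'
    return
}

# Prompt interactively: no password on the command line, no saved credential.
$cred = Get-Credential -UserName "$Domain\Administrator" `
    -Message 'Domain account allowed to reset this computer account'

# Require DOMAIN\user; per the answer, a bare user name gets the local
# machine name filled in as the domain.
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Use the DOMAIN\user form, not a bare user name (local machine: $env:COMPUTERNAME)."
}

Reset-ComputerMachinePassword -Server $DomainController -Credential $cred -ErrorAction Stop

# Verify the result instead of trusting the absence of an error.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Output 'Secure channel verified after the machine password reset.'
} else {
    Write-Warning 'Reset returned, but the secure channel still fails verification.'
}
```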