MSEndpointMgr

Repair a broken trust relationship between a workstation and the domain

I was attending the SCUG Sweden meeting at Microsoft offices in Stockholm on the 8-9 of October. During the second day, one of the session was a copy of the Community Session from MMS 2018. This session is the attendee’s way to show each other’s tools they use in their daily work.

One of my demos was a script that repairs a trust relationship between a workstation and the primary domain.

This is based on the command Test-ComputerSecureChannel.

First up I created a Configuration Item that check if the relation is broken. The Discovery script is simple

On the compliance rule check for value True.

So now we can check if the computer has a broken trust to the domain. You can either have a remediation script or a ConfigMgr script to fix the issue.

The script looks like this:

if (!(Test-ComputerSecureChannel)) {
$Secret = 'UABAAHMAcwB3AG8AcgBkAA=='
$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Secret))
$Username = 'RADECK-DEMO\COMPUTER_PWDRESET'
$password = convertto-securestring -String $DecodedText -AsPlainText -Force
$ADRepairCred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
Test-ComputerSecureChannel -Repair -Credential $ADRepairCred
}

I know it’s not a secure way to store the password in the script, but it feels better than writing it in plain text.

To create the $Secret use this code:

$Text = 'P@ssword'
$Secret = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Text))
$Secret

It’s very important to only give account the rights it needs. To delegate the rights in Active Directory run this command after changing the OU and User:

dsacls.exe "OU=Radeck Computers,OU=Radeck,DC=demo,DC=radeck,DC=se" /G RADECK-DEMO\COMPUTER_PWDRESET":CA;Reset Password;Computer" /I:S

You should end up with something like this:

To up the security some more you can create a GPO that doesn’t allow that user to logon locally

I made a movie where I repair the trust with ConfigMgr Script:

You can find the script on my github:
Radeck-Public/ConfigMgr-Stuff at master · JRadeck/Radeck-Public · GitHub

And here you can download the CI:
https://1drv.ms/u/s!AhuAzOv7Sur5g_ASI0m_uf5-W8wt2w

So if you want to test this, just reset the computer account in the Active Directory

I want to end this blog by thanking the team behind msendpointmgr.com for the possibility to blog on this fine blog.

(13956)

Johnny Radeck

I’m a Technical Architect with Knowledge Factory. My primary focus is ConfigMgr and has been that way since it was named SMS, but I also spend a lot of time working with other related client management tools such as Active Directory, Group Policy, and more.

2 comments

  • Very nice and informative article. This excellent website truly has all of the info I wanted concerning this subject and didn’t know who to ask.

    • Does the script always end for you? I find sometimes it just keeps on running and I have to hit close and it works

Sponsors