How do I reset a computer’s domain account?

Normally, computers' domain accounts are self-maintaining. Computers authenticate to the domain automatically upon startup, and periodically change their domain passwords without your intervention. However, it is possible for a computer's domain account to have problems, which can require you to reset the account.

Resetting a computer's domain account will break the link between the computer and the domain. The computer will have to be joined to a workgroup (thus removing it from the domain), then re-joined to the domain.

Resetting the Account

You can reset a computer account by using either the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in or a command-line utility. To use Active Directory Users and Computers, open Active Directory Users and Computers, and locate the computer's account. By default, Active Directory places computer accounts in the Computers container. However, your organization might place computer accounts in another organizational unit (OU). Right-click the computer account, and select Reset from the context menu.

You can't perform this procedure with a domain controller. Generally, there's no need, as the computer can always contact itself to reset its own password. However, if a domain controller's Active Directory account becomes unsynchronized, you'll have to use DCPromo to remove and reinstall Active Directory.

To use a command-line utility, run

dsmod computer computername -reset

replacing computername with the name of the computer you want to reset.

You must be a Domain Administrator, Enterprise Administrator, or have the appropriate delegated permissions to perform these tasks.
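The command-line reset can be wrapped in a script that looks the account up first. This PowerShell sketch is an added example, not part of the original article. It finds the account in whichever container or OU holds it, refuses to touch a domain controller, and passes dsmod the account's distinguished name, which is how dsmod identifies the object. The script name Reset-ComputerAccount.ps1 and the parameter name are assumptions, and dsquery and dsmod must be installed on the machine where it runs.

```powershell
# Reset-ComputerAccount.ps1 (hypothetical name): added example, not from the article.
# Assumes dsquery.exe and dsmod.exe are on PATH and the caller holds the
# rights the article lists (Domain/Enterprise Admin or delegated permissions).
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]   # plain host name only; rejects dsquery wildcards
    [string]$ComputerName
)

# dsquery server returns domain controllers only, so any hit means "stop".
$dcHits = @(& dsquery server -name $ComputerName 2>$null | Where-Object { $_ })
if ($LASTEXITCODE -ne 0) { throw "dsquery server failed with exit code $LASTEXITCODE." }
if ($dcHits.Count -gt 0) {
    throw "$ComputerName is a domain controller; this procedure does not apply to it."
}

# Find the account wherever it lives: the Computers container or another OU.
$found = @(& dsquery computer -name $ComputerName | Where-Object { $_ })
if ($LASTEXITCODE -ne 0) { throw "dsquery computer failed with exit code $LASTEXITCODE." }
if ($found.Count -ne 1) {
    throw "Expected exactly one account named $ComputerName, found $($found.Count)."
}

# dsquery wraps each DN in double quotes; strip them before passing the DN on.
$dn = $found[0].Trim().Trim('"')

# Resetting breaks the computer's link to the domain, so ask before doing it.
if ($PSCmdlet.ShouldProcess($dn, 'Reset computer account')) {
    & dsmod computer $dn -reset
    if ($LASTEXITCODE -ne 0) { throw "dsmod failed with exit code $LASTEXITCODE." }
    Write-Output "Reset $dn. Move the computer to a workgroup, then rejoin it to the domain."
}
```

Running the script with -WhatIf shows which account would be reset without changing it.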

Rejoining the Domain

Once its account is reset, a computer will be unable to authenticate to the domain. Essentially, you've changed the computer's password and have no way to tell it what the new password is. The only solution is for you to remove the computer from the domain, then rejoin it to the domain.

A side effect of the computer being unable to authenticate to the domain is that no users will be able to log on to the computer by using domain credentials.

To rejoin the domain on a Windows XP Professional computer (the process for Windows 2000, or Win2K, is similar), right-click My Computer, and select Properties from the context menu. On the Computer Name tab, click Change. Select Workgroup, and click OK to close all dialog boxes. You will need to restart the computer. Return to the Computer Name tab after restarting, and click Change again. Select Domain, provide the appropriate domain name, and click OK. You will need to provide the appropriate user credentials to add the computer back into the domain. After completing these steps, the computer should be able to authenticate to the domain. Restart the computer and ensure that the domain logon problem is resolved.