How to Reset a Windows Client Secure Channel Password – Video


    Instructor: Rick Trader


    Video Transcript:

I’m sure you’ve run into a situation where a user is attempting to log into a machine and is prompted that there is no secure channel between the client computer and the Domain Controller. Or a user appears not to be getting their Group Policy settings or their new group memberships.

What has happened is that the Secure Channel Password between the client computer and your Domain Controller has become mismatched. For example, the computer changed its password with Active Directory yesterday, and afterwards we had to revert the computer to a backup taken before yesterday. Or possibly someone used a System Restore Point and restored the machine to a point earlier than when the new password was actually negotiated, which would have occurred yesterday.

    So what are some of the symptoms?

First, if I attempt to log in to this Windows 7 computer as “Rick T”, a member of the Domain, and Rick has never logged into this machine before, Rick will get this error.


“The trust relationship between this workstation and the primary Domain Controller has failed.” That’s the primary symptom that your Secure Channel Password has failed.

If a user has logged on to this machine before, they’ll be able to log on with their cached credentials. In this case the only account that has logged into this machine is the Administrator account.

There are a couple of things I want to show you: the way we can verify that it was the Secure Channel Password that caused our problem.

    I’m going to bring up the Event Viewer.

[Screenshot: Event Viewer]

What we specifically want to look at is our System log.

[Screenshot: Event Viewer, System log]

Notice I got a Winlogon event. It says, “Your notification was unable to log in,” in other words it wouldn’t log on.

If I scroll down, I will see that there was a Group Policy error: “The processing of Group Policy failed due to the lack of network connectivity to the Domain Controller.”

[Screenshot: Group Policy error in Event Viewer]

If I scroll down further, my DNS Client failed to connect.


The other big one I’m looking for is the NETLOGON service. (This would have been logged when the machine restarted most recently.)

[Screenshot: NETLOGON event in Event Viewer]

Notice it states, “This computer cannot authenticate with the Windows domain,” and therefore this computer might be denied logon requests. This is a pure symptom of the Secure Channel Password problem.

One of the things a lot of users will do in their environments is go into Active Directory Users and Computers and, as a first step (which is actually a bad thing), delete the computer account. Then they go out to the computer, un‑join it from the Domain, re‑join it to the Domain, and get a new Computer Account.


The result of doing that is that the computer now gets a new SID.

So if that computer was in any group giving it a permission, a privilege, or a right anywhere inside your organization, it has just lost it.

Let me show you the proper way to reset this computer’s password.

Go into Active Directory Users and Computers. This can be accomplished through the graphical Active Directory Users and Computers console or through the Active Directory Administrative Center.

    We could also use the Netdom.exe utility out at the machine if the Active Directory Tools have been installed.

We can also use PowerShell out at the machine, if the Active Directory Tools have been installed, and the Nltest utility.

Any one of these utilities will help us reset that computer password.

I’m going to do it through the graphical interface. This would be the quickest way, and it would then allow the user to be out at the machine and reset the password.

    Go into Active Directory Users and Computers.

[Screenshot: Active Directory Users and Computers]

    The computer I used earlier is a Windows 7 box. It doesn’t matter if it’s a Windows XP, Vista, Windows 7, Windows 8 or Windows 8.1 box. All of them would be done exactly the same way as I’m doing here.

    Here’s my Windows 7 box.


    I’m going to secondary click on it, and I’m going to choose the option to Reset the Account.


    What this does is it tells Active Directory that this computer and Active Directory have lost the Secure Channel Negotiation of the Secure Channel Password.

I click Reset Account and then select Yes.

    Next it says that it was successfully reset.


    I’ll come back to my Windows 7 box.

    Now instead of un‑joining and re‑joining it to the Domain, I’m going to bring up My Computer Properties.


Specifically the Computer Name tab. I’m going to come down to Change settings.

[Screenshot: Change settings]

Notice the computer still remembers the Domain. I’m not going to actually take it out of the Domain.

    I’m going to use this option, Network ID.

[Screenshot: Network ID wizard]

    Instead of using Change, I’m going to use Network ID. So I click Network ID. This computer is part of a business network, not a home network.


    It is part of a Domain.


    Notice it says that I must have a user name and password inside the Domain.


    I also might want to know what this computer name is and what my Domain Name is.

    I do not need to be an administrator in the Domain. What I do need to be is a Local Administrator of this box. It says I’m logged in as an Administrator.


    I’ll then get a prompt that says, “This computer account already exists in Active Directory. Would you like to go ahead and continue using this account?”



    If I say, “Yes,” my SID will not change, my GUID will not change, and everything will go back to the way it was before we reset our computer.

    I’ll click Yes.

It’s now telling Active Directory that this computer has lost its Secure Channel Password. I’ll be asked if I want to add the user I’m logged in with to the local Administrators group. I’m not going to do that, because this account happens to be a member of the Domain Admins group.


I hit Finish > OK and then restart the computer.

Now when this computer restarts and comes back up, it will negotiate a new password with Active Directory. That password will be good for 30 days, just as it has been for all computers since Windows 2000.

    I’ll log back in as Rick T to show you that the password has been negotiated.

    I’ll come back to the Domain Controller.


Next I’ll show you the Nltest utility and the Netdom.exe utility in PowerShell. If you run [Netdom /?], you’ll see there’s an option to VERIFY the trust relationship. There’s also RESET.

[Screenshot: PowerShell, netdom help output]

The resetpwd option is what resets the computer password.

    So I’ll use [netdom resetpwd /?]


It asks for the name of the Domain Controller, a user ID and a password. Then it will send off the password reset.

If I’m out at the actual Domain Controller and I run netdom, it’s going to ask me for the name of the computer I want to reset the password on. So I want to do this out at the actual client machine. This will only require one restart.

Next I go into PowerShell and run import-module activedirectory.


Then I run [get-help channel].


Notice I’ve got options to test my computer’s Secure Channel, get the Secure Channel data, update the Secure Channel… This is the one we want to use: Update-SubMultichannelConnection. This will let us reset our Secure Channel connection. The Test Secure Channel option will also allow us to test it and reset it if it’s broken.

I’ll log in to my Windows 7 box; I can actually log in as Rick T from the Domain.


    Back to my Windows 7 box:

As you see, the Secure Channel has now been reset. Now the user will get their Group Policy settings. They’ll also get their new group memberships.

That’s how simple it is to reset a Secure Channel Password the proper way. Again, the improper way would have been to delete the computer account from Active Directory, then un‑join and re‑join the computer to the Domain.
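The same verify-then-repair sequence from the Event Viewer and PowerShell parts of the video, as an added example that is not from the video or from Interface Technical Training. It assumes an elevated PowerShell session on the affected client; the DC name is a placeholder and the domain credential is prompted for.

```powershell
# Added example (not from the video): verify and repair a broken secure channel
# from the affected client, in place, without deleting the computer account.
# Assumes an elevated PowerShell session on the client itself.

# 1. Confirm the symptom: recent errors/warnings from the three sources the video
#    walks through in the System log (Winlogon, Group Policy, NETLOGON).
$providers = 'NETLOGON', 'Microsoft-Windows-GroupPolicy', 'Microsoft-Windows-Winlogon'
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = $providers
    Level        = 2, 3                      # 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-Table -AutoSize -Wrap

# 2. Test the secure channel without changing anything; returns $true or $false.
$healthy = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $healthy"

if (-not $healthy) {
    # A domain user who may reset this computer account; Domain Admin is not required.
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer account'

    # 3a. Tear down and re-establish the secure channel with the domain. The computer
    #     object (SID, GUID, group memberships) is untouched, unlike delete/unjoin/rejoin.
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose

    # 3b. Equivalent of the video's "netdom resetpwd" step: reset the machine account
    #     password against a specific DC. 'DC01.example.local' is a placeholder.
    # Reset-ComputerMachinePassword -Server 'DC01.example.local' -Credential $cred

    # 4. Re-check, then restart once so Winlogon and Group Policy use the new channel.
    if (Test-ComputerSecureChannel) {
        'Secure channel repaired; restart the client to complete the fix.'
    }
}
```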

    Until next time – ride safe.
    Rick Trader

    Windows Server Instructor – Interface Technical Training

    Phoenix, AZ

    See what people are saying...

    1. Joseph Martin

      Hey Rick,
I was watching your course on LinkedIn and you mentioned interfacett and you also spoke about this issue. This is great man, I love to do things the right way. Your course on Active Directory is the best, at least for me it was. I have learned a lot. I would really appreciate it if you could share with me the source of stuff like this or where I can get a better understanding of schannel and computer accounts; a book or video link will do.

    2. Joseph Martin

      Can any of this be done remotely? Say, using Invoke-Command in PowerShell?

    3. Kevin Dasilva

      Hey Rick,

I was watching your course on LinkedIn and you mentioned interfacett and you also spoke about this issue. This is great man, I love to do things the right way. Your course on Active Directory is the best, at least for me it was. I have learned a lot. I would really appreciate it if you could share with me the source of stuff like this or where I can get a better understanding of schannel and computer accounts; a book or video link will do.

    4. AmirArsalan

Hi, thanks so much for this amazing and simple solution. Everything looks good, but I want to do that for a remote machine via netdom. Can I?

    5. Koby Roberts

      Can any of this be done remotely? Say, using Invoke-Command in PowerShell?
