Windows 10 Workstation Cannot Be Accessed via RDP with Other User Error
-
Local logins work (maybe cache?), and remote logins to the console work (e.g. MeshCentral), but if we attempt to connect via RDP to this Windows 10 workstation we get the error "Other User The Security Database on the server does not have a computer account for this workstation trust relationship."
The AD server is Windows Server 2019 Standard. Both systems are fully patched.
The user being tested in this case is the domain admin, the same one logged in on the domain controller.
-
In PowerShell...
PS C:\Users\administrator> Test-ComputerSecureChannel -Credential (Get-Credential) -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "MrRebarVM1".
False
VERBOSE: The secure channel between the local computer and the domain ad.redacted.com is broken.
PS C:\Users\administrator> Test-ComputerSecureChannel -Credential (Get-Credential) -Verbose -Repair
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "MrRebarVM1".
Test-ComputerSecureChannel : Cannot find the computer account for the local computer in the domain ad.redacted.com.
At line:1 char:1
+ Test-ComputerSecureChannel -Credential (Get-Credential) -Verbose -Rep ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (MrRebarVM1:String) [Test-ComputerSecureChannel], InvalidOperationException
    + FullyQualifiedErrorId : CannotFindMachineAccount,Microsoft.PowerShell.Commands.TestComputerSecureChannelCommand
-
Okay, discovered that the computer does not have an account on the domain controller, at all. Yet the computer thinks that it is a member of the domain. Pretty fishy.
-
I would unjoin and rejoin to the domain. Be sure to reset the password for the local administrator before unjoining. I would also make sure the NIC is only looking at an internal DNS server for DNS. Not sure what happened with the computer account, but possibly it was deleted at some point.
-
@Fredtx said in Windows 10 Workstation Cannot Be Accessed via RDP with Other User Error:
I would unjoin and rejoin to the domain. Be sure to reset the password for the local administrator before unjoining. I would also make sure the NIC is only looking at an internal DNS server for DNS. Not sure what happened with the computer account, but possibly it was deleted at some point.
Yup, just did and it worked. We never had the local admin, but with our tools we can make a new one, which we did, no issues.
-
@scottalanmiller said in Windows 10 Workstation Cannot Be Accessed via RDP with Other User Error:
Okay, discovered that the computer does not have an account on the domain controller, at all. Yet the computer thinks that it is a member of the domain. Pretty fishy.
We would see this at the clinic where a computer (laptop) was taken home, or forgotten in a drawer and left unused for months. Policies, scripts or attrition: the computer would fall off the domain.
While it COULD be rejoined, I'd image it as a precaution... and as a 'lesson' to the end user.
-
@scottalanmiller said in Windows 10 Workstation Cannot Be Accessed via RDP with Other User Error:
@Fredtx said in Windows 10 Workstation Cannot Be Accessed via RDP with Other User Error:
I would unjoin and rejoin to the domain. Be sure to reset the password for the local administrator before unjoining. I would also make sure the NIC is only looking at an internal DNS server for DNS. Not sure what happened with the computer account, but possibly it was deleted at some point.
Yup, just did and it worked. We never had the local admin, but with our tools we can make a new one, which we did, no issues.
Yup, fun ability. Did that with a PC or three, kept the same CMD syntax for several computers. Of course the remote agent has to work, be connected AND allow for CMD.
-
We find that if we rename the PC, then allow more than a day to go by before restarting, this can happen.
Also, if we rename a PC, then the user allows the PC to go into Lock mode (screen saver timeout with login required to return) they will encounter this upon wake up/re-logon.
In the above two cases a reboot usually resolves it; when it doesn't, we go in as local admin and disjoin then rejoin the domain to resolve it.
Also, in the above two cases, we did not lose the computer in active directory, so after the disjoin/rejoin you'd want to remove the orphan computer from AD.
There's an article online somewhere about why you should NOT disjoin and rejoin the domain in this case, but we have always done it this way and have never experienced ill effects.
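The triage steps that come up across this thread (Fredtx's DNS and local-admin advice, and the reboot/repair-or-rejoin choice in the last post) as one added PowerShell script; this is example code, not something posted in the thread. It assumes it runs elevated on the affected workstation, that the RSAT ActiveDirectory module is installed, and that the internal resolver list is a constructed placeholder you replace with your own.

```powershell
# Added example: decide between an in-place secure-channel repair and a
# disjoin/rejoin for the "trust relationship" / "Other User" RDP error.
param(
    [pscredential]$DomainAdminCred = (Get-Credential -Message 'Domain admin credential')
)

$computer = $env:COMPUTERNAME
$domain   = (Get-CimInstance Win32_ComputerSystem).Domain

# 1. DNS: the NIC should only point at internal DNS servers (constructed placeholder list).
$internalDns = @('10.0.0.10', '10.0.0.11')
$dnsServers  = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
$external = $dnsServers | Where-Object { $_ -notin $internalDns }
if ($external) { Write-Warning "Non-internal DNS server(s) configured: $($external -join ', ')" }

# 2. Is there still a computer object for this host in AD? -Filter returns nothing
#    (no error) when the object was deleted, which is the case the thread describes.
$adObject = Get-ADComputer -Filter "Name -eq '$computer'" -Server $domain -Credential $DomainAdminCred

# 3. Is the machine-account secure channel intact?
$channelOk = Test-ComputerSecureChannel -Credential $DomainAdminCred

# 4. Before any unjoin, confirm an enabled local administrator exists to log back in with.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
    ForEach-Object { Get-LocalUser -Name (($_.Name -split '\\')[-1]) } |
    Where-Object { $_.Enabled }

if ($channelOk) {
    Write-Host "Secure channel to $domain is healthy; look elsewhere for the RDP failure."
}
elseif ($adObject) {
    # Account exists but the machine password is out of sync (e.g. after a rename
    # without a timely reboot): repair in place, no rejoin needed.
    Test-ComputerSecureChannel -Credential $DomainAdminCred -Repair -Verbose
}
else {
    Write-Warning "No computer account for $computer in $domain; a disjoin/rejoin is required."
    if (-not $localAdmins) {
        Write-Warning 'No enabled local administrator found; create or reset one before unjoining.'
        return
    }
    # Review, then run interactively (two reboots):
    # Remove-Computer -UnjoinDomainCredential $DomainAdminCred -WorkgroupName 'WORKGROUP' -Force -Restart
    # Add-Computer    -DomainName $domain -Credential $DomainAdminCred -Restart
}
```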