How to prevent "The Trust relationship between this workstation and the primary domain failed"

I got a call from a user who is not able to log in to the domain. The error message was "The trust relationship between this workstation and the primary domain failed".
I tried the local Administrator and other domain users and got the following message: "Account is disabled". I then logged in as Domain administrator and was able to log in, and I noticed that the local administrator account was indeed disabled. I then enabled it, and before I remove this laptop from the domain and rejoin it to the domain, I was wondering if this is the solution and if someone knows why this happened.

Thank you AsgharE
AsgharE Asked:
 
Hypercat (Deb) Commented:
At this point, you really need to remove that workstation from the domain, delete the AD computer account, and then rejoin the domain.  That should resolve these issues.  The reason you see that "bunch of numbers" instead of the name of the account is that you are seeing the local SID of the domain administrator account.  Because of the problem with the computer account, it cannot properly read the attributes of the domain admin account and therefore is just displaying the local SID.  Once you rejoin it to the domain properly, you will once again see the domain administrator account name there.
0
 
Hypercat (Deb) Commented:
That error message indicates a problem with the computer's domain account. It's hard to say positively, but I don't think that disabling the local admin account would cause that problem, at least I have never heard of that being the case.  I would guess that the reason you were able to get in with the domain admin account is that that account was the only other account that had admin privileges on the local workstation.
0
 
Americom Commented:
Simply having the local Administrator account of the machine disabled should not affect other local or domain accounts from logging on to the machine or logging on to the domain from the machine.
The message was probably due to something else also being disabled, such as the computer account.

As far as why the local Administrator account was disabled, it could be from someone manually disabling it or from a GPO policy. If from GPO, then you could have more machines with the local Administrator disabled, which you can verify from other workstations.

btw, if you rejoin the domain, the computer account in the Active Directory will be active again. But again, if there is a GPO still active to disable the Administrator account, you would see this Administrator account get disabled again on the next GPO refresh.
0
 
AsgharE (Author) Commented:
There was another local user with administrator privilege, and I could not log in as that user either, with the same issue as the local administrator (it was disabled).
I also noticed that when I checked the properties of the local Administrators group, "Member of" shows a bunch of numbers rather than domain\administrator as a member. Usually in the past I removed the computer from the domain and rejoined it to resolve the issue, but I had never seen the local administrator and local user accounts be disabled. btw, there is no GPO, therefore it was not impacted by GPO. But in the domain event viewer there have been a lot of login failures regarding this workstation over the last several days, but users had no problem logging in till today.
0
 
AsgharE (Author) Commented:
hypercat, I almost did what you recommended, except I did not delete the computer account from AD before rejoining the computer to the domain. (I just got your comment.)
Surprisingly, contrary to my expectation, when I added the domain user to the local administrators group and logged in as the user to the domain, all of the previous profile was accessible; I mean that I did not even have to recreate the Outlook profile.
I launched the Outlook icon and the user got to the inbox, whereas in the past Windows XP recreated another profile like user01.domain.
I will watch this laptop and the logs on the Domain and DNS next week to see if I have to repeat the process and take your complete and clean steps.
Thank you.
0
 
Hypercat (Deb) Commented:
Glad to help - I hope it works consistently for you.  I recommended deleting the computer account because I've found in some cases that just unjoining and rejoining the domain with the same AD account does not quite do the trick.  However, it sounds like it worked in your case, so that's even better.
0
Question has a verified solution.
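
The two symptoms discussed in this thread (a failed workstation trust and "a bunch of numbers" in the local Administrators group) can be checked from PowerShell before unjoining and rejoining. This is an added example, not part of any participant's post; it assumes Windows PowerShell 2.0 or later and the English group name Administrators, and the function names are hypothetical.

```powershell
# Added diagnostic example; run elevated on the affected workstation.
# Assumption: the built-in group uses its English name "Administrators".

function Test-DomainTrust {
    # $true when the secure channel between this computer and its domain works.
    try { [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch {
        Write-Warning "Secure channel check failed: $($_.Exception.Message)"
        $false
    }
}

function Get-LocalAdminResolution {
    # The WinNT ADSI provider still enumerates members whose names cannot be
    # resolved, so each member is read by SID and then translated to a name.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $name  = $null
        $why   = $null
        # Translation fails for deleted accounts and for domain accounts that
        # cannot be looked up while the trust is broken.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $why = $_.Exception.Message }
        New-Object PSObject -Property @{
            Sid = $sid.Value; Account = $name; Resolved = [bool]$name; Error = $why
        }
    }
}

$trustOk = Test-DomainTrust
$members = @(Get-LocalAdminResolution)
$members | Format-Table Sid, Account, Resolved, Error -AutoSize

$unresolved = @($members | Where-Object { -not $_.Resolved })
if (-not $trustOk) {
    Write-Output "Secure channel is broken; $($unresolved.Count) Administrators member(s) show only as SIDs."
} elseif ($unresolved.Count -gt 0) {
    Write-Output "Secure channel is healthy, but $($unresolved.Count) member(s) do not resolve to a name."
} else {
    Write-Output "Secure channel is healthy and all Administrators members resolve."
}
```

Running it again after the workstation has been rejoined shows whether the domain members of the group resolve to names again.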
