Can't change password if forced to change at next logon


We are having a very strange issue in our domain, which is a mix of Windows 2008 R2 and Windows 2012 R2 domain controllers. Basically, if the user does a CTRL + ALT + Del and tries to change the password, they get this error:

The security database on the server does not have a computer account for this workstation trust relationship.

This is only happening on a handful of computers (Windows 7), on one of them I tried this today:

1. Remove it from the domain
2. Deleted it from Active Directory
3. Rejoined it to the domain
4. Had the user try to change his password and got the same error listed above.

He is able to change his password on a newly imaged laptop. The logs on both the workstation and the DCs aren't giving us any indication of issues.

I am wondering if anyone has run into this issue before?

Thank you.
Asked by Marco Rojas

rgorman commented:
Do you see any errors in the event logs on the PCs having the issue? Are they pointing to the correct internal DNS servers for the domain?
Will Szymkowski, Senior Solution Architect, commented:
First off, if there is a trust relationship issue, the correct way to reset the trust is to use the netdom reset command. Example below:

netdom reset <machinename> /Server:dc1 /UserO:administrator /PasswordO:*

The above command will reset the secure channel for a machine that has lost its trust.

However, you said that you have both 2008 R2 and 2012 DCs in your environment. With Windows Server 2012 as domain controllers, you HAVE TO make sure that you are properly sysprepping your machines. Server 2012 is very sensitive to ensuring that you have properly sysprepped your machines before bringing them into the domain.

I am almost certain that your issue has something to do with SID/GUID issues on the domain related to improperly sysprepped Windows images.

You need to use sysprep /generalize to ensure that it is sysprepped properly.
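The checks raised in this thread (DNS servers, secure channel test and reset, whether every DC holds the computer account after the delete/rejoin, the duplicate-SID theory behind the sysprep advice, and the trust-related event log entries) gathered into one PowerShell triage script. This is an added example and not code from the original thread. It assumes the domain is named contoso.local, that the DC is dc1 as in the netdom command above, and that the RSAT Active Directory module is installed on the client for the Get-AD* cmdlets; all three are assumptions. It sticks to cmdlets available on Windows 7 / PowerShell 2.0, so it uses WMI and nslookup for the DNS checks instead of the Windows 8+ DnsClient cmdlets.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the affected Windows 7 client.
# Assumptions: domain contoso.local, DC dc1, RSAT ActiveDirectory module present.
$Domain = 'contoso.local'
$DC     = 'dc1'
$Me     = $env:COMPUTERNAME

# 1. DNS: the client must point at internal DNS servers that publish the
#    DC SRV records (rgorman's question). WMI + nslookup work on Windows 7.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Select-Object Description, DNSServerSearchOrder
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# 2. Secure channel: the same machine-account trust that netdom reset repairs.
$trustOk = Test-ComputerSecureChannel -Server $DC -Verbose
"Secure channel to ${DC} OK: $trustOk"
if (-not $trustOk) {
    # -Repair is the cmdlet equivalent of netdom reset: it resets the
    # machine-account password on the client and in AD. The credential needs
    # rights to reset the computer object's password.
    $cred = Get-Credential "$Domain\administrator"
    Test-ComputerSecureChannel -Server $DC -Repair -Credential $cred
}

# 3. After a delete/rejoin, a DC that has not yet replicated the new computer
#    object cannot service the password change; that is exactly the
#    "no computer account for this workstation" condition. Ask every DC.
Import-Module ActiveDirectory
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $obj = Get-ADComputer -Identity $Me -Server $dc.HostName -Properties PasswordLastSet
        "{0,-30} has {1}  SID={2}  PasswordLastSet={3}" -f $dc.HostName, $obj.Name, $obj.SID, $obj.PasswordLastSet
    } catch {
        "{0,-30} MISSING {1}: {2}" -f $dc.HostName, $Me, $_.Exception.Message
    }
}

# 4. Sysprep theory: derive the local machine SID from the built-in
#    Administrator account (RID 500) and compare it with a known-good client.
#    Two machines reporting the same machine SID came from an image that was
#    never generalized.
$adminSid = (Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
             Where-Object { $_.SID -like '*-500' }).SID
$machineSid = $adminSid -replace '-500$', ''
"Local machine SID: $machineSid"

# 5. Trust-related events from the last 24 hours (Marco mentioned Schannel
#    entries). NETLOGON and Kerberos are the providers that log failed
#    secure-channel setup and machine-account authentication.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON', 'Schannel', 'Microsoft-Windows-Security-Kerberos'
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```

Run step 4 on both the failing workstation and the newly imaged laptop that works; if the machine SIDs differ, the sysprep theory does not explain this case and step 3 (which DCs actually hold the account, and whether its PasswordLastSet matches the rejoin) is where to look.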


Marco Rojas (Author) commented:
rgorman, I see a few Schannel events in the System log but nothing else that would indicate any issues.

Will, we ran a few commands to test the secure channel and they came back as good, and I think that we even tried to reset it. I will try your command next week when we get access to a laptop having that issue.

I will ask the desktop folks how they sysprep their images.

Thank you for the prompt responses guys!