Darren Crone asked:
Server Computer Account has been deleted in AD - How do I recreate if I can no longer login to the domain?

The most important server in my network (the one that has my Dispatching Database on it) computer account has been deleted from Active Directory Computers and Users. Since I now cannot login to the domain how can I unjoin (or whatever) the domain and then rejoin the domain? Or what is my best course of action?
Thanks in advance,
Darren
Cliff Galiher:
If you set it up, AD has a recycle bin.

If you didn't set up and enable the recycle bin, even domain joined machines have local (non-domain) admin accounts. If you don't have local admin accounts documented....things get dicey. Should be part of your disaster recovery plan....
You can use Domain Administrator to login to your computer. You've said computer account was deleted but I assume it wasn't domain admin.
You can log on as domain admin.
If domain admin account still exists on DC then login to DA Users and Computers and recreate user you've just lost.
Darren Crone (asker):
Cliff, how do I check if there is an AD recycle bin? There probably isn't because I setup this server 10+ years ago. Tom, I didn't lose a user account, I lost the computer account ie. RSDISPATCH03 under computers listing in AD Users and Computers. Can I manually add a computer account in AD?
You can definitely add the machine to the domain again. You need to have domain join rights. Domain Admin account will work in this case. Actually any user can join up to 10 computers to a domain unless set otherwise.
So login to local profile and remove computer from domain.
Then login again and add it again.

I assume you know local user and password.
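The leave-and-rejoin sequence described above, written out as an added PowerShell example (this is not code from the thread or from any poster). It assumes you are logged on to the affected server with a local administrator account in an elevated PowerShell window; `corp.example` and `WORKGROUP` are placeholders, and RSDISPATCH03 is the server named in the question. It first checks whether the secure channel can simply be repaired (which only works if the computer object exists, for instance after an undelete), and falls back to the unjoin/rejoin steps only when it cannot.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# window on the affected server while logged on with a LOCAL administrator
# account. "corp.example" and "WORKGROUP" are placeholders; RSDISPATCH03 is
# the server named in the question.

$DomainName = 'corp.example'
$JoinCred   = Get-Credential -Message 'Account allowed to join computers (e.g. Domain Admin)'

function Test-DomainTrust {
    # Returns $true when the machine's secure channel to a DC still works.
    # When the computer object is gone this returns $false (or throws).
    try   { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

function Repair-DomainTrust {
    # Cheap fix: reset the machine password against an existing computer
    # object. Succeeds only if the object exists (e.g. after an undelete).
    try   { return [bool](Test-ComputerSecureChannel -Repair -Credential $JoinCred -ErrorAction Stop) }
    catch { return $false }
}

function Step-LeaveDomain {
    # Drops the server to a workgroup. AD cannot disable the (missing)
    # account, so -Force tells Remove-Computer to proceed anyway. Reboots.
    Remove-Computer -UnjoinDomainCredential $JoinCred -WorkgroupName 'WORKGROUP' -Force -Restart
}

function Step-RejoinDomain {
    # Run after the reboot, logged on locally again. Creates a fresh
    # computer object (the account name stays RSDISPATCH03) and reboots.
    Add-Computer -DomainName $DomainName -Credential $JoinCred -Restart
}

if (Test-DomainTrust) {
    'Secure channel is healthy; no rejoin required.'
} elseif (Repair-DomainTrust) {
    'Secure channel repaired in place; log on with a domain account after a reboot.'
} else {
    'Computer account is missing: run Step-LeaveDomain, reboot, then Step-RejoinDomain.'
}
```

Because each of the last two steps reboots the server, they are separate functions rather than one script: run `Step-LeaveDomain`, log on locally again after the restart, then run `Step-RejoinDomain`. Rejoining creates a new computer object with a new SID, so anything that referenced the old object (group memberships, delegated permissions) has to be reapplied afterwards.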
Okay, how do I add the machine to the domain again? Using Active Directory Users and Computers?
ASKER CERTIFIED SOLUTION
Tom Cieslik
1. If the machine account has been deleted or corrupted, you cannot login as a domain admin. (as you have probably determined)
2. You need to know the local admin account credentials.
3. You cannot add a machine using ADUC, this needs to happen on the target box itself.
4. If you have lost the local account credentials, there are some utilities that may allow you to reset it. I have a link to one below. This is a little risky and can be complex, particularly if your machine has an unsupported RAID card.
5. It is a trivial matter to reset local account passwords on machines that you can still log onto as a network admin. Go around and do this ASAP, to prevent getting into this mess again.

http://pogostick.net/~pnh/ntpasswd/
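Point 5 above, done from one console instead of walking around: an added PowerShell example (not from the thread or any poster) that resets and enables the built-in local Administrator on every domain computer that is still reachable, so that a lost machine account can never lock you out of the box again. It assumes PowerShell Remoting (WinRM) is enabled on the targets, the RSAT ActiveDirectory module is installed where you run it, and that the `Microsoft.PowerShell.LocalAccounts` cmdlets exist on the targets (Windows 10 / Server 2016 and later); the OU is a placeholder.

```powershell
# Added example, not code from the thread. Run as a Domain Admin from a
# machine with the ActiveDirectory module. The OU below is a placeholder.
Import-Module ActiveDirectory

$NewPassword = Read-Host -AsSecureString -Prompt 'New local Administrator password'
$SearchBase  = 'OU=Servers,DC=corp,DC=example'     # placeholder OU to cover

$report = foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
    try {
        Invoke-Command -ComputerName $c.DNSHostName -ArgumentList $NewPassword -ErrorAction Stop -ScriptBlock {
            param([securestring]$pw)
            # The built-in Administrator may have been renamed, so locate it by
            # its well-known relative ID (-500) rather than by name.
            $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
            $admin | Enable-LocalUser
            $admin | Set-LocalUser -Password $pw -PasswordNeverExpires $true
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $admin.Name; Status = 'Reset' }
        }
    } catch {
        # Unreachable or remoting refused: these are the machines to visit in person.
        [pscustomobject]@{ Computer = $c.Name; Account = $null; Status = "FAILED: $($_.Exception.Message)" }
    }
}

$report | Format-Table -AutoSize
$report | Where-Object Status -ne 'Reset' | Export-Csv -NoTypeInformation -Path '.\local-admin-reset-failures.csv'
```

The failures list is the useful output: those are the machines where you would still be stuck. Setting the same password everywhere is a quick fix for the immediate problem; a per-machine password managed centrally (Microsoft's LAPS does this) is the better long-term design, because one shared local password is also one shared credential for an attacker who obtains it.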
You don't need to have the Recycle Bin enabled in order to undelete a directory object.  I wrote an article about this here:

https://www.experts-exchange.com/articles/28870/Undeleting-Objects-in-Active-Directory.html

While a restored user will have its SID and password restored, a computer might be a different story, as the secure channel password that the computer sets every 30 days or so might not be restored.  If you are planning to recreate the computer account anyway, it's worth a try.  Or, you can delete a non-critical computer account that is known to work, then verify that it's off the domain, then restore it, and see if it's then able to access the domain.

You can always use the local account as others have suggested, and if you don't have that, there are still workarounds if you have physical access to the machine.  But try the undeletion first.
Restoring an account from tombstoned state will not restore group memberships AFAIR but the secure channel password will be restored. I mention this because I utilize computer groups quite a bit and others might too.
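The undelete-without-Recycle-Bin route from the two posts above, plus the "how do I check if there is an AD recycle bin?" question, as an added PowerShell example (not code from the thread, the linked article, or any poster). It assumes the RSAT ActiveDirectory module and Domain Admin rights, and that the object was deleted within the tombstone lifetime so a tombstone still exists. RSDISPATCH03 is the computer named in the question. After restoring, it lists the group membership count and the machine password timestamp so you can see for yourself which of the two caveats above (lost group memberships, possibly lost secure channel password) applies in your forest.

```powershell
# Added example, not code from the thread. Run on a DC (or a machine with
# the RSAT ActiveDirectory module) as a Domain Admin. RSDISPATCH03 is the
# computer named in the question; nothing else here is site-specific.
Import-Module ActiveDirectory
$Name = 'RSDISPATCH03'

function Test-RecycleBinEnabled {
    # The optional feature object always exists on a 2008 R2+ forest;
    # it is only *enabled* if EnabledScopes is non-empty.
    $f = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    return ($null -ne $f -and $f.EnabledScopes.Count -gt 0)
}

function Find-DeletedComputer([string]$ComputerName) {
    # A tombstone keeps its name as "<name>\0ADEL:<guid>", so match on the prefix.
    # Several tombstones can exist if the object was deleted more than once;
    # the most recently changed one is the one to restore.
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "computer"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectSid |
        Where-Object { $_.Name -like "$ComputerName*" } |
        Sort-Object whenChanged -Descending |
        Select-Object -First 1
}

function Restore-DeletedComputer([string]$ComputerName) {
    $t = Find-DeletedComputer $ComputerName
    if (-not $t) { throw "No tombstone found for $ComputerName (deleted longer ago than the tombstone lifetime?)" }
    "Restoring $($t.Name) to $($t.lastKnownParent) (SID $($t.objectSid))"
    Restore-ADObject -Identity $t.ObjectGUID           # goes back to lastKnownParent

    # What survived? Without the Recycle Bin, group memberships are normally
    # stripped (see the note above), so review them before relying on the server.
    Get-ADComputer $ComputerName -Properties memberOf, pwdLastSet |
        Select-Object Name, SID,
            @{ n = 'Groups';     e = { $_.memberOf.Count } },
            @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } }
}

"Recycle Bin enabled: $(Test-RecycleBinEnabled)"
Restore-DeletedComputer $Name

# Then, on RSDISPATCH03 itself as a local admin, find out whether the secure
# channel password came back with the object:
#   Test-ComputerSecureChannel                                        # $true -> just log on with a domain account
#   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)   # otherwise, reset it against the restored object
```

The SID printed before the restore is the point of the exercise: a restored object keeps it, whereas a rejoin creates a new one, so restoring first (and repairing the secure channel if needed) preserves ACLs and any group memberships you then re-add by name.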