How to proactively tell if a Windows system lost its trust relationship with the domain

Robert Perez-Corona
Is there a way, via PowerShell/scheduled task, software/app or other solution, that we can see if a Windows machine lost its trust with the domain?

Since it's a recurring issue at my job, I was hoping to execute something and generate reports to hand off to my Ops team.

Thank you.
Commented:
A machine doesn't lose its trust with the domain out of the blue.
The only things that come to mind that can cause this are:
* Duplicate computer names, where the one that is rejoined throws the other one off.
* Users that are local Administrators and "join the machine to their home workgroup"
* Authoritative AD restore (should hit more than one machine).
* Restore of a snapshot/image of a machine where the machine changed its password after the snapshot/image was taken
That's about it. I have yet to encounter a machine that spontaneously drops its secure channel.
You can use Test-ComputerSecureChannel to test (and repair) the secure channel.
Test-ComputerSecureChannel
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel
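Since Test-ComputerSecureChannel only tests the machine it runs on, a scheduled sweep has to run it remotely on each computer and collect the results. The following is an added example, not code from oBdA's post; it assumes the ActiveDirectory module is installed, WinRM is enabled on the targets, and the report path is arbitrary.

```powershell
# Added example: sweep enabled domain computers, test each secure channel, report to CSV.
# Assumptions (not from the original posts): ActiveDirectory module present on the
# host running this, WinRM enabled on targets, and a report folder that already exists.
$ReportPath = "C:\Reports\SecureChannel_$(Get-Date -Format yyyyMMdd).csv"   # assumed path
$Computers  = Get-ADComputer -Filter 'Enabled -eq $true' |
              Select-Object -ExpandProperty Name

$Results = foreach ($Name in $Computers) {
    try {
        # Test-ComputerSecureChannel must execute on the machine being tested,
        # so it is wrapped in Invoke-Command. It returns $true or $false.
        $Ok = Invoke-Command -ComputerName $Name -ErrorAction Stop -ScriptBlock {
            Test-ComputerSecureChannel -ErrorAction SilentlyContinue
        }
        $Status = if ($Ok) { 'OK' } else { 'BROKEN' }
        [pscustomobject]@{
            Computer      = $Name
            SecureChannel = $Status
            Detail        = ''
            Checked       = Get-Date
        }
    }
    catch {
        # A broken secure channel frequently makes Kerberos-based remoting to the
        # box fail as well, so "unreachable" is reported rather than skipped.
        [pscustomobject]@{
            Computer      = $Name
            SecureChannel = 'UNREACHABLE'
            Detail        = $_.Exception.Message
            Checked       = Get-Date
        }
    }
}

# Full report for the Ops team, plus a console summary of anything not healthy.
$Results | Export-Csv -Path $ReportPath -NoTypeInformation
$Results | Where-Object { $_.SecureChannel -ne 'OK' } | Format-Table -AutoSize
```

Run it from a scheduled task under an account that can remote to the workstations; machines that are simply powered off or blocked from WinRM will also show as UNREACHABLE, so correlate that column with your inventory before treating it as a trust failure.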
Kesavan Jeganarayanan, IT Consultant

Commented:
In addition to oBdA's comments, it is very difficult to proactively tell if a system lost its trust relationship with the domain.
You need to have your previous history to see how many clients were affected per year to show as estimates.

Commented:
The only time a machine loses trust with a domain is when an update or a failing drive triggers a system repair and rolls/reverts to a prior snapshot.

I think your question is somewhat similar to "how can I proactively determine whether I lost my keys?"
You find out when the keys are needed. Same with the trust relationship.

Note: the login using cached credentials is available when the system is OFF the network. If you have a local admin, or you are an admin on the domain, once you have an active session, and the system is
Robert Perez-Corona, Systems Administrator

Author

Commented:
Thank you all for the input.
