Using Windows PowerShell to fix a broken Secure Channel and reset the computer account


When a computer joins a domain, a computer account is created in AD. The computer account gets its own password, which by default expires after 30 days. When the password expires, the computer itself initiates a password change with a DC in its domain.

When the computer starts up, it uses this password to create a secure channel (SC) with a DC. The computer will request to sign all traffic that passes the SC. If a DC says “go ahead”, all traffic that is signed passes through this channel.

Traffic such as NTLM pass-through authentication is typically signed traffic.

So what happens if the computer account password does not match? The computer tries to authenticate, but the DC says this is not the correct password.

The SC is down.

To reset the SC between a computer and a DC:

Open PowerShell on the local computer with the broken SC and run the cmdlet:

Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
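The same repair wrapped in a check-first routine, as an added example that is not part of the original post: it tests the SC, repairs only when the test fails, and tests again to confirm. The function name Repair-SecureChannelIfBroken and the shape of its result object are hypothetical; only Test-ComputerSecureChannel and its -Repair, -Credential and -Server parameters are built in.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the affected computer.
# Repair-SecureChannelIfBroken is a hypothetical helper name, not a built-in cmdlet.
function Repair-SecureChannelIfBroken {
    [CmdletBinding()]
    param(
        # Domain account that is allowed to reset this computer's account password.
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential,

        # Optional: name of a specific DC to test and repair against.
        [string]$Server
    )

    if (-not (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue)) {
        throw 'Test-ComputerSecureChannel is not available in this PowerShell session.'
    }

    # Pass -Server through only when the caller supplied one.
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Without -Repair the cmdlet only reports: $true = SC healthy, $false = SC broken.
    $before   = Test-ComputerSecureChannel @common
    $repaired = $false

    if (-not $before) {
        # Broken SC: reset it using the supplied domain credentials.
        $repaired = Test-ComputerSecureChannel @common -Repair -Credential $Credential
    }

    # Test again so the result reflects the state after any repair attempt.
    $after = Test-ComputerSecureChannel @common

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        HealthyBefore   = $before
        RepairAttempted = (-not $before)
        RepairReturned  = $repaired
        HealthyAfter    = $after
    }
}

# Prompts for credentials, then returns one object describing what happened.
Repair-SecureChannelIfBroken -Credential (Get-Credential)
```

Because the first call is test-only, the routine leaves a healthy SC untouched.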

Source: Using Windows PowerShell to fix a broken Secure Channel and reset the computer account


Sysinternals autologon and securely encrypting passwords???


Hi all,

Nowadays I’m trying to create an Auto Logon but with an encrypted password.

I discovered the Sysinternals AutoLogon, which can do that, but that is not entirely true. There is a way to decrypt this password.

This is not completely secure.

Please read the article below.

https://keithga.wordpress.com/2013/12/19/sysinternals-autologon-and-securely-encrypting-passwords/?blogsub=confirming#subscribe-blog