Question

I need to detect notebooks whose domain accounts are no longer valid.

Invalid domain accounts can arise for several reasons. Mostly the client was restored from a backup, after which its domain account is no longer valid.

In this case the behaviour is:

  • The user's logon works through cached credentials
  • The user has access to shares and files on the server (NTLM)
  • Access via Kerberos does not work

Is there any possibility to check the validity of the computer account?

Solution

With this code I can find invalid computer domain accounts:

using System;
using System.DirectoryServices.ActiveDirectory; // Domain, ActiveDirectoryObjectNotFoundException
using System.Security.Principal;                 // NTAccount, SecurityIdentifier

try
{
    string sMyComputer = "MyComputer"; // or Environment.MachineName for the local host
    Domain computerDomain = Domain.GetComputerDomain(); // may! throw ActiveDirectoryObjectNotFoundException if computer account is invalid
    string sComputerDomain = computerDomain.Name;
    // the computer account is stored in AD as HOSTNAME$, so look up DOMAIN\HOSTNAME$
    NTAccount acc_machine = new NTAccount(sComputerDomain, sMyComputer + "$");
    // resolving the account to a SID is the actual test: it fails if the account no longer exists
    SecurityIdentifier sid = (SecurityIdentifier)acc_machine.Translate(typeof(SecurityIdentifier)); // always throws a SystemException if computer account is invalid
}
catch (Exception ex)
{
    // something is wrong with the account; ex.Message carries the error (HRESULT 80004005 in my tests)
}
  • sMyComputer + "$" is how the account name is stored in Active Directory
  • my experience is that the first exception is mostly not thrown, and the return value is the correct name of the domain in which the computer once had a working computer account
  • the second exception (SystemException) is always thrown if the computer account is now invalid. The error code is 80004005. (I had expected an IdentityNotMappedException)

EDIT:
corrected error in code
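The same check, as an added PowerShell example that is not part of the original answer: it performs the NTAccount-to-SID translation from the answer and, in addition, runs Test-ComputerSecureChannel, which tests the secure channel between the local machine and the domain. That channel depends on the machine account password, so it breaks in exactly the restore-from-backup case described in the question. The function name and the assumption that it runs in an elevated PowerShell on the domain-joined client itself (using $env:COMPUTERNAME) are mine.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell
# on the domain-joined client that is to be checked.
function Test-ComputerAccountValid {
    [CmdletBinding()]
    param(
        # Assumption: we check the local machine; remote checks would need different plumbing.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $result = [ordered]@{
        ComputerName    = $ComputerName
        DomainName      = $null
        SidResolved     = $false
        SecureChannelOk = $false
        Error           = $null
    }

    try {
        # Usually still returns the domain the machine was once joined to,
        # even when the account itself is gone (as the answer observes).
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $result.DomainName = $domain.Name

        # Computer accounts are stored as HOSTNAME$; translating to a SID
        # throws when the account no longer exists in AD.
        $acct = New-Object System.Security.Principal.NTAccount($domain.Name, "$ComputerName`$")
        $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        $result.SidResolved = $true
    }
    catch {
        $result.Error = $_.Exception.Message
    }

    try {
        # Fails when the locally stored machine account password no longer matches
        # the one in AD, i.e. the restored-from-backup case in the question.
        $result.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    }
    catch {
        $result.SecureChannelOk = $false
        if (-not $result.Error) { $result.Error = $_.Exception.Message }
    }

    [pscustomobject]$result
}

$status = Test-ComputerAccountValid
$status | Format-List

if (-not ($status.SidResolved -and $status.SecureChannelOk)) {
    Write-Warning "Computer account or secure channel for $($status.ComputerName) is not valid."
    # Repair needs domain credentials allowed to reset the computer account password.
    # Uncomment to actually repair:
    # Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Verbose
}
```

A machine can resolve its SID (the account object still exists) and still fail the secure-channel test (the password in AD was rotated after the backup was taken), so both results are reported separately; the nltest /sc_query:<domain> command line gives the same secure-channel answer where PowerShell is not available.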

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow