Issue with Domain and Client with Domain account

Question

Issue with Domain and Client with Domain account

SSE@TUE 160

Hi,

I have created some GPOs and deployed it to some client machines. The GPO does not applied on some machines.

I did do the following PS and see why:

Test-ComputerSecureChannel -Server "DCName.domain.com"

result : True

Test-ComputerSecureChannel -Verbose

Result: True

Test-ComputerSecureChannel -Repair

Result: True

Any Idea why?

Regards

Nick

Accepted answer

0 additional answers

Your answer

Answer 1

Marcin Policht 54,995 MVP Volunteer Moderator

The behavior you're describing points to trust relationship issues between the client machine and the domain, even though Test-ComputerSecureChannel initially reports True.

Test-ComputerSecureChannel checks whether the computer account in AD can communicate securely with the domain. When you run it without -Credential, it uses the machine account to test the secure channel. A return of True means “the channel is working,” but it doesn't guarantee that the channel is fully healthy for all operations (especially GPO application which may require access to certain AD objects).

Some GPOs might need authentication with domain credentials to access policies, SYSVOL, or scripts. If the machine account has limited permissions, or if Kerberos tickets are stale, GPOs can fail. Using -Credential forces the test to authenticate using a valid user account (typically a domain admin), which repairs/refreshes the secure channel properly.

Test-ComputerSecureChannel -Repair alone repairs the secure channel using the machine account. Usually enough if the issue is minor. But in some cases, the machine account doesn't have sufficient rights, so the repair seems fine (True), but GPO still fails. Using -Repair -Credential (Get-Credential) provides explicit domain credentials, which:

Re-establishes trust properly.
Refreshes machine account permissions.
Allows GPOs to apply correctly after gpupdate /force.

Some of the common reasons for this behavior include:

Stale computer account password: Domain computer accounts change passwords automatically every 30 days. Sometimes the local machine password gets out of sync.
Restricted access on SYSVOL/NETLOGON: The computer account cannot read the GPO.
Replication latency or AD inconsistencies: GPO objects not yet replicated.
Kerberos or token issues: Stale tickets can block GPO retrieval.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

SSE@TUE 160 Reputation points

2025-08-22T13:40:20+00:00

Thank you for your replay
SSE@TUE 160 Reputation points

2025-08-22T13:42:40.8366667+00:00
Hi,

Thank you for replay.

how can I prevent that situations?

Can I do or deploy that PS automatically without put username and password manually?

Is there any other solution way?

Regard

Nick
Marcin Policht 54,995 Reputation points MVP Volunteer Moderator

2025-08-22T14:15:18.1466667+00:00
Preventing the issue permanently

The root cause is usually stale or broken machine account trust. To prevent it:

Ensure computer account password updates correctly

By default, domain computer accounts change their password every 30 days.

Make sure time is synchronized (domain controller and clients). Kerberos is sensitive to time drift (>5 min can break authentication).

Use w32tm /resync on clients if needed.

Monitor secure channel health regularly

You can schedule a script that runs:
if (-not (Test-ComputerSecureChannel)) { Test-ComputerSecureChannel -Repair }

This ensures any broken channels are automatically repaired using the machine account.

To avoid manual credential prompts

Usually you only need -Credential if the machine account itself can't fix the trust (rare).

Most cases can be handled with Test-ComputerSecureChannel -Repair alone.

Automating the repair without manual credentials

You can automate this with Scheduled Task + PowerShell on all client machines:

# Repair secure channel if broken if (-not (Test-ComputerSecureChannel)) { Test-ComputerSecureChannel -Repair }

Save this script on all clients.

Schedule it to run daily or weekly using Task Scheduler under SYSTEM account.

This avoids the need to type a username/password.

Important: Use the machine account for repair; avoid embedding domain admin credentials — it's insecure.

An alternative solutions

Rejoin the domain automatically

If a computer consistently loses trust, you can use a script to reset the computer account in AD and rejoin the domain:
Reset-ComputerMachinePassword -Server "DCName.domain.com"

This is safer than using manual credentials and fixes most trust issues.

Check SYSVOL/NETLOGON access

Ensure the computer account can read the GPOs. Permissions can sometimes prevent application even if the secure channel is fine.

Use Group Policy health monitoring

Event Viewer → Applications and Services Logs → Microsoft → Windows → GroupPolicy shows GPO errors.

You can deploy monitoring scripts to alert admins before users notice missing policies.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
SSE@TUE 160 Reputation points

2025-08-25T05:22:08.6266667+00:00

Thank you very much for your excellent description. Could you please help me with my other issue "Sysprep Windows 11 build 24 H2" ? too, if you have time

Share via

Issue with Domain and Client with Domain account

0 additional answers

Your answer