Active Directory employs computer domain accounts in much the same way as it does user accounts. Computer domain accounts specify which systems belong to the domain and identify which AD containers they belong to (i.e. domain, site and organizational units). As an administrator, you can always alter a computer account's container placement. But for the most part, once a computer domain account is created when a new computer joins the domain, AD itself takes on the responsibility of maintaining that account. Each time the computer boots, it authenticates itself to the domain. But occasionally AD will change each computer account's domain password automatically. When problems occur, you will need to reset the computer account.
Resetting the computer account is basically a re-creation of a new computer account and a deletion of the old one. This activity breaks the link between the computer and the domain. This requires that you join the computer to a workgroup, then re-join the domain into the reset computer account. Resetting the computer account can be performed in either of two ways. First, you can use the Active Directory Users and Computers interface by right-clicking over a computer name and selecting Reset from the pop-up menu. Secondly, you can use the command line: dsmod computer <systemname> -reset, where <systemname> is the name of the computer account to reset.
If you fail to leave and re-join the domain after resetting a computer account, the computer will be unable to authenticate to the domain. This also prevents valid domain user accounts from logging in on that computer.
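The reset, leave and re-join sequence described above, as an added example that is not part of the original article. The computer name, domain name and workgroup name are constructed placeholders, and the phase names are this example's own; it assumes Windows PowerShell 5.1 and, for the first phase, the AD DS command-line tools.

```powershell
# Added example: one script, three phases, run in order with a reboot between
# the last two. All names below are constructed placeholders.
param(
    [Parameter(Mandatory)]
    [ValidateSet('ResetAccount', 'LeaveDomain', 'RejoinDomain')]
    [string]$Phase,
    [string]$ComputerName  = 'WS-EXAMPLE01',
    [string]$DomainName    = 'corp.example.test',
    [string]$WorkgroupName = 'WORKGROUP'
)

switch ($Phase) {
    'ResetAccount' {
        # Run where dsquery/dsmod are installed (domain controller or admin host).
        # dsmod computer works on distinguished names, so resolve the name first
        # and refuse to continue unless exactly one account matches.
        $dn = @(dsquery computer -name $ComputerName)
        if ($dn.Count -eq 0) { throw "No computer account named '$ComputerName' found." }
        if ($dn.Count -gt 1) { throw "More than one account matched '$ComputerName'." }

        # dsmod reads the distinguished name from standard input when piped.
        $dn | dsmod computer -reset
        if ($LASTEXITCODE -ne 0) { throw "dsmod exited with code $LASTEXITCODE." }
        Write-Output "Reset $($dn[0]). Now run LeaveDomain on $ComputerName."
    }
    'LeaveDomain' {
        # Run locally on the affected computer with a local administrator
        # session, because domain logons fail once the account has been reset.
        # Moves the machine into a workgroup and reboots it.
        Remove-Computer -UnjoinDomainCredential (Get-Credential) `
            -WorkgroupName $WorkgroupName -Force -Restart
    }
    'RejoinDomain' {
        # Run locally after the reboot. Joining under the same computer name
        # attaches the machine to the reset account; the credential must be
        # allowed to join computers to the domain.
        Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart
    }
}
```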
James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.