I attended the SCUG Sweden meeting at the Microsoft offices in Stockholm on 8 and 9 October. On the second day, one of the sessions was a copy of the Community Session from MMS 2018, in which attendees show each other the tools they use in their daily work.

One of my demos was a script that repairs a trust relationship between a workstation and the primary domain.

This is based on the command Test-ComputerSecureChannel.

First, I created a Configuration Item that checks whether the trust relationship is broken. The discovery script is simple.

In the compliance rule, check for the value True.

So now we can detect whether the computer's trust with the domain is broken. To fix the issue, you can use either a remediation script in the CI or a ConfigMgr script.
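As an added example (not the author's discovery script, which the original post shows only as a screenshot), here is a discovery script for the CI that always outputs exactly one of the strings True or False, so the compliance rule "equals True" has a consistent value to compare against. It also catches errors from Test-ComputerSecureChannel, which can throw instead of returning False (for example when the underlying Netlogon call fails or the machine is not domain-joined), and logs them for troubleshooting. The log path is an assumption.

```powershell
# Added example discovery script for the CI (not the author's script).
# Outputs exactly one string: "True" (trust OK) or "False" (broken or untestable),
# so the compliance rule "value equals True" always gets something consistent.
$LogPath = Join-Path $env:ProgramData 'TrustCheck-Discovery.log'   # assumed log location

function Write-TrustLog {
    param([string]$Message)
    # Best-effort troubleshooting log; a logging failure must never break discovery
    try {
        Add-Content -Path $LogPath -Value ('{0} {1}' -f (Get-Date -Format 's'), $Message) -ErrorAction Stop
    } catch { }
}

try {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
    if (-not $cs.PartOfDomain) {
        # A workgroup machine has no secure channel to test and nothing to repair
        Write-TrustLog 'Not domain-joined, reporting True (nothing to remediate)'
        Write-Output 'True'
        return
    }

    # Test-ComputerSecureChannel returns $false for a broken trust. -ErrorAction Stop turns
    # any failure of the Netlogon call itself into an exception, handled in the catch below.
    $ok = Test-ComputerSecureChannel -ErrorAction Stop
    if ($ok) {
        Write-Output 'True'
    } else {
        Write-TrustLog ('Secure channel to {0} is broken' -f $cs.Domain)
        Write-Output 'False'
    }
} catch {
    # Reported as non-compliant so the remediation (which re-tests before repairing) gets to run
    Write-TrustLog ('Test failed: {0}' -f $_.Exception.Message)
    Write-Output 'False'
}
```

Keep the compliance rule on the string value True; because the script never writes anything else to the output stream (errors go to the log), an evaluation can no longer come back with an empty or unexpected value.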

The script looks like this:

# Only act when the secure channel to the domain is broken
if (!(Test-ComputerSecureChannel)) {
    # Base64 of the UTF-16LE bytes of the delegated account's password (see below for how it is created)
    $Secret = 'UABAAHMAcwB3AG8AcgBkAA=='
    $DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Secret))
    $Username = 'RADECK-DEMO\COMPUTER_PWDRESET'
    $Password = ConvertTo-SecureString -String $DecodedText -AsPlainText -Force
    $ADRepairCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $Password
    # Reset the computer account password in AD and locally, authenticating with the delegated account
    Test-ComputerSecureChannel -Repair -Credential $ADRepairCred
}

I know that storing the password in the script like this is not secure (Base64 is encoding, not encryption, so anyone who can read the script can recover the password), but it feels better than writing it in plain text.
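As an added example (not the author's script), here is the same repair with the error handling a practitioner wants when the script runs unattended from a CI or a ConfigMgr script: it re-tests before repairing, verifies that the repair actually restored the secure channel, logs what happened, and returns a non-zero exit code so a failed repair is visible instead of being reported as success. The password handling is deliberately the same as in the post; the log path and the placeholder secret are assumptions.

```powershell
# Added example remediation script (not the author's script): the same repair as in the
# post, with the error handling needed when it runs unattended from a CI or ConfigMgr script.
$LogPath  = Join-Path $env:ProgramData 'TrustCheck-Remediation.log'   # assumed log location
$Username = 'RADECK-DEMO\COMPUTER_PWDRESET'
$Secret   = '<Base64 secret created with the snippet below>'           # placeholder

function Write-TrustLog {
    param([string]$Message)
    # Best-effort troubleshooting log; a logging failure must never abort the repair
    try { Add-Content -Path $LogPath -Value ('{0} {1}' -f (Get-Date -Format 's'), $Message) -ErrorAction Stop } catch { }
}

# 1. Re-test: the discovery result may be stale by the time remediation runs
$healthy = $false
try {
    $healthy = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
} catch {
    Write-TrustLog ('Pre-check threw, attempting repair anyway: {0}' -f $_.Exception.Message)
}
if ($healthy) {
    Write-TrustLog 'Secure channel is healthy, nothing to repair'
    exit 0
}

# 2. Repair with the delegated account. Base64 is encoding, not encryption: anyone who can
#    read this script recovers the password, which is why that account must hold nothing but
#    the Reset Password right on computer objects (see the dsacls delegation below).
try {
    $plain    = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Secret))
    $password = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $cred     = New-Object System.Management.Automation.PSCredential ($Username, $password)

    Write-TrustLog 'Secure channel broken, attempting repair'
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred -ErrorAction Stop

    # 3. Verify instead of trusting the return value, then report the outcome via the exit code
    if ($repaired -and (Test-ComputerSecureChannel -ErrorAction SilentlyContinue)) {
        Write-TrustLog 'Repair succeeded, secure channel verified'
        exit 0
    }
    Write-TrustLog 'Repair command completed but the secure channel is still broken'
    exit 1
} catch {
    # Wrong password, no reachable domain controller or missing delegation all surface here
    Write-TrustLog ('Repair failed: {0}' -f $_.Exception.Message)
    exit 1
}
```

The pre-check deliberately falls through to the repair when the test itself throws: on a domain-joined machine that is exactly the situation the remediation exists for, and if the repair cannot be done either, the reason ends up in the log and in the exit code.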

To create $Secret, use this code:

# Base64-encode the UTF-16LE bytes of the password; the repair script reverses this with Unicode.GetString
$Text = '<PlainTextPassword>'   # the password of the delegated account
$Secret = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Text))
$Secret

It is very important to give the account only the rights it needs. To delegate the rights in Active Directory, run this command after changing the OU and user (/G grants the Reset Password control access right on Computer objects, and /I:S applies it to sub-objects of the OU only):

dsacls.exe "OU=Radeck Computers,OU=Radeck,DC=demo,DC=radeck,DC=se" /G "RADECK-DEMO\COMPUTER_PWDRESET:CA;Reset Password;Computer" /I:S

You should end up with something like this:
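The same result can be verified from PowerShell. As an added check (not part of the original post), this snippet reads the OU's ACL and lists every ACE granted to the delegated account, flagging anything beyond the single inherited Reset Password right on computer objects. The OU and account names are the post's; the snippet assumes the ActiveDirectory module is installed (it provides the AD: drive used by Get-Acl).

```powershell
# Added example (not from the original post): verify that the delegated account holds
# exactly the right granted by the dsacls command above and nothing more.
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl

$OU      = 'OU=Radeck Computers,OU=Radeck,DC=demo,DC=radeck,DC=se'
$Account = 'RADECK-DEMO\COMPUTER_PWDRESET'

# Well-known schema GUIDs: the "Reset Password" control access right and the computer object class
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ComputerClass      = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-DelegatedAces {
    param([string]$DistinguishedName, [string]$Identity)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

function Test-ResetPasswordOnlyAce {
    # True when the ACE is exactly: Allow, ExtendedRight, Reset Password, on descendant computer objects
    param($Ace)
    $Ace.AccessControlType -eq 'Allow' -and
    $Ace.ActiveDirectoryRights -eq 'ExtendedRight' -and
    $Ace.ObjectType -eq $ResetPasswordRight -and
    $Ace.InheritedObjectType -eq $ComputerClass -and
    $Ace.InheritanceType -eq 'Descendents'          # what dsacls /I:S (sub-objects only) produces
}

$aces = @(Get-DelegatedAces -DistinguishedName $OU -Identity $Account)
if ($aces.Count -eq 0) {
    Write-Warning "No ACE for $Account on $OU - the dsacls delegation did not apply"
}
foreach ($ace in $aces) {
    if (Test-ResetPasswordOnlyAce $ace) {
        Write-Output "OK   : $Account may reset passwords of computer objects under $OU"
    } else {
        # Any other ACE widens what a recovered password can do and should be removed
        Write-Output ('EXTRA: {0} {1} ObjectType={2} InheritedObjectType={3} Inheritance={4}' -f
            $ace.AccessControlType, $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.InheritedObjectType, $ace.InheritanceType)
    }
}
```

Run it after the dsacls command and again whenever the OU's permissions are touched; a single OK line and no EXTRA lines is the expected output.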

To tighten security further, you can create a GPO that denies that user the right to log on locally.

I made a movie where I repair the trust with a ConfigMgr script:

You can find the script on my github:
https://github.com/JRadeck/Radeck-Public/tree/master/ConfigMgr-Stuff

And here you can download the CI:
https://1drv.ms/u/s!AhuAzOv7Sur5g_ASI0m_uf5-W8wt2w

So if you want to test this, just reset the computer account in Active Directory.

I want to end this blog by thanking the team behind scconfigmgr.com for the possibility to blog on this fine blog.

Have a great day
/Johnny


comments
  • snowdins
    Posted at 12:16 November 7, 2018

    I'm not sure how I feel about this.

  • Cherif BENAMMAR
    Posted at 12:27 November 9, 2018

    The check script does not seem to return a consistent value.

  • Manish
    Posted at 06:17 November 19, 2018

    There is an error on a few PCs, like “Incorrect Function”; the Error Category is Discovery.

    event id 0x80070001.

    test-computersecurechannel setting 0x80070001 incorrect function discovery

  • Kristian B Theissen
    Posted at 17:22 February 1, 2019

    I get “Enforcement Error – Error Code 0xffffffff” from the compliance report.

  • Alex
    Posted at 00:08 March 9, 2019

    Sorry, for somebody it could be a silly question, but I am a newcomer)

    Can anybody explain how it’s working?

    When it evaluates this CI and it is not compliant, the computer somehow needs to access SCCM to retrieve this script for remediation, but how can it if the secure channel based on Kerberos is broken? Or is the script stored locally within the CI/CB?

  • Fabrice
    Posted at 11:27 March 29, 2019

    Hello,
    I find the article very good.

    On the other hand, I cannot make it work; I am stuck at the dsacls.exe command.
    I do not understand how to do it?
    I don’t the window “permission entry”

    I am trying to prevent and correct the trust relationship before the problem occurs, or to make scripts to correct when the user calls.

    But when I run the script via SCCM, the test always returns True, even when the PC has no relation.

    Thank you
