I was attending the SCUG Sweden meeting at Microsoft offices in Stockholm on the 8-9 of October. During the second day, one of the session was a copy of the Community Session from MMS 2018. This session is the attendee’s way to show each other’s tools they use in their daily work.

One of my demos was a script that repairs a trust relationship between a workstation and the primary domain.

This is based on the command Test-ComputerSecureChannel.

First up I created a Configuration Item that check if the relation is broken. The Discovery script is simple

On the compliance rule check for value True.

So now we can check if the computer has a broken trust to the domain. You can either have a remediation script or a ConfigMgr script to fix the issue.

The script looks like this:

if (!(Test-ComputerSecureChannel)) {
$Secret = 'UABAAHMAcwB3AG8AcgBkAA=='
$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Secret))
$password = convertto-securestring -String $DecodedText -AsPlainText -Force
$ADRepairCred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
Test-ComputerSecureChannel -Repair -Credential $ADRepairCred

I know it’s not a secure way to store the password in the script, but it feels better than writing it in plain text.

To create the $Secret use this code:

$Text = 'P@ssword'
$Secret = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Text))

It’s very important to only give account the rights it needs. To delegate the rights in Active Directory run this command after changing the OU and User:

dsacls.exe "OU=Radeck Computers,OU=Radeck,DC=demo,DC=radeck,DC=se" /G RADECK-DEMO\COMPUTER_PWDRESET":CA;Reset Password;Computer" /I:S

You should end up with something like this:

To up the security some more you can create a GPO that doesn’t allow that user to logon locally

I made a movie where I repair the trust with ConfigMgr Script:

You can find the script on my github:

And here you can download the CI:

So if you want to test this, just reset the computer account in the Active Directory

I want to end this blog by thanking the team behind scconfigmgr.com for the possibility to blog on this fine blog.

Have a greate day


I’m a Technical Architect with Knowledge Factory. My primary focus is ConfigMgr and has been that way since it was named SMS, but I also spend a lot of time working with other related client management tools such as Active Directory, Group Policy, and more.

There are no comments.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.