I have one computer on my domain that has suddenly stopped receiving software updates via group policy. Domain logins still work, and group policy on the machine is still being updated, so it knows that there are new packages to install and where to look for them, but every time it tries to install a package, it throws a 1622 error (location not found).

Logged in users can reach the same network shares, and every other computer on the network is installing the packages. Further investigation found that other services running as "System" on the problematic computer are also unable to authenticate to network shares.

How do I diagnose/fix this computer's account in Active Directory? The computer account exists, and is a member of "Domain Computers" - or is there something else I should be looking at?

The question is: How does one fix a broken machine account in AD without reimaging?

Nathan V
Terence Johnson
  • First step would be to run `gpupdate /force` on the box and check the `eventlog` to see which error turns up. – Ansgar Wiechers Sep 15 '12 at 10:41
  • It prompts for a restart, and then gives the 1622 error for each package it tries to install when the system comes back up. – Terence Johnson Sep 15 '12 at 12:00
  • Is the computer able to access the location the policy points it to? Do you see errors/warnings in the eventlog? – Ansgar Wiechers Sep 15 '12 at 13:34
  • Yes, the 1622 errors are logged in the event log. The COMPUTER$ account seems not to be able to access those locations, even though it is a domain member and every other domain member computer can access them (and so could this one until about a week ago... and the users don't have admin rights, so in theory can't break things. So much for that theory...) – Terence Johnson Sep 18 '12 at 02:19
  • What result do you get when you try to manually access that location? Is the Windows Firewall enabled on either the client or the server? – Ansgar Wiechers Sep 18 '12 at 10:28
  • The question is how does one fix a broken machine account in AD without reimaging. The group policy and share setup is known not to be the problem. – Terence Johnson Sep 18 '12 at 16:26
  • The easiest way is: remove the machine from the domain, delete the machine account, then add the machine to the domain again. – Ansgar Wiechers Sep 18 '12 at 17:40

1 Answer

How do I diagnose/fix this computer's account in Active Directory?

You could try an account reset but I haven't had much success with it.

Rather than spend hours trying to diagnose the issue, the thing to try is to log in as a local administrator, disjoin from the domain, reboot, and rejoin the domain. This should not only fix the account but should also correct any broken associations to the domain, and it would force a group policy refresh as well.

If that doesn't do it then I'd suggest posting the actual event log entry for the 1622 so we're able to see what it's looking for and failing to find.

Nathan V
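
One way to check and reset the computer account's secure channel before resorting to a disjoin and rejoin, given as an added example that is not part of the original question or answer. It assumes Windows PowerShell 3.0 or later, run elevated on the affected computer as a local administrator, and a domain account that is allowed to reset the computer account's password.

```powershell
# Added example (not from the original thread): diagnose and repair the
# secure channel between this computer and its domain.
# Assumption: run elevated on the affected machine in Windows PowerShell 3.0+.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$env:COMPUTERNAME is not joined to a domain." }
$domain = $cs.Domain

# 1. Does the locally stored machine password still match the one in AD?
#    A mismatch explains why SYSTEM (which authenticates as COMPUTER$) is
#    refused by shares while interactive users are not.
$channelOk = Test-ComputerSecureChannel -Verbose

# nltest performs the same check and also shows the DC and status code.
nltest /sc_verify:$domain

# 2. Kerberos fails if the clock is too far from the DC's, so rule that out.
w32tm /query /status

# 3. Recent Netlogon events on this machine usually name the failure.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap

if (-not $channelOk) {
    # 4. Reset the machine password in place, without leaving the domain.
    $cred = Get-Credential -Message "Domain account allowed to reset $env:COMPUTERNAME`$"
    if (-not (Test-ComputerSecureChannel -Repair -Credential $cred)) {
        # Fallback: force a new machine password directly.
        Reset-ComputerMachinePassword -Credential $cred
    }

    # Drop cached Kerberos tickets of the LocalSystem logon session (0x3e7)
    # so services stop presenting tickets issued for the old password.
    klist -li 0x3e7 purge

    $channelOk = Test-ComputerSecureChannel
}

"Secure channel to $domain healthy: $channelOk"
```

If the final check reports a healthy channel, reboot so that software installation is retried under the computer account; if it does not, the disjoin and rejoin described in the answer is the next step.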