6

For testing purposes I am trying to purposefully break trust relationships with the Windows Domain. What is the quickest way to kill it off? "Unfortunately", broken trust relationships don't regularly occur with my set up so I'd like a way to artificially break one.

If possible, I'd like to be able to trigger this from both the server and client side.

Using Windows Server 2016 Core and Windows 7/8.1 clients.

Pylsa

4 Answers

9

Right click the computer object in Active Directory Users and Computers... select Reset Account. This will break the trust between the computer account and the domain.

You can use Powershell, netdom, or nltest to recreate/fix the trust.

joeqwerty
    This is actually one of the first things I tried but the workstation just booted and logged on fine... – Pylsa Apr 24 '17 at 12:28
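The answer above mentions that PowerShell can recreate the trust once it is broken. The following script is an added example, not code from the thread or from any of its posters: it checks the workstation's secure channel with Test-ComputerSecureChannel, reports when Active Directory last saw the machine account password change (the tell-tale of the reset method), and repairs only when asked, so the broken state can be kept around for testing. It assumes it is run elevated on the domain-joined client and that the optional PasswordLastSet check has the ActiveDirectory module available.

```powershell
# Added example (not from the thread): inspect and optionally repair a
# workstation's domain trust after a deliberate computer-account reset.
# Assumptions: run elevated on the domain-joined client; the ActiveDirectory
# RSAT module is only needed for the optional PasswordLastSet lookup.
param(
    [switch]$Repair,             # repair only when explicitly requested
    [pscredential]$Credential    # domain account allowed to reset this computer object
)

# Step 1: is the secure channel between this machine and a DC still valid?
# This is what fails after "Reset Account" or a mismatched machine password.
$healthy = Test-ComputerSecureChannel
$state = if ($healthy) { 'OK' } else { 'BROKEN' }
Write-Output ("{0}: secure channel to {1} is {2}" -f $env:COMPUTERNAME, $env:USERDNSDOMAIN, $state)

# Step 2 (optional): when did AD last record a machine-password change?
# A PasswordLastSet newer than the client's last known change (e.g. newer than
# the snapshot you restored) explains a broken channel without guessing.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
        Write-Output ("Machine account password last set in AD: {0}" -f $acct.PasswordLastSet)
    } catch {
        Write-Warning "Could not query AD for the computer object: $($_.Exception.Message)"
    }
}

# Step 3: repair on request. -Repair resets the machine account password on
# both sides; it needs an account permitted to reset the computer object.
if (-not $healthy -and $Repair) {
    if (-not $Credential) {
        $Credential = Get-Credential -Message "Account permitted to reset $env:COMPUTERNAME"
    }
    Test-ComputerSecureChannel -Repair -Credential $Credential | Out-Null
    $healthy = Test-ComputerSecureChannel
    $state = if ($healthy) { 'OK' } else { 'still broken' }
    Write-Output ("After repair: {0}" -f $state)
}
```

Run it with no switches to confirm that your break actually took effect, then with -Repair to put the machine back without rejoining it.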
6
  • Take snapshot of workstation.
  • Initiate a machine account password change (netdom resetpwd). Do it twice for good measure.
  • Restore the workstation from the snapshot.
  • Password stored on workstation no longer matches what's stored in Active Directory. Domain relationship busted.
Ryan Ries
0

I was able to do this in PowerShell:

On the client machine:

# Disable Network Level Authentication for RDP so a logon over RDP still works after the trust is broken
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'UserAuthentication' -Type DWord -Value 0

On the DC:

# Disable Network Level Authentication for RDP on the DC as well
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'UserAuthentication' -Type DWord -Value 0
# Look up the client's computer object (requires the ActiveDirectory module) and reset it;
# the reset invalidates the machine account password the client still holds
$dn = $(Get-ADComputer 'NAME-OF-CLIENT-SERVER').distinguishedName
dsmod computer $dn -reset
-2

Create a System Restore Point from System Properties, do the password reset as explained, then revert to the SRP (Start-Run: rstrui).