How to Reset Secure Channel Remotely Using Script
This topic is a how to. Please keep it as clear and simple as possible. Avoid speculative discussions as well as a deep dive into underlying mechanisms or related technologies.
Paste the following VBScript code into Notepad and save it as getcomplist.vbs. The script will be used to generate a list of computers from Active Directory.
Be sure to replace CN=computers,DC=fabrikam,DC=com with the path that is relevant to your environment.
' List the names of all computer objects under the given container.
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name from 'LDAP://CN=computers,DC=fabrikam,DC=com' " _
    & "Where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
' MoveFirst raises an error on an empty result set, so check EOF first.
If Not objRecordSet.EOF Then objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop
Run the following command to get the output in a text file.
cscript getcomplist.vbs > complist.txt
Edit complist.txt to remove extra lines and spaces.
Create a batch file named remotejoin.bat, which removes the computer from the domain and joins it back using the Netdom tool.
Be sure to update the commands below with information that is relevant to your environment.
net use y: \\<netbiosnameofdc>\share /User:<netbiosnameofthedomain>\<domainadminaccount> <passwordofthedomainadmin>
copy y:\Netdom.exe %windir%\system32
net use y: /delete
netdom remove %computername% /DOMAIN:<netbiosnameofthedomain> /USERD:<netbiosnameofthedomain>\<domainadminaccount> /PASSWORDD:<passwordofthedomainadmin>
netdom join %computername% /DOMAIN:<netbiosnameofthedomain> /USERD:<netbiosnameofthedomain>\<domainadminaccount> /PASSWORDD:<passwordofthedomainadmin> /REBOOT
The first three lines map the Y: drive to the shared folder on a domain controller where Netdom.exe resides, copy Netdom.exe to the client machine, and remove the drive mapping. Netdom is then run to remove the computer from the domain and join it back.
Run remotejoin.bat on the client machines remotely using the Psexec tool.
Create another batch file named initiate.bat which will read the computer names from complist.txt and run remotejoin.bat using Psexec on remote computers.
For /F "delims=; " %%I in (C:\complist.txt) Do PSExec \\%%I -u %%I\Administrator -p <Remote Computer Admin Password> -e -c -f C:\remotejoin.bat
Make sure that you have placed complist.txt, remotejoin.bat and psexec.exe on the C: drive on a domain controller.
Run initiate.bat.
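The step that cleans complist.txt matters because the For /F loop in initiate.bat takes only the first token of each line (split on ";" and space), so a leftover cscript banner line or a name with an embedded space is passed to PsExec as a different computer name. The PowerShell function below is an added example, not part of the original article, that automates that cleanup and rejects anything that is not a plausible computer name. The function name Get-ValidComputerName, the name pattern and the sample lines are assumptions constructed for illustration.

```powershell
# Added example: clean and validate complist.txt before initiate.bat reads it.
# Assumed name pattern: letters, digits and hyphens, 1-15 characters.
# This is deliberately conservative; adjust it if your naming scheme differs.
$NamePattern = '^[A-Za-z0-9-]{1,15}$'

function Get-ValidComputerName {
    param([string[]]$Line)

    $seen = @{}
    foreach ($raw in $Line) {
        $name = "$raw".Trim()
        if ($name -eq '') { continue }                      # blank lines

        # Banner lines that cscript writes when //nologo is not used
        if ($name -like 'Microsoft (R) Windows Script Host*' -or
            $name -like 'Copyright (C) Microsoft*') { continue }

        # Anything with spaces, ';' or other unexpected characters would be
        # split by For /F and sent to PsExec as a different name: reject it.
        if ($name -notmatch $NamePattern) {
            Write-Warning "Rejected line: '$name'"
            continue
        }

        # Drop case-insensitive duplicates so no machine is processed twice
        $key = $name.ToUpperInvariant()
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            $name                                           # emit clean name
        }
    }
}

# Constructed sample resembling raw "cscript getcomplist.vbs" output
$sample = @(
    'Microsoft (R) Windows Script Host Version 5.8',
    'Copyright (C) Microsoft Corporation. All rights reserved.',
    '',
    'WKSTN-001  ',
    'wkstn-001',
    'WKSTN 002',
    'SRV;FILE01',
    'LAPTOP-17'
)
Get-ValidComputerName -Line $sample

# To process the real file in place:
# $clean = Get-ValidComputerName -Line (Get-Content C:\complist.txt)
# $clean | Set-Content C:\complist.txt
```

Review the warnings before running initiate.bat: each rejected line is a computer object whose name needs to be checked by hand.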