
I applied the 22H2 Windows 11 update last week which fried my entire domain user profile on my laptop. I attempted to change my domain from my workplace domain name to the local WORKGROUP and then changed it back and that ceased my access into my user account. Since then, I've resolved the issue and have gained access back into my user account, however my machine can no longer find the domain.

I was doing some digging around my computer's settings and noticed the following:

  • In regedit (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList) my domain user profile exists.
  • In User Accounts my username and domain name are correctly listed
  • In Computer Management -> Local Users and Groups -> Users my profile does not exist.

I've been doing some googling and have tried to update the group policy with gpupdate /force however that returns the following:

Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

I then tried to run: GPRESULT /H GPReport.html which returned with:

INFO: The user does not have RSoP data.

I then tried to generate RSoP data in Console Root -> Resultant Set of Policy which does not display my domain user and instead shows my local accounts.

Now in order for me to log into my domain account, I have to disconnect my internet, type my password, and then it will successfully log in.

At this point I am not really sure what to do and I'm not a pro at debugging windows AD issues.

Also, speaking of AD - I have accessed our AD and tried renaming my computer, assigning different IPs and disabling and re-enabling my user account, which solved nothing.

Screenshot of what I mean when I say my domain user exists in User Accounts but not in Local Users and Groups.

Green = domain account

Red = local account


1 Answer


My domain user profile is not listed in Local Users and Groups

Yes, that's normal. A domain user is in fact not a local user.

The only time you'd see a domain account in "Local Users and Groups" is in the group members list (in the green screenshot you're a member of the local Administrators group), but it is never imported whole into the local SAM database.

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:

This sounds like DNS entries for the computer are missing. Normally Windows registers them in the AD-managed DNS zone (via ipconfig /registerdns), but that's only useful if your domain search suffix matches the AD suffix. It's fine if a different suffix is deployed via DHCP, but the system-wide domain suffix (configured in sysdm.cpl) should still match the AD domain. Test using nslookup %ComputerName% (both with the domain appended and without).

It could also be that the machine is unable to log in to its AD "computer" account. Run klist tickets -li 0x3e7 and make sure the system account is successfully getting tickets (krbtgt, ldap, cifs) as that's needed to retrieve GPO information from AD.

(Try also nltest /sc_verify or Test-ComputerSecureChannel to test the legacy Netlogon "Secure channel", which is also based on the computer account password.)

With sufficient AD rights, Reset-ComputerMachinePassword -Credential (Get-Credential) can set a new computer account password on the machine without having to fully unjoin/rejoin it.

Finally, if you're working from home, it could be that some of the necessary AD DC ports are firewalled away, or that the AD DNS zone is not available from outside (need a VPN in both cases).

  • thank you! This helped me figure out that my domain was listed as two separate entries. Fixing that resolved my issue.
    – jabroni
    Commented Nov 18, 2022 at 14:13
  • However, this also makes me wonder why the other reference to my domain wasn't working. The one that it should be is DOMAIN, whereas the one that works is domain.local. On the AD server the domain name is DOMAIN.LOCAL and the Domain NetBIOS Name is DOMAIN
    – jabroni
    Commented Nov 18, 2022 at 14:15
  • A bare DOMAIN is a "Windows NT domain" name that comes from the NetBIOS-based domain system which existed before AD. Every AD domain still has a corresponding NetBIOS / NT domain name (which can have completely different spelling from the AD DNS domain name), but when joining a machine to the domain you should always use the DNS name, i.e. domain.local – support for NT-style domain joins has been gone for a few years now, so it's normal that joining a machine to DOMAIN will not work. (Once the machine is joined, though, console logins can still use DOMAIN\user.) Commented Nov 18, 2022 at 14:29
  • As for DOMAIN.LOCAL, if it's shown in klist then it is actually the Kerberos realm name, which is case-sensitive and traditionally the uppercase version of the corresponding DNS domain. So your AD domain really has three names – DNS, Kerberos, and NT, and the same AD account name can be written as user@domain.local in AD UPN format, user@DOMAIN.LOCAL in Kerberos principal format, and DOMAIN\user in NT format. Commented Nov 18, 2022 at 14:33
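The checks the answer walks through (DNS suffix vs. joined domain, name resolution for the computer, the Netlogon secure channel, the SYSTEM session's Kerberos tickets) and the three domain names from the comments, gathered into one diagnostic script. This is an added example, not code from the answer or the comments; it assumes an elevated PowerShell session on the domain-joined client, since reading the SYSTEM logon session (LUID 0x3e7) requires admin rights.

```powershell
# Added diagnostic script, not part of the answer above: walks the checks the answer
# suggests and reports which one fails. Assumes an elevated PowerShell session on the
# domain-joined client (klist -li 0x3e7 needs admin rights to read the SYSTEM session).
$ErrorActionPreference = 'Continue'

# 1. Does the system-wide DNS suffix (sysdm.cpl) match the domain the machine is joined to?
$joinedDomain  = (Get-CimInstance Win32_ComputerSystem).Domain                    # e.g. domain.local
$primarySuffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').'NV Domain'
Write-Host "Joined domain (DNS): $joinedDomain"
Write-Host "Primary DNS suffix:  $primarySuffix"
if ($primarySuffix -ne $joinedDomain) {
    Write-Warning 'Primary DNS suffix differs from the AD domain; ipconfig /registerdns will target the wrong zone.'
}

# 2. Name resolution for the computer, short name and FQDN (Resolve-DnsName stands in for nslookup).
foreach ($name in @($env:COMPUTERNAME, "$env:COMPUTERNAME.$joinedDomain")) {
    try {
        $r = Resolve-DnsName -Name $name -Type A -ErrorAction Stop
        Write-Host "DNS OK:   $name -> $($r.IPAddress -join ', ')"
    } catch {
        Write-Warning "DNS FAIL: $name ($($_.Exception.Message))"
    }
}

# 3. Netlogon secure channel, i.e. is the computer account password still valid on a DC?
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel: OK'
} else {
    Write-Warning 'Secure channel: BROKEN. With AD rights: Reset-ComputerMachinePassword -Credential (Get-Credential)'
}

# 4. Kerberos tickets in the SYSTEM logon session; GPO retrieval needs krbtgt, ldap and cifs.
$tickets = & klist.exe tickets -li 0x3e7 2>&1
foreach ($svc in 'krbtgt', 'ldap', 'cifs') {
    if ($tickets -match "Server:\s+$svc/") { Write-Host "Ticket OK: $svc" }
    else { Write-Warning "No $svc ticket for the computer account" }
}

# 5. The three names of one AD domain (NT, DNS, Kerberos realm) behind the DOMAIN vs
#    domain.local confusion; the realm is read from the "Client: host$ @ REALM" line of klist.
$clientLine = $tickets | Select-String -Pattern 'Client:\s*\S+\s*@\s*(\S+)' | Select-Object -First 1
$realm = if ($clientLine) { $clientLine.Matches[0].Groups[1].Value } else { '(no tickets)' }
Write-Host "NetBIOS (NT) name: $env:USERDOMAIN"
Write-Host "DNS name:          $joinedDomain"
Write-Host "Kerberos realm:    $realm"
```

A mismatch in step 1 or a failure in step 2 points at the DNS suffix/registration problem the answer describes; a broken secure channel or missing tickets points at the computer account itself.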
