I'm trying to create a script that unjoins (adds to workgroup) and then rejoins to the domain for people that work via VPN but have a deleted computer account in AD.

This will add the machine to a workgroup (batch, yes I am aware there is Remove-Computer but that gives me some issues):

start /B /W wmic.exe /interactive:off ComputerSystem Where "Name='%computername%'" Call UnJoinDomainOrWorkgroup FUnjoinOptions=0

And this will create the computer account and join to the domain (PowerShell).

Add-Computer -DomainName "MyDom" -OUPath "OU=My,OU=OU,DC=My,DC=Dom" -Force

However, when you reboot after rejoining, it appears that the previously interactive logon cached credentials are not valid anymore. Upon further inspection, the HKEY_LOCAL_MACHINE\SECURITY\Cache is empty. I tried taking a backup and after the join placing these back but that did not seem to work. It gives me the following error when logging in.

We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.

Is there a way to backup cached interactive logon credentials or prevent the clearing from happening?


I was able to fix this by leveraging Test-ComputerSecureChannel -Repair. It does seem to rejoin as well.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

Note: The user that performs the repair must have "join to" permissions set on the object.
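As an added example (not code from either post above), this PowerShell script puts the answer's approach into a repeatable form: it first tests the machine's secure channel to the domain, repairs it in place with Test-ComputerSecureChannel -Repair when it is broken, and only falls back to the question's unjoin/rejoin path if the repair fails. The domain name "MyDom" and OU path are the placeholders from the question; the credential prompt assumes an account that holds the "join to" right on the computer object, and a reachable domain controller over the VPN is assumed throughout.

```powershell
# Added example: repair the domain secure channel instead of unjoining/rejoining,
# so the cached interactive logon credentials (HKLM\SECURITY\Cache) are left intact.
# Assumed values: domain "MyDom" and OU path taken from the question as placeholders.
param(
    [string]$Domain = "MyDom",
    [string]$OUPath = "OU=My,OU=OU,DC=My,DC=Dom"
)

# Account with "join to" permission on the computer object (assumption: the caller supplies one).
$cred = Get-Credential -Message "Account with join rights on $env:COMPUTERNAME in $Domain"

# Step 1: is the secure channel to the domain healthy? A deleted/reset computer
# account shows up here as $false (and Windows logs event 5719/5722-style failures).
$healthy = Test-ComputerSecureChannel -Server $Domain -Verbose
Write-Host "Secure channel to $Domain healthy: $healthy"

if (-not $healthy) {
    # Step 2: repair in place. This resets the computer account password and
    # re-establishes the trust without removing the machine from the domain,
    # which is why the cached credentials survive and the user can still log on.
    $repaired = Test-ComputerSecureChannel -Repair -Server $Domain -Credential $cred -Verbose
    Write-Host "Repair result: $repaired"

    if (-not $repaired) {
        # Step 3 (fallback): the repair needs an existing computer object. If it
        # was deleted outright, fall back to the question's unjoin/rejoin sequence.
        Write-Warning "Repair failed; falling back to unjoin/rejoin (cached logons will be cleared)."
        Remove-Computer -WorkgroupName "WORKGROUP" -Credential $cred -Force -PassThru
        Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred -Force
    }

    # A reboot is required for either path to take full effect.
    Write-Host "Rebooting to apply the change..."
    Restart-Computer -Force
}
```

Run this from an elevated PowerShell session on the affected machine while the VPN is up; the verbose output of Test-ComputerSecureChannel shows which domain controller was contacted, which is the first thing to check when the repair reports $false.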