When trying to log on to the domain from a client PC, I recently received the following error message on Windows:
Login failed: Invalid target account name.
What was odd is that this only happened for one specific user account in Active Directory and not for other accounts. When I tried using a different account, I was able to log into the server.
You may also receive this error message in other situations, such as when you enter the UNC path to a share in Windows Explorer. If you receive a login error message, here are some ways to fix the problem.
Method 1 – Reset machine account passwords using Netdom.exe
You can run the Netdom command on a domain controller that is responsible for accepting logon requests from the PC you are having problems with.
First, you need to install Windows Server Support Tools from the CD. After installation, you must stop the Kerberos Key Distribution Center service and set the Startup Type to Manual.
– /
Then restart the server and open a command prompt. You must restart to remove the Kerberos ticket cache. You can also remove this with the KLIST or KerbTray tools.
Finally, enter the following command at a command prompt:
netdom resetpwd / s: server / ud: domain User / pd: *
/ S: server is the name of another domain controller that is running the KDC service. This server will be used to set the password for the computer account.
The other two parameters are just the username and password for the domain administrator account.
Note that this method mainly solves the replication problem between two domain controllers. Replication can sometimes fail because the secret password between domain controllers is not synchronized.
Make sure replication between domain controllers actually works!
Method two – fully qualified domain name
Sometimes, depending on how your DNS is configured on the server, you may need to use the fully qualified domain name (FQDN) of the server, not just the server name.
So if you are trying to access a network share using a UNC path or login script, try using servername.domain.lan and it may work fine.
If that works, you can change your DNS settings so you don’t have to use the FQDN by going to DNS settings under Advanced TCP / IP Settings when you go to Network Card Properties.
Make sure the DNS suffix listed in the Add these DNS suffixes (in order) box is correct.
Third method – delete the old computer account
Another reason you might receive a “Target account name is incorrect” error is if a domain controller was recently migrated from a parent domain to a child domain.
In this scenario, the old computer account for the domain controller may still exist in the child domain. All you have to do is remove the account from the parent domain and you should be fine.
Another way to fix this is to remove the server from the domain and rejoin it to the domain so that the computer account is reset.
These are pretty much all the reasons I have ever seen for this error, so if you still have a login error issue, leave a comment here and I will try to help! Enjoy!
–