How can I check if my Windows 10 or 11 PC is properly joined to a Domain Controller?


Frank15

I noticed that,

1. Even if my Windows Server 2019 domain controller is turned off, I can log into the domain, and the whoami command shows: domainName/computerName


2. Even if I’m logged in with a local account, the advanced System Properties applet shows that I’m logged into a domain (I wonder why):
[Attached screenshot: 1714506906704.png]

How can I check that I’m logged in and properly connected to a domain controller?

Any insights much appreciated
 

> the advanced System Properties applet shows that I’m logged into a domain

This isn't what it's showing. It is saying your machine is joined to a domain; it has nothing to do with the user's logged-in status.

A local account can be logged into the domain as long as that user is in AD. So can a Microsoft account.

Don't confuse the local and Microsoft accounts with an AD account.

It really depends if you are using Active Directory or Azure.

> Even if my Windows Server 2019 domain controller is turned off,

That is because the account is cached. When a PC cannot see the domain, it will let you log in with the last password and account info that was cached on the machine. If you were to delete that account from the PC and try to sign in with the account on the PC with the domain controller unavailable, it will fail.

> How can I check that I’m logged in and properly connected to a domain controller?

At the logon screen, it will by default log into the domain once joined. You can see this by clicking on "Other user" in the bottom left at the logon screen, and see it will say "Sign in to: yourdomainnamehere", for example. If you wanted to sign into the computer only, you can see an example by clicking on "How do I sign in to another domain?" and you will see the text showing how to type in your computer name\local user name to sign in to the machine without the domain. But again, you can only do this with a cached profile.

Also if the account is not logged into the domain, you will not be able to access network resources, such as mapped network drives or printers.
 
Thanks a lot for the insights. But, how can I know that I'm properly connected to the domain controller? I mean: if the domain controller is offline or the DNS settings on the Windows 10 client aren't pointing to the right name server for the domain, I can still log in like you said. Is there any command, or anything I can check in the graphical user interface, to make sure that I’m properly logged in and connected to the DC?
 

If you can ping the controller, it's likely you are authenticating when you sign in; if you cannot, you are using cached creds.
 

It seems like I found a way:

To know that I'm properly connected and logged into a domain controller: use these two commands
- whoami: it should return domainname\username
- gpupdate /force: if it completes successfully, you know you're properly joined and logged in to the domain controller
 

The easiest way to know is if you have access to network resources, you're on the domain. If you do not, then you aren't.

However, there is this:


> It seems like I found a way:
> To know that I'm properly connected and logged into a domain controller: use these two commands
> - whoami: it should show domainname\username
> - gpupdate /force: if it completes successfully, you know you're properly joined and logged in to the domain controller

gp update force. Haha, that is a clever way. Didn't consider that. However, gpupdate force can fail even if you're connected to the domain properly. For example, if there is an issue in the record for group policy. It isn't super common for that to happen, but it is possible.

As for whoami, if I disconnect the Ethernet and I am not connected, it will still show the domain listed there.
 
Thanks for the answer. This one seems to be good:

Test-ComputerSecureChannel -Server rts-dc1.rtsnetworking.com

And not:
Test-ComputerSecureChannel #this one gave TRUE even if the DC was disconnected
 
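The checks discussed in this thread (join state, DNS pointing at the right name server, reachability of the DC, and the secure channel pinned to one DC) combined into one script. This is an added example, not part of any post above; `Test-DomainLink` is a hypothetical helper name, the DC name in the last line is the one quoted in the final post, and an elevated Windows PowerShell 5.1 session on the client is assumed.

```powershell
# Added example. Test-DomainLink is a hypothetical helper, not a built-in cmdlet.
# Assumes Windows PowerShell 5.1, run elevated on the domain-joined client.
function Test-DomainLink {
    param(
        # Optional: a specific DC to test. If omitted, one is located through DNS.
        [string]$Server
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result = [ordered]@{
        Joined        = [bool]$cs.PartOfDomain  # local join state only; true even when offline
        Domain        = $cs.Domain
        TestedDc      = $null                   # DC the remaining checks were run against
        LdapReachable = $false                  # TCP 389 on that DC answers
        SecureChannel = $false                  # machine account trust verified with that DC
    }
    if (-not $cs.PartOfDomain) { return [pscustomobject]$result }

    if (-not $Server) {
        # DC locator SRV record. This lookup fails when the client's DNS
        # settings do not point at a name server for the domain.
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($cs.Domain)" -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -First 1
        if ($srv) { $Server = $srv.NameTarget }
    }
    $result.TestedDc = $Server
    if (-not $Server) { return [pscustomobject]$result }

    # Network-level check: can the client open an LDAP connection to the DC?
    $tcp = Test-NetConnection -ComputerName $Server -Port 389 -WarningAction SilentlyContinue
    $result.LdapReachable = [bool]$tcp.TcpTestSucceeded

    try {
        # -Server pins the test to one named DC, as in the last post of the thread.
        $result.SecureChannel = [bool](Test-ComputerSecureChannel -Server $Server -ErrorAction Stop)
    } catch {
        $result.SecureChannel = $false   # unreachable DC or broken trust
    }
    [pscustomobject]$result
}

# DC name taken from the thread; replace with your own DC's FQDN.
Test-DomainLink -Server 'rts-dc1.rtsnetworking.com'
```

A result with `Joined` true but `TestedDc` empty points at DNS, while `LdapReachable` true with `SecureChannel` false points at the machine account trust rather than the network.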
