Fix 0X000008AB: Security database not found NERR_ACFNotFound
Your computer's account in the domain got corrupted. Drop it and rejoin — takes 10 minutes.
You're trying to log into a domain workstation and get slapped with 0X000008AB — "The security database could not be found." Yeah, that feels like a brick wall. I've seen this exact error on a dozen sites, always on Windows 10 or Server 2016/2019 after a botched domain migration or when someone restored a VM snapshot without resetting the machine account. The fix isn't complicated, but you have to do it right.
The real fix: Ditch and rejoin the domain
Step 1: Log in with local admin credentials. If you don't have that, you're stuck — you'll need to boot into recovery or reset the local admin password first.
Step 2: Open System Properties (right-click This PC → Properties → Advanced system settings, or just run sysdm.cpl).
Step 3: Under the Computer Name tab, click Change. Select Workgroup and type a temporary workgroup name (like WORKGROUP). Click OK and reboot when prompted.
Step 4: After reboot, log back in as local admin. Go back to System Properties → Change, select Domain, and re-enter your domain name. Provide domain admin credentials when asked. Click OK and reboot again.
That's it. The error is gone. I had a client last month whose entire print queue died because of this — same fix, different machine.
Why this works
The 0X000008AB error means the computer's Active Directory account (stored in the registry as HKLM\SECURITY\Policy\Secrets and the local SAM) is out of sync with the domain controller. When you leave the domain, Windows deletes that machine account from the local store. Rejoining creates a fresh one with a new password. The domain controller also updates its side — so both sides agree again. No need to touch the DC or reset the account manually, though you can do that from ADUC if you want to be extra sure.
Less common variations
1. The DC can't be reached at all. If the error pops up with a "network path not found" or "DNS name does not exist" alongside it, check DNS first. Run nslookup yourdomain.com from the affected machine. If it fails, fix the DNS server address in the network adapter settings to point to a domain controller. I've wasted an hour on this once — it wasn't the database, it was a misconfigured DHCP scope handing out 8.8.8.8 as the primary DNS.
2. The error happens during domain join itself, not login. That's a different beast — usually a permission issue. You'll get 0X000008AB plus NERR_ACFNotFound code. Ensure the domain account you're using has rights to join computers (default Domain Users does, but group policy or custom delegation can block it). Also check that the computer account doesn't already exist in AD with a conflicting name — delete it from ADUC if it does.
3. Multiple machines hit at once. This screams a DC problem. Check if the domain controller that holds the PDC emulator role is down or unreachable. Run dcdiag /c on a DC. If the DC's own database is corrupt (unlikely but possible), you'll need to restore from backup or rebuild the DC. Don't rejoin 50 computers until the DC is healthy.
# Quick DNS check from the affected workstation
nslookup yourdomain.com
# Should return the IP of a domain controller
How to prevent this
Three things cause this error most often:
- Restoring a VM from snapshot without resetting the computer account. Always leave the domain before reverting a VM snapshot, or use
netdom resetpwdafter restore to sync the password. - Moving a computer between OUs that have different password policies. Keep the machine password update interval consistent — default is 30 days.
- Letting the machine account password expire. This almost never happens on its own, but if a workstation is offline for more than 30 days and then reconnects to a DC that's strict about passwords, it can fail. Keep machines on the network at least once a month.
If you're managing dozens of workstations, a quick script that runs Test-ComputerSecureChannel on each box weekly will catch this before users see it. Something like:
# PowerShell check for machine account health
if (-not (Test-ComputerSecureChannel -Repair)) {
Write-Warning "$env:COMPUTERNAME needs domain rejoin"
}
That's the whole deal. Leave the domain, rejoin, move on. No registry hacks, no SID manipulation, no blaming the DC. Just 10 minutes of your time and a couple reboots.
Was this solution helpful?