Managing Computer Accounts
Computer accounts are managed and configured using Active Directory Users And Computers. By default, computer accounts are stored in the Computers container and domain controller accounts are stored in the Domain Controllers container. Computer accounts can also be stored in other containers, such as the OUs you've created. Computers may be joined and removed from a domain using Computer Management or the System tool in Control Panel.
Creating a Computer Account in Active Directory
When you create a new computer account in your domain, you must be a member of the Account Operators, Domain Admins, or Enterprise Admins group in Active Directory. To create a new computer account, start Active Directory Users And Computers. Rightclick the container in which you want to create the new computer account, point to New, and then select Computer. This starts the New Object-Computer Wizard.
Type a computer name. By default, only members of Domain Admins can join computers to the domain. To allow a different user or group to join the computer to the domain, click Change, and then use the Select User Or Group dialog box to select a user or group account that is authorized to join the computer to the domain. If Windows NT systems can use this account, select the Assign This Computer Account As A Pre-Windows 2000 Computer check box. Click Next twice, and then click Finish.
Note: Creating a computer account does not join the computer to the domain. It merely creates the account to simplify the process of joining a domain. You can, however, create a computer account when you join a computer to a domain.Creating computer accounts at the command line
You can create computer accounts using DSADD as well. To do this, you'll need to know the Active Directory service path string you want to use. For example, suppose you want to create a computer account called CustServicePC28 in the Computers container for the cpandl.com domain. The full path to this computer object is CN=CustServicePC28, CN=Computers,DC=cpandl,DC=com. When creating the computer object using DSADD, you must specify this path as follows:
dsadd computer "CN=CustServicePC28,CN=Computers,DC=cpandl,DC=com"
Here, CN= is used to specify the common name of an object and DC= is used to specify a domain component. With Active Directory path strings, you will also see OU=, which is used to specify the name of an organizational unit object. For the full syntax and usage, type dsadd computer /? at a command prompt.
The directory services commands can also be used to perform many computer management tasks. Use DSMOD COMPUTER to set properties, disable accounts, and reset accounts. Use DSMOVE COMPUTER to move computer accounts to a new container or OU. Use DSRM COMPUTER to remove the computer account.
Joining Computers to a Domain
When you join a computer to a domain, you must supply the credentials for creating a new computer account in Active Directory. The new computer will be placed in the default Computers container in Active Directory. Most of the time, there is a dialog box for joining a computer to the domain when you install or set up Windows 2000 or later for the first time. You must be a member of the Administrators group on the local computer to join it to the domain. Windows Server 2008 allows any authenticated user to join workstations to the domain-up to a total of 10-providing that you've already created the necessary computer accounts. To join a server to a domain, you must be a member of the Account Operators, Domain Admins, or Enterprise Admins group.
To join a server or workstation to a domain, follow these steps:
- Click System And Maintenance\System in Control Panel. In the Computer Name, Domain, And Workgroup Settings section, click Change Settings. This displays the System Properties dialog box with the Computer Name tab selected.
- On the Computer Name tab, click Change.
- Select Domain and type the name of the domain to which the computer should join. Click OK.
- When prompted, type the name and password of a domain account that has the permissions to create a computer account in Active Directory, or join the computer to the domain, or both. Click OK.
- The computer is joined to the domain, and a new computer account is created as necessary. If the changes are successful, you'll see a confirmation dialog box.
TROUBLESHOOTING: The computer won't join the domain
If there are problems joining the computer to the domain, there may be an existing computer in the domain with the same name. In this case, you would change the computer name and then repeat this procedure. The computer must also have Transmission Control Protocol/Internet Protocol (TCP/IP) properly configured. If you suspect a problem with the TCP/IP configuration, ping the loopback address 127.0.0.1 to ensure TCP/IP is installed correctly and then check the configuration settings by typing ipconfig /all at the command prompt.
In this tutorial:
- Managing Users, Groups, and Computers
- Managing Domain User Accounts
- Configuring User Account Policies
- Enforcing Password Policy
- Configuring Account Lockout Policy
- Creating Password Settings Objects and Applying Secondary Settings
- Understanding User Account Capabilities, Privileges, and Rights
- Assigning User Rights
- Creating and Configuring Domain User Accounts
- Configuring Account Options
- Configuring Profile Options
- Troubleshooting User Accounts
- Implementing and Creating Preconfigured Profiles
- Configuring Local User Profiles
- Implementing Mandatory User Profiles
- Managing User Data
- Using Offline Files
- Configuring Offline Files on Clients
- Maintaining User Accounts
- Moving User Accounts
- Resetting a User's Domain Password
- Creating a User Account Password Backup
- Managing Groups
- Understanding the Scopes of Groups
- Creating a Group
- Creating group accounts at the command line
- Modifying Groups
- Managing Computer Accounts
- Moving a Computer Account
- Configuring Properties of Computer Accounts
- Troubleshooting Computer Accounts
