Moving a Computer Account
A corporation may have organizational changes requiring you to move a computer account. The computer account may be moved from one container to another. Plan and test moving the computer account to ensure that possible conflicts in permissions or rights don't occur. You can use the Effective Permissions tool in planning mode to simulate moving computer accounts and to determine if there could be conflicts.
To move a computer account, you can drag and drop the computer object from one container to another within the details pane of Active Directory Users And Computers. Alternatively, you can right-click the computer account name, select Move, and then select the container to which you want to move the account using the Move dialog box. You cannot move computer accounts for domain controllers across domains. You must first demote the domain controller, then move the computer account.
Disabling a Computer Account
Security issues, such as malicious viral attacks or rogue user actions, may require you to temporarily disable a computer account. Perhaps a critical software bug has caused an individual computer to repeatedly try to receive authentication from a domain controller. You disable a computer account to prevent it from authenticating until you fix the problem.
You disable a computer account by right-clicking it in Active Directory Users And Computers and selecting Disable Account. This prevents the computer from logging on to the domain but does not remove the related account from Active Directory.
Deleting a Computer Account
When you delete a computer account using Active Directory Users And Computers, you cannot just re-create a new computer account with the same name and access. The SID of the original computer account will be different from that of the new account. To remove a computer account, right-click the computer account in Active Directory Users And Computers, and then select Delete.
Managing a Computer Account
Managing a remote computer is a common task when troubleshooting server or workstation problems. You see and configure computer management settings such as shares, system settings, services and applications, and the event log of the remote computer. Care should be taken when changing settings or restarting services on remote machines.
Right-click the computer account name in Active Directory Users And Computers, and then select Manage to bring up Computer Management for that computer.
Resetting a Computer Account
Computer accounts, like user accounts, have passwords. Unlike user account passwords, computer account passwords are managed automatically. Sometimes, however, the password can get out of sync or there can be another issue that doesn't allow the computer account to be authenticated in the domain. If this happens, the computer account can no longer access resources in the domain and you should reset the computer account.
To reset a computer account, right-click the computer account name in Active Directory Users And Computers, and then select Reset Account. If you reset the computer account, the computer must be removed from the domain (by placing it in a workgroup or other domain) and then rejoined to the domain.
However, the Reset Account feature is not the best technique to use with member servers and domain controllers. With member servers and domain controllers, you should use NETDOM RESETPWD. You can reset the computer account password of a member server or domain controller by completing the following steps:
- Log on locally to the computer. If you are resetting the password of a domain controller, you must stop the Kerberos Key Distribution Center service and set its startup type to Manual.
- Open a command prompt. Type netdom resetpwd /s:ComputerName /ud: domain\user /pd:* where ComputerName is the name of a domain controller in the computer account's logon domain, domain\user is the name of an administrator account with the authority to change the computer account password, and * tells NETDOM to prompt you for the account password before continuing.
- When you enter your password, NETDOM will change the computer account password locally and on the domain controller. The domain controller will then distribute the password change to other domain controllers.
- When NETDOM completes this task, restart the computer and verify that the password has been successfully reset. If you reset a domain controller's password, restart the Kerberos Key Distribution Center service and set its startup type to Automatic.
In this tutorial:
- Managing Users, Groups, and Computers
- Managing Domain User Accounts
- Configuring User Account Policies
- Enforcing Password Policy
- Configuring Account Lockout Policy
- Creating Password Settings Objects and Applying Secondary Settings
- Understanding User Account Capabilities, Privileges, and Rights
- Assigning User Rights
- Creating and Configuring Domain User Accounts
- Configuring Account Options
- Configuring Profile Options
- Troubleshooting User Accounts
- Implementing and Creating Preconfigured Profiles
- Configuring Local User Profiles
- Implementing Mandatory User Profiles
- Managing User Data
- Using Offline Files
- Configuring Offline Files on Clients
- Maintaining User Accounts
- Moving User Accounts
- Resetting a User's Domain Password
- Creating a User Account Password Backup
- Managing Groups
- Understanding the Scopes of Groups
- Creating a Group
- Creating group accounts at the command line
- Modifying Groups
- Managing Computer Accounts
- Moving a Computer Account
- Configuring Properties of Computer Accounts
- Troubleshooting Computer Accounts