Managing Computer Accounts

Computer accounts are managed and configured using Active Directory Users And Computers. By default, computer accounts are stored in the Computers container and domain controller accounts are stored in the Domain Controllers container. Computer accounts can also be stored in other containers, such as the OUs you've created. Computers may be joined and removed from a domain using Computer Management or the System tool in Control Panel.

Creating a Computer Account in Active Directory

Creating a computer account requires the right to create computer objects in the target container. Members of the Account Operators, Domain Admins, and Enterprise Admins groups have it by default, and it can be delegated to another group on a specific OU. To create a new computer account, start Active Directory Users And Computers. Right-click the container in which you want to create the new computer account, point to New, and then select Computer. This starts the New Object–Computer Wizard shown in Figure 37-18.

Figure 37-18. Creating a computer account

Type a computer name. The User Or Group box shows which principal may join a computer to the domain using this pre-created account; the default is Domain Admins. To let a different user or group perform the join, click Change, and then use the Select User Or Group dialog box to select that account. The wizard grants the selected principal the permissions it needs on the new object, so prefer a small, purpose-built group over an individual's everyday account. Select Assign This Computer Account As A Pre–Windows 2000 Computer only if a Windows NT system must use the account: the option sets the account's initial password to a value derived from the computer name, and an account created this way that is never actually joined stays in that guessable state. Afterward, click Next twice, and then click Finish.

Note

Creating a computer account does not join the computer to the domain. It merely creates the account to simplify the process of joining a domain. You can, however, create a computer account when you join a computer to a domain.

Joining Computers to a Domain

When you join a computer to a domain, you supply the credentials of a domain account that is allowed to create, or to use, the computer account in Active Directory. If the account is created during the join, it is placed in the default Computers container; to land it in another container, pre-create it there before joining. Most of the time, a dialog box for joining a computer to the domain appears when you install or set up Windows 2000 or Windows Server 2003 the first time. You must be a member of the Administrators group on the local computer to join it to the domain. On the domain side, Windows Server 2003 lets any authenticated user join up to 10 computers. The limit is the ms-DS-MachineAccountQuota attribute on the domain object and is counted per user; many organizations set it to 0 so that every join goes through a delegated account. Beyond the quota, the account used must hold the right to create computer objects in the target container, as members of the Account Operators, Domain Admins, or Enterprise Admins group do.

To join a server or workstation to a domain, follow these steps:

  1. Start the System utility. On the desktop, right-click My Computer, and then select Properties. Alternatively, in Control Panel, select or double-click System.

  2. On the Computer Name tab, click Change.

  3. Select Domain and type the name of the domain the computer should join. Click OK.

  4. When prompted, type the name and password of a domain account that has the permissions to create a computer account in Active Directory or join the computer to the domain, or both. Click OK.

  5. The computer is joined to the domain, and a new computer account is created as necessary. If the changes are successful, you'll see a confirmation dialog box.
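The same pre-stage-then-join sequence from the command line, as an added example that is not part of the book. It uses the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, so not the tooling of the Windows Server 2003 era), and assumes a domain corp.example.com with a domain controller dc01, a Finance workstation OU, a computer named WS-FIN-017 and a join account CORP\adm-join that has been delegated the right to create computer objects on that OU; all of these names are hypothetical. The ACL change the wizard makes through the Change button is not reproduced here.

```powershell
# Added example (not from the book). Requires the ActiveDirectory module; names are assumptions.

# --- Step 1, on an administrative workstation: create the account in the OU you want,
#     not in CN=Computers, so that the right GPOs and inherited ACEs apply from the start.
Import-Module ActiveDirectory
$Server   = 'dc01.corp.example.com'                                         # assumed DC
$TargetOu = 'OU=Workstations,OU=Finance,DC=corp,DC=example,DC=com'          # assumed OU

New-ADComputer -Name 'WS-FIN-017' -Path $TargetOu -Server $Server `
    -Description 'Finance workstation 17' -Enabled $true
# No pre-Windows 2000 option here: the account gets a random initial password instead of one
# derived from its name. Who may join using this account is an ACL question (dsacls / Set-Acl
# on the object, not shown); with no extra ACE the wizard's default, Domain Admins, applies.

# --- Step 2, on the computer being joined (elevated, as a local Administrator).
#     -OUPath is used only if the account has to be created; if WS-FIN-017 already exists,
#     that pre-staged account is used, provided the join credentials have rights to it.
$Cred = Get-Credential -UserName 'CORP\adm-join' -Message 'Account allowed to join WS-FIN-017'
Add-Computer -DomainName 'corp.example.com' -Server $Server -OUPath $TargetOu `
    -Credential $Cred -NewName 'WS-FIN-017' -PassThru          # add -Restart when satisfied

# --- Step 3, after the reboot, still on the computer: the secure channel must be up,
#     i.e. the machine password stored locally matches the one on the DC.
Test-ComputerSecureChannel -Server $Server -Verbose            # $true = in sync

# --- Step 4, back on the admin workstation: the object is in the OU, enabled, and
#     PasswordLastSet is at or after the join. A pre-staged account that never joined keeps
#     its creation-time password, which is what makes such leftovers worth hunting down.
Get-ADComputer -Identity 'WS-FIN-017' -Server $Server `
    -Properties Created, PasswordLastSet, OperatingSystem, Enabled |
    Select-Object Name, Enabled, DistinguishedName, Created, PasswordLastSet, OperatingSystem
```

Running the join with a dedicated, narrowly delegated account rather than a Domain Admin matters because the join password is typed on, and cached by, a machine you do not yet trust.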

Moving a Computer Account

Organizational changes may require you to move a computer account from one container to another. Moving it changes which Group Policy objects are applied to the computer and which permissions it inherits from its parent container, so plan and test the move. Resultant Set Of Policy in planning mode can simulate the computer in the target container before you move it, and the Effective Permissions tab in Advanced Security Settings shows what a given user or group will be able to do with the object once it is there.

To move a computer account, you can drag and drop the computer entry from one container to another within the Details pane of Active Directory Users And Computers. Alternatively, you can right-click the computer account name, select Move, and then select the container to which you want to move the account using the Move dialog box. You cannot move computer accounts across domains with Active Directory Users And Computers.

Disabling a Computer Account

Security incidents, such as a malware infection or rogue user activity, may require you to temporarily disable a computer account. A software bug that makes an individual computer hammer a domain controller with authentication requests is another reason. Disabling the account prevents the computer from authenticating to the domain until you fix the problem.

You disable a computer account by right-clicking it in Active Directory Users And Computers and selecting Disable Account. This prevents the computer from logging on to the domain but does not remove the account from Active Directory: its SID, group memberships and the permissions granted to it are kept, so re-enabling the account restores the machine exactly as it was. That makes disabling the right first response; deletion is the irreversible step.

Deleting a Computer Account

When you delete a computer account using Active Directory Users And Computers, you cannot get it back simply by creating a new computer account with the same name. The new account receives a new SID, so group memberships and permissions that referenced the old SID no longer apply to it, and the computer itself, whose secret belongs to the deleted account, must be joined to the domain again.

To remove a computer account, right-click the computer account name in Active Directory Users And Computers, and then select Delete.
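The disable-first workflow and the SID consequence of deletion from the two sections above, as an added example that is not part of the book. It assumes the ActiveDirectory module, a domain controller dc01.corp.example.com, a Finance workstation OU and a computer WS-FIN-017; all names are hypothetical, and the 90-day threshold is a chosen value, not a Windows default.

```powershell
# Added example (not from the book). Requires the ActiveDirectory module; names are assumptions.
Import-Module ActiveDirectory
$Server = 'dc01.corp.example.com'

# --- Disable one account (the "Disable Account" menu item). Reversible; SID and memberships stay.
Disable-ADAccount -Identity 'WS-FIN-017$' -Server $Server
Get-ADComputer -Identity 'WS-FIN-017' -Server $Server | Select-Object Name, Enabled, SID

# --- Find accounts that have stopped authenticating. A healthy domain member renews its
#     password every 30 days on its own, so a PasswordLastSet older than the chosen cutoff
#     means the machine is gone, or was pre-staged and never joined. Both deserve attention.
$Cutoff = (Get-Date).AddDays(-90)                                 # assumed policy value
$Stale  = Get-ADComputer -Server $Server `
            -Filter { PasswordLastSet -lt $Cutoff -and Enabled -eq $true } `
            -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
          Sort-Object PasswordLastSet
$Stale | Format-Table Name, OperatingSystem, PasswordLastSet, LastLogonDate -AutoSize

# Disable rather than delete, and preview first: drop -WhatIf once the list has been reviewed.
$Stale | Disable-ADAccount -Server $Server -WhatIf

# --- Deletion is not undone by re-creation: the replacement object gets a different SID.
$OldSid = (Get-ADComputer -Identity 'WS-FIN-017' -Server $Server).SID.Value
Remove-ADComputer -Identity 'WS-FIN-017' -Server $Server -Confirm:$false
# (If the object has children, e.g. BitLocker recovery entries, Remove-ADComputer refuses;
#  use Remove-ADObject -Recursive on its DN instead.)
New-ADComputer -Name 'WS-FIN-017' -Server $Server `
    -Path 'OU=Workstations,OU=Finance,DC=corp,DC=example,DC=com'
$NewSid = (Get-ADComputer -Identity 'WS-FIN-017' -Server $Server).SID.Value
"Old SID : $OldSid"
"New SID : $NewSid"
"Same SID: $($OldSid -eq $NewSid)"   # False: ACEs and group memberships keyed to $OldSid are orphaned
```

The same-name re-creation at the end is there to demonstrate the point, not as a recovery procedure; the recovery for an accidental deletion is restoring the original object (tombstone reanimation or an authoritative restore), which preserves the SID.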

Managing a Computer Account

Managing a remote computer is a common task when troubleshooting server or workstation problems. Computer Management lets you view and configure settings on the remote computer such as shares, system settings, services and applications, and the event logs. Take care when changing settings or restarting services on remote machines: the change takes effect immediately on a system you cannot see.

Right-click the computer account name in Active Directory Users And Computers, and then select Manage to open Computer Management, a Microsoft Management Console (MMC) console, connected to that computer.

Resetting a Computer Account

Computer accounts, like user accounts, have passwords. Unlike user account passwords, computer account passwords are managed automatically: the computer itself changes its password, every 30 days by default, and stores the new value both locally and in its Active Directory account. Sometimes the two copies get out of sync, for example after a system restore or a disk image, or another problem prevents the computer account from authenticating to the domain. If this happens, the computer can no longer access resources in the domain and the account needs to be reset.

To reset a computer account, right-click the computer account name in Active Directory Users And Computers, and then select Reset Account. Be aware of what this does: it puts the account's password back to its initial value on the domain side only, so the computer's own copy no longer matches and the computer must be joined to the domain again before it can authenticate. When the computer is still reachable, resetting the password from the computer side (netdom resetpwd, or Test-ComputerSecureChannel -Repair on later Windows versions) updates both copies at once and avoids the rejoin.
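Both repair paths described above, as an added example that is not part of the book. It assumes a domain controller dc01.corp.example.com, a computer WS-FIN-017 in OU=Workstations,OU=Finance,DC=corp,DC=example,DC=com and an account CORP\adm-join with reset-password rights on that object; the cmdlets used on the client side ship with Windows 7 / Windows Server 2008 R2 and later, while dsmod and netdom are the Windows Server 2003-era tools. All names are hypothetical.

```powershell
# Added example (not from the book). Names and the DC are assumptions.

# --- On the affected computer (elevated). $true means the locally stored machine password
#     matches the one held by the DC. Symptoms of a mismatch: "The trust relationship between
#     this workstation and the primary domain failed" at logon, NETLOGON events 3210 / 5722.
$Dc     = 'dc01.corp.example.com'
$InSync = Test-ComputerSecureChannel -Server $Dc -Verbose

if (-not $InSync) {
    # Preferred fix: set a fresh machine password on both sides in one step. No rejoin,
    # no reboot, and the account's SID and group memberships are untouched.
    # Windows Server 2003 equivalent:
    #   netdom resetpwd /server:dc01.corp.example.com /userd:CORP\adm-join /passwordd:*
    $Cred = Get-Credential -UserName 'CORP\adm-join' -Message 'Account with reset-password rights on WS-FIN-017'
    Reset-ComputerMachinePassword -Server $Dc -Credential $Cred
    # Test-ComputerSecureChannel -Repair -Credential $Cred does the same and re-tests afterwards.
    $InSync = Test-ComputerSecureChannel -Server $Dc
}

# --- Fallback, run on the DC side. This is the "Reset Account" menu item, i.e. what to do when the
#     client-side reset is impossible (machine unreachable, or its local secret is unknown).
$ForceServerSideReset = $false      # flip deliberately; it breaks the trust until the rejoin below
if ($ForceServerSideReset) {
    dsmod computer 'CN=WS-FIN-017,OU=Workstations,OU=Finance,DC=corp,DC=example,DC=com' -reset
    # The account is back to its initial password, so on WS-FIN-017 the domain is now unusable until
    # it is joined again onto the existing account (run there, elevated):
    #   Add-Computer -DomainName corp.example.com -Credential $Cred -Restart
}

"Secure channel healthy: $InSync"
```

The client-side path is the one to reach for first; the server-side Reset Account exists for the case where the client cannot take part, and it always ends in a rejoin.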

Configuring Properties of Computer Accounts

As with users and groups, there are many configuration tabs you can select when you are modifying a computer account. Right-click the computer name in Active Directory Users And Computers, and then select Properties. The following tabs are available:

  • Delegation Allows you to configure delegation for the computer account as discussed in the section entitled "Configuring the Delegated Service or Computer Account". This tab is available only when the domain is operating in Windows Server 2003 functional level.

  • General Shows the computer's name and role and allows you to set a description. When the domain is operating in Windows 2000 Mixed or Windows 2000 Native functional level, you configure the computer for delegation by selecting the Trust This Computer For Delegation option. This is unconstrained delegation: a computer trusted this way receives, and can reuse, the Kerberos credentials of every user who authenticates to it, so grant it only to servers that genuinely need to act on behalf of users, and prefer the constrained form on the Delegation tab once the domain is at Windows Server 2003 functional level.

  • Location Allows you to set a location for the computer.

  • Managed By Allows you to specify the person or group responsible for the computer.

  • Member Of Allows you to configure the group membership for the computer.

  • Object Displays the canonical name of the computer object with its creation and modification dates and Update Sequence Numbers. This tab is visible only in Advanced view.

  • Operating System Displays the operating system version and service pack used by the computer.

  • Remote Install Allows you to set the unique identifier (globally unique identifier [GUID]/universal unique identifier [UUID]) and the remote installation server to use for a managed computer. This tab is available only for a managed computer.

  • Security Used to configure advanced permissions for users and groups that can access this computer object in Active Directory. This tab is visible only in Advanced view.

  • Dial-In Used to set the computer's dial-in or VPN access controls as well as callback, IP address, and routing options for dial-in or VPN or both.

As you can see, much of the data for computer account properties is informational. The data you may need to change is most likely on the Security tab, where you can add users or groups to the account and change permissions for users and groups that already exist or that you have added. Treat write permissions on a computer object as control of the machine: whoever can reset its password or write to its attributes can act as that computer. You may also have to change the dial-in configuration as well as allow or deny dial-in access using the computer.
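The Delegation and Security tabs read as data across the whole domain rather than one object at a time, as an added example that is not part of the book. It assumes the ActiveDirectory module, a domain controller dc01.corp.example.com and a computer WS-FIN-017; the names are hypothetical, and the list of "expected" principals filtered out in the last query is a starting point to adjust for your own delegation model.

```powershell
# Added example (not from the book). Requires the ActiveDirectory module; names are assumptions.
Import-Module ActiveDirectory
$Server = 'dc01.corp.example.com'

# --- 1. Unconstrained delegation: the General tab's "Trust This Computer For Delegation"
#        (Mixed/Native) or the Delegation tab's "any service (Kerberos only)" option.
#        Domain controllers carry it by design (primary group 516); every other hit needs a reason.
Get-ADComputer -Server $Server `
    -Filter { TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516 } `
    -Properties TrustedForDelegation, OperatingSystem |
    Select-Object Name, OperatingSystem, DistinguishedName

# --- 2. Constrained delegation (Windows Server 2003 functional level): which services each
#        computer may delegate to, and whether protocol transition ("use any authentication
#        protocol") is enabled, which lets the host impersonate users who never authenticated to it.
Get-ADComputer -Server $Server `
    -Filter "msDS-AllowedToDelegateTo -like '*'" `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'DelegatesTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

# --- 3. The Security tab of one object: principals, beyond the usual administrative ones,
#        that hold rights amounting to control of the computer (write, reset password, or worse).
$Dn = (Get-ADComputer -Identity 'WS-FIN-017' -Server $Server).DistinguishedName
(Get-Acl -Path "AD:\$Dn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight' -and
        $_.IdentityReference -notmatch 'Domain Admins|Enterprise Admins|Account Operators|SYSTEM|SELF'   # assumed baseline
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

Query 3 is the one to run after any Change-button or Security-tab edit: an ACE granted for a one-off join tends to outlive the task it was created for.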
