Section 8.2: Computer Accounts

Computer accounts are created for all Windows NT, Windows 2000, Windows XP, and Windows Server 2003 computers in a domain. Computers running Windows 3.x, Windows 9x, or Windows ME do not have computer accounts and cannot be members of a domain, although a user who has an account in the domain can use it to log on to the domain. Computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources.

A computer account must be created in Active Directory for users to take full advantage of Active Directory features. Once a computer account exists, the computer can use advanced authentication processes such as Kerberos authentication and IP security (IPSec) to encrypt IP traffic. The computer account also determines how auditing is applied to and recorded for that computer. In addition, to be fully authenticated by Active Directory, a user must have a valid user account and must log on to the domain from a computer that has a valid computer account.

8.2.1: Creating Computer Accounts

When you create a computer account, you can choose the organizational unit (OU) in which to create that account. If a computer joins a domain, the computer account is automatically created in the Computers container, but can be moved to an OU as required.

By default, members of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory can create computer accounts in the Computers container and in new OUs. However, members of the Account Operators group cannot create computer accounts in the Builtin, Domain Controllers, ForeignSecurityPrincipals, LostAndFound, Program Data, System, or Users containers.
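Accounts that are created automatically in the Computers container receive no OU-linked Group Policy and no OU-level delegation until they are moved. The following PowerShell script is an added example, not part of the study guide: it lists the computer accounts sitting directly under CN=Computers and moves each into a managed OU. It uses dsquery and dsmove, companion tools to dsadd that this page does not describe; the domain and OU names are constructed for illustration.

```powershell
# Added example (not from the study guide). Finds computer accounts that landed in the
# default Computers container when a machine joined the domain, and moves them into a
# managed OU so that OU's Group Policy and delegated permissions apply to them.
# dsquery and dsmove are companion tools to dsadd; they are not described on this page.
# The domain and OU names below are constructed for illustration.

$domainDN    = 'DC=contoso,DC=example'                  # constructed
$computersCN = "CN=Computers,$domainDN"
$targetOU    = "OU=Workstations,OU=Managed,$domainDN"   # constructed

# -scope onelevel: only direct children of CN=Computers
# -o dn:           print distinguished names
# -limit 0:        no result cap (dsquery stops at 100 objects by default)
$strays = & dsquery computer $computersCN -scope onelevel -o dn -limit 0

if (-not $strays) {
    Write-Host "No computer accounts left in $computersCN"
    return
}

foreach ($dn in $strays) {
    # dsquery prints each DN wrapped in double quotes; strip them before reuse.
    $dn = $dn.Trim('"')
    Write-Host "Moving $dn -> $targetOU"
    & dsmove $dn -newparent $targetOU
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsmove failed (exit $LASTEXITCODE) for $dn"
    }
}
```

Run it as the account that has been delegated rights on both the Computers container and the target OU; the per-object exit-code check means one failed move is reported without stopping the rest.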

To create a computer account by using Active Directory Users and Computers, do the following:

• Click on the START button

• In the console tree, right-click Computers or the container in which you want to add the computer

• On the pop-up menu, point to NEW

• Then click COMPUTER

• Type the computer name in the computer name box

• Select the appropriate options

• Then click NEXT

• In the Managed dialog box, click NEXT

• Then click FINISH

You can also create a computer account by using the dsadd command-line utility. The syntax to create a computer account by using the dsadd command-line utility is:

dsadd computer <computer_DN> [-samid <SAM_name>] [-desc <description>] [-loc <location>] [-memberof <group_name ...>] [{-s <server> | -d <domain>}] [-u <user_name>] [-p {<password> | *}] [-q] [{-uc | -uco | -uci}]

The parameters for the dsadd command are listed in Table 8.1.

Table 8.1: The Dsadd Command-line Parameters

computer <computer_DN>
    Specifies the distinguished name (DN) of the computer account you want to create.

-samid <SAM_name>
    Sets the computer's SAM account name to the value specified in <SAM_name>.

-desc <description>
    Sets the computer account description to <description>.

-loc <location>
    Sets the computer location to <location>.

-memberof <group_name ...>
    Makes the computer a member of the group(s) listed by their distinguished names (DNs) in <group_name ...>. If multiple groups are listed, their distinguished names must be separated by spaces.

-s <server> | -d <domain>
    -s <server> connects to the domain controller with the specified <server> name, while -d <domain> connects to a domain controller in the specified <domain>.

-u <user_name>
    Specifies the user account to use when connecting.

-p {<password> | *}
    -p <password> specifies the password for the user account used when connecting, while -p * makes the command prompt for the password when connecting.

-q
    Runs the command in quiet mode, suppressing all output to standard output.

-uc
    Specifies that input from or output to a pipe is formatted in Unicode.

-uco
    Specifies that output to a pipe or file is formatted in Unicode.

-uci
    Specifies that input from a pipe or file is formatted in Unicode.
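The following PowerShell script is an added example, not part of the study guide: it pre-stages a computer account with dsadd directly in the OU that will hold it, using the -samid, -desc, -loc, -memberof, -u and -p parameters from Table 8.1, and then reads the object back with dsquery and dsget (companion tools to dsadd that this page does not describe). The host, OU, group and user names are constructed for illustration.

```powershell
# Added example (not from the study guide). Pre-stages a computer account with dsadd
# from PowerShell, then reads it back to confirm placement and attributes.
# dsquery and dsget are companion tools to dsadd; they are not described on this page.
# Host, OU, group and account names below are constructed for illustration.

$computerName = 'WS-FIN-017'                                                   # constructed
$targetOU     = 'OU=Workstations,OU=Finance,DC=contoso,DC=example'             # constructed
$description  = 'Finance workstation, floor 3'                                 # constructed
$location     = 'HQ / Floor 3'                                                 # constructed
$groupDN      = 'CN=Finance-Workstations,OU=Groups,DC=contoso,DC=example'      # constructed
$adminUser    = 'CONTOSO\acctops.alice'                                        # constructed

# Computer account SAM names carry a trailing '$'; derive it from the host name.
$samName    = $computerName + '$'
$computerDN = "CN=$computerName,$targetOU"

# Create the account in its final OU so the OU's Group Policy and delegation apply from
# the start, instead of creating it in CN=Computers and moving it later.
# '-p *' makes dsadd prompt for the password rather than taking it on the command line,
# so the password does not end up in shell history or in process-listing output.
& dsadd computer $computerDN `
    -samid    $samName `
    -desc     $description `
    -loc      $location `
    -memberof $groupDN `
    -u        $adminUser `
    -p        '*'

if ($LASTEXITCODE -ne 0) {
    throw "dsadd failed with exit code $LASTEXITCODE for $computerDN"
}

# Read the object back: confirm it exists under the intended DN and carries the
# attributes that were set.
$foundDN = & dsquery computer -samid $samName
if (-not $foundDN) {
    throw "Computer account $samName was not found after creation"
}

& dsget computer $foundDN -samid -desc -loc
```

Because -u is supplied without -s or -d, dsadd connects to a domain controller in the current domain; add -s <server> to pin the write to a specific domain controller when you need to read the object back from the same replica.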