HOW TO: Pre-stage Windows 2000 Computers in Active Directory (283771)

SUMMARY

This article describes how to pre-stage computer names for Windows 2000-based computers, as you can in Microsoft Windows NT 4.0, to allow only those computer names to be added to Active Directory.

back to the top

Locate Computer Accounts

To pre-stage computers in a Windows 2000-based domain, you must locate those computer accounts in an organizational unit other than the default container. To do this, follow these steps:

1. Open the default domain controllers policy.
2. Click Computer Configuration.
3. Click Windows Settings.
4. Click Security Settings.
5. Click User Rights Assignment.
6. Double-click Add Workstation to Domain.
7. Click Define these policy settings.
8. Verify that Authenticated users is selected in the Define these policy settings box.
9. Click OK to make the setting active. This allows authenticated users to add workstations to the domain.

After you complete the steps above, you can pre-stage computer accounts in any organizational unit other than the default organizational unit, provided that authenticated users can read from and write to that organizational unit's objects.

back to the top

Remove Write Permissions of Authenticated Users from the Default Computer

It is a good idea to remove Write permissions from the default Computers location for authenticated users. To do this:

1. Right-click the Computers container, click View, and then click Advanced features.
2. Right-click the Computers container, and then click Properties.
3. On the Security tab, click Authenticated users.
4. Remove the Allow Write property. Or, for greater security, remove all of the "Allow" security rights.
5. Click Apply, and then click OK to apply the new security restrictions on the default Computers container.

back to the top