DOCUMENT:Q228146 10-AUG-2001 [winnt] TITLE :Moving from Corporate WAN to Home LAN Causes Validation Problems PRODUCT :Microsoft Windows NT PROD/VER:WINDOWS:2000; winnt:3.1,3.5,3.51,4.0 OPER/SYS: KEYWORDS:kbenv kbnetwork ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation versions 3.1, 3.5, 3.51, 4.0 - Microsoft Windows 2000 Server - Microsoft Windows 2000 Professional - Microsoft Windows NT Server versions 3.1, 3.5, 3.51, 4.0 ------------------------------------------------------------------------------- SUMMARY ======= No method exists for logging on to multiple secure Microsoft Windows NT domains or workgroups while moving from location to location with a portable computer. When you take a portable computer away from a secure Microsoft Windows NT domain and reconfigure the computer to log on to a workgroup or secure domain at another location, it is not possible to return to the original secure domain and reconfigure the machine account without administrative rights, or a call to your network administrator. Moving a portable computer from a corporate network to a home network causes machine account problems in a enterprise network. MORE INFORMATION ================ Only administrators have the necessary rights to add machine accounts to a domain. Most users will have to ask a domain administrator to return the machine account to the domain. The current design is that only an administrator can change the domain to which a Windows 2000-based or Windows NT-based computer belongs. If your situation requires users to log on to various domains, you can establish trust relationships between the various domains. If all the domains are in a Windows 2000 tree, the trusts are transitive and there is no special configuration required. Windows 2000 Active Directory domains allow any authenticated user the right to create up to ten computer accounts in the domain by default. This is a group policy setting that is found in the Domain Controllers container in the following folder: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Add Workstations to Domain Policy --------------------------------- Determines which groups or users can add workstations to a domain. This policy is valid only on domain controllers. By default, any authenticated user has this right and can create up to ten computer accounts in the domain. Adding a computer account to the domain allows the computer to participate in Active Directory based networking. For example, adding a workstation to a domain allows that workstation to recognize accounts and groups that exist in Active Directory. The default group that has this right on domain controllers is: - Authenticated Users NOTE: Users that have the "Create Computer Objects" permission on the Active Directory Computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only ten computer accounts. Furthermore, computer accounts created by means of the Add workstations to domain user right have Domain Administrators as the owner of the computer account, while computer accounts created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the add workstation to domain user right, then the computer is added based on the computer container permissions rather than the user right. For additional information about computer accounts in Windows 2000, please see the following article in the Microsoft Knowledge Base: Q222525 Automating the Creation of Computer Accounts in Windows 2000 Additional query words: ====================================================================== Keywords : kbenv kbnetwork Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTW350 kbWinNTW350search kbWinNTW351search kbWinNTW351 kbwin2000Serv kbWinNTW310 kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTS310 kbwin2000ServSearch kbwin2000Search kbwin2000ProSearch kbwin2000Pro kbWinNTS351search kbWinNTS350search kbWinNTS310search kbWinNT310Search kbWinNTW310Search Version : WINDOWS:2000; winnt:3.1,3.5,3.51,4.0 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.