Machine Account Security After Upgrade from Windows NT 4.0 (222582)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q222582

SUMMARY

This article describes the security on domain machine accounts before and after an upgrade to Windows 2000. This information can be used in troubleshooting permissions on machine account objects in the Active Directory and determining which user created the machine account before the upgrade.

MORE INFORMATION

The Discretionary ACL (DACL) contains Access Control Entries (ACEs) that define permissions on a given object. In Microsoft Windows NT 4.0, when a machine account is created, the domain Administrators local group becomes the owner of the machine account. The user who created the machine account is stored as part of its data, and the DACL on the machine account includes limited rights for that user (such as deleting the account).

When an upgrade to Windows 2000 is performed, the following changes occur on each computer account:

  • A machine account object is created in the default Computers container.
  • The user who created the machine account becomes the owner of that account object in the Active Directory.
  • The DACL on the machine account is reset to the default that is defined for objects of the Computer class in the schema. This DACL includes an entry for Creator Owner which, when viewed in ACL Editor, is displayed under the name of the user who created the account. Note that other ACEs can be present if users or groups are added or permissions are changed on parent containers in the Active Directory, resulting in additional inherited permissions.

    Self:

    Create All Child Objects
    Delete All Child Objects

    Authenticated Users:

    Read
    Read Public Information

    System:

    (Full Control)

    Creator Owner:

    (Full Control)

    Domain Administrators:

    (Full Control)

    Cert Publishers:

    (no permissions)

    Enterprise Administrators (inherited permission):

    Read
    Write
    Create All Child Objects
    Change Password
    Receive As
    Reset Password
    Send As
    Read Public Information
    Write Public Information

    Account Operators:

    Full Control

    Print Operators:

    (no permissions)

    Everyone:

    Change Password

The default DACLs listed above also apply to new machine accounts.
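The following script is an added example for reviewing the situation the article describes; it is not part of the article. It reads the owner and the DACL of each computer object under a container and reports who holds Full Control and Delete on each account, so that accounts whose owner is a former NT 4.0 creating user (and therefore holds Full Control through the Creator Owner entry) stand out from those owned by an administrative group. It assumes the ActiveDirectory PowerShell module (its AD: drive backs Get-Acl); the search base, the NetBIOS domain name EXAMPLE, and the group names in the trusted list are placeholders to adjust for your domain.

```powershell
# Added example, not code from the KB article. Reports the owner and the
# Full Control / Delete holders on every computer object under a search base.
# Assumes the ActiveDirectory module and a domain named EXAMPLE; the search
# base and the group names below are placeholders.
Import-Module ActiveDirectory

function Get-ComputerAccountAclReport {
    param(
        [string]$SearchBase = 'CN=Computers,DC=example,DC=com',   # assumption
        # Identities the article lists with Full Control by default (assumed names).
        [string[]]$TrustedFullControl = @('NT AUTHORITY\SYSTEM',
                                          'EXAMPLE\Domain Admins',
                                          'EXAMPLE\Account Operators')
    )

    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $delete      = [System.DirectoryServices.ActiveDirectoryRights]::Delete

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $computer = $_
        $acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
        $owner    = [string]$acl.Owner

        # Explicit (non-inherited) Allow ACEs only: inherited entries come from
        # parent containers, which the article notes can add further permissions.
        $explicitAllow = $acl.Access | Where-Object {
            -not $_.IsInherited -and $_.AccessControlType -eq 'Allow'
        }

        $fullControlHolders = $explicitAllow |
            Where-Object { ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl } |
            ForEach-Object { [string]$_.IdentityReference }

        $deleteHolders = $explicitAllow |
            Where-Object { ($_.ActiveDirectoryRights -band $delete) -eq $delete } |
            ForEach-Object { [string]$_.IdentityReference }

        # The Creator Owner entry appears under the owner's own name, so any
        # Full Control holder that is neither a trusted group nor the owner
        # is worth a closer look.
        $unexpected = $fullControlHolders |
            Where-Object { $_ -ne $owner -and $TrustedFullControl -notcontains $_ }

        [pscustomobject]@{
            Computer              = $computer.Name
            Owner                 = $owner
            OwnerIsTrustedGroup   = $TrustedFullControl -contains $owner
            FullControlHolders    = ($fullControlHolders | Sort-Object -Unique) -join '; '
            DeleteHolders         = ($deleteHolders | Sort-Object -Unique) -join '; '
            UnexpectedFullControl = ($unexpected | Sort-Object -Unique) -join '; '
        }
    }
}

# Usage: list computer objects whose owner is not an administrative group,
# i.e. accounts still owned by the user who created them before the upgrade.
Get-ComputerAccountAclReport |
    Where-Object { -not $_.OwnerIsTrustedGroup } |
    Format-Table -AutoSize
```

Because the Creator Owner ACE is resolved to the creating user's account on the object itself, the Owner column is the direct way to recover "which user created the machine account before the upgrade" that the summary refers to; the UnexpectedFullControl column separates that expected entry from any Full Control grant that was added later.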

Modification Type: Major
Last Reviewed: 11/13/2003
Keywords:kbinfo kbnetwork KB222582