Rights Needed for Remote Installation Server to Create Machine Accounts (224294)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
This article was previously published under Q224294

SUMMARY

The Remote Installation service (RIS) needs to create a Machine Account object (MAO) in the domain in order for a remote installation server to finish setting up a client.

For pre-staged or "known" clients that already have a machine account created, certain rights need to be granted to allow users to install.

The user who logs on using the Client Installation Wizard (CIW) is the one whose credentials are used to create the machine account, so the rights on the default container that will hold the machine account need to be modified to grant these rights.

MORE INFORMATION

By default, RIS places all newly created MA0s in the Computers container. This behavior can be modified by editing the properties of the RIS server using the Active Directory Users and Computers snap-in. In this example, the Computers container is discussed.

NOTE: To view or change the security attributes of an object using this snap-in, you need to change your view to Advanced Features by clicking it on the View menu.

Available Options

  • Users can create their own machine accounts (Low security)

    If this option is selected, modify the security on the container that will hold the new MA0s to include an Access Control Entry (ACE) for the user (or group) allowing the Create All Child Objects permission. Because the creator of this object becomes the owner, he or she has full control on this object only, and no one else in the container. This also allows the user to reinstall the system (if required) without administrator assistance.
  • All machine accounts are pre-staged. (High security)

    Pre-staged systems are those for which the MAO is created ahead of time in preparation for a user installing the system.
The following additional security items need to be placed on the Computer object itself, not the Container object (Computers):
  • User cannot re-install the system

    The user requires "Read all Properties" and "Write all Properties" rights on the computer object.
  • User can re-install the system

    The user requires "Read all Properties," "Write all Properties," and "Reset and Change Password" rights on the computer object.
Modification Type:MajorLast Reviewed:11/3/2003
Keywords:kbenv kbinfo KB224294
©2003 Microsoft Corporation. All rights reserved.