Moving from Corporate WAN to Home LAN Causes Validation Problems (228146)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows NT Workstation 3.1
  • Microsoft Windows NT Workstation 3.5
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 3.1
  • Microsoft Windows NT Server 3.5
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0
This article was previously published under Q228146

SUMMARY

No method exists for logging on to multiple secure Microsoft Windows NT domains or workgroups while moving from location to location with a portable computer. When you take a portable computer away from a secure Microsoft Windows NT domain and reconfigure the computer to log on to a workgroup or secure domain at another location, it is not possible to return to the original secure domain and reconfigure the machine account without administrative rights, or a call to your network administrator. Moving a portable computer from a corporate network to a home network causes machine account problems in a enterprise network.

MORE INFORMATION

Only administrators have the necessary rights to add machine accounts to a domain. Most users will have to ask a domain administrator to return the machine account to the domain. The current design is that only an administrator can change the domain to which a Windows 2000-based or Windows NT-based computer belongs.

If your situation requires users to log on to various domains, you can establish trust relationships between the various domains. If all the domains are in a Windows 2000 tree, the trusts are transitive and there is no special configuration required.

Windows 2000 Active Directory domains allow any authenticated user the right to create up to ten computer accounts in the domain by default. This is a group policy setting that is found in the Domain Controllers container in the following folder:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Add Workstations to Domain Policy

Determines which groups or users can add workstations to a domain. This policy is valid only on domain controllers. By default, any authenticated user has this right and can create up to ten computer accounts in the domain.

Adding a computer account to the domain allows the computer to participate in Active Directory based networking. For example, adding a workstation to a domain allows that workstation to recognize accounts and groups that exist in Active Directory.

The default group that has this right on domain controllers is:
  • Authenticated Users
NOTE: Users that have the "Create Computer Objects" permission on the Active Directory Computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only ten computer accounts. Furthermore, computer accounts created by means of the Add workstations to domain user right have Domain Administrators as the owner of the computer account, while computer accounts created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the add workstation to domain user right, then the computer is added based on the computer container permissions rather than the user right.
Modification Type:MajorLast Reviewed:9/8/2006
Keywords:kbenv kbinfo kbnetwork KB228146
©2004 Microsoft Corporation. All rights reserved.