HOW TO: Manage Computer Accounts in Active Directory in Windows 2000 (320187)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q320187

SUMMARY

A computer account is an account that is created by a domain administrator. The computer account uniquely identifies the computer on the domain. The Windows computer account matches the name of the computer joining the domain. This article explains how to manage computer accounts in Active Directory.


How To Manage Computer Accounts

Add a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the container in which you want to add the computer.
  3. Right-click Computers or the container in which you want to add the computer, point to New, and then click Computer.
  4. Type the computer name.

    IMPORTANT: The Default Domain Policy settings allow only members of the Domain Admins group to add a computer account to a domain. Click Change to specify a different user or group that can add this computer to the domain.

    NOTES:
    • To view or change the full computer name of a computer and the domain that a computer belongs to, right-click My Computer on the desktop, click Properties, and then click the Network Identification tab.
    • There are two additional ways to give a user or group permission to add a computer to the domain: use a Group Policy object to grant the right Add computer user, or, for the organizational unit in which you want to allow them to create computer objects, grant the user or group the permission to create computer objects.
    • If the computer that is using the account that you are creating is running a version of Windows earlier than 2000, click to select the Assign this computer account as a pre-Windows 2000 computer check box.
    • The Assign this computer account as a pre-Windows 2000 computer check box assigns a password that is based on the new computer name. If you do not select this check box, you are assigned a random password.
    • If you intend to use the computer with the newly created account as a backup computer for a domain controller, click Assign this computer account as a backup domain controller.
To add a computer account by using a command, type the following at a command prompt, and then press ENTER:

dsadd computer ComputerDN

where ComputerDN is the distinguished name of the computer that you want to add. The distinguished name specifies the directory location. To view the complete syntax for this command, at a command prompt, type dsadd computer /?.

NOTE: To modify the properties of a computer account, use the dsmod computer command.


Add a Computer Account to a Group

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, under the domain node, click Computers, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Properties.
  4. On the Member Of tab, click Add.
  5. Click the group to which you want to add the computer, and then click Add.
    Or, to add the computer to more than one group, press CTRL and click the groups to which you want to add the computer, and then click Add.

    NOTES:
    • Adding a computer to a group allows you to grant permissions to all of the computer accounts in that group and to filter Group Policy settings on all accounts in that group.
    • To add a computer to a group, you can also drag the computer to a specific group.
To add a computer account to a group by using a command, type the following at a command prompt, and then press ENTER:

dsmod group GroupDN -addmbr ComputerDN

where ComputerDN is the distinguished name of the computer that you want to add (the distinguished name specifies the directory location), and GroupDN specifies the distinguished name of the group object to which you want to add the computer object. To view the complete syntax for this command, at a command prompt, type dsmod group /?.
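The ComputerDN and GroupDN arguments used by dsadd computer and dsmod group above can be built as follows. This is an added example, not part of the original article; the function names, the domain corp.example.com, the computer WKS-0142 and the OU and group names are all constructed for illustration.

```powershell
# Added example; every name and DN value below is constructed.
function ConvertTo-RdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape characters that are special inside one DN component (RFC 4514).
    $escaped = $Value -replace '([,+"\\<>;=])', '\$1'
    # A leading '#' or space and a trailing space must also be escaped.
    return ($escaped -replace '^([# ])', '\$1' -replace ' $', '\ ')
}

function ConvertTo-DomainDN {
    param([Parameter(Mandatory)][string]$DnsDomain)
    # corp.example.com -> DC=corp,DC=example,DC=com
    return (($DnsDomain -split '\.' | ForEach-Object { "DC=$_" }) -join ',')
}

function New-ObjectDN {
    param(
        [Parameter(Mandatory)][string]$Name,      # object name, unescaped
        [Parameter(Mandatory)][string]$ParentDN   # container or OU, already a DN
    )
    return "CN=$(ConvertTo-RdnValue $Name),$ParentDN"
}

$domainDN   = ConvertTo-DomainDN 'corp.example.com'
# An organizational unit. The default container would be CN=Computers,
# not OU=Computers, because it is a container and not an OU.
$computerDN = New-ObjectDN 'WKS-0142' "OU=Workstations,$domainDN"
# The comma inside the group name must be escaped or it splits the DN.
$groupDN    = New-ObjectDN 'Patch Ring 1, Lab' "OU=Groups,$domainDN"

# Dry run: print the article's commands with quoted DNs rather than running them.
"dsadd computer `"$computerDN`""
"dsmod group `"$groupDN`" -addmbr `"$computerDN`""
```

The same quoted ComputerDN is the argument for the dsmod computer commands later in this article.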


Delete a Computer Account

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Delete.

Find a Computer Account

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. If you want to search the entire domain, right-click the domain node in the console tree, and then click Find.
    Or, if you know which organizational unit the computer is in, right-click the organizational unit in the console tree, and then click Find.
  3. In Find, click Computers.
  4. In Name, type the name of the computer you want to find.
  5. To find only domain controllers, click Domain Controller in Role.
    Or, to find only workstations and servers (not domain controllers), click Workstations and Servers in Role.
  6. Click Find Now.

    NOTE: Click the Advanced tab for more powerful search options.

Manage a Remote Computer

NOTE: To perform this task, you do not have to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Manage.

    Computer Management starts. From Computer Management, you can administer remote computers. You must have administrative credentials on the local computer to view certain information or to modify computer properties by using Computer Management.

Modify Computer Account Properties

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Properties.

Move a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Move.
  4. In the Move dialog box, click the domain node.
  5. Click the folder to which you want to move the computer, and then click OK.

    NOTES:
    • Members of the Account Operators group can move computer accounts to organizational units but not to default containers such as Builtin or Computers. Account Operators cannot move computer accounts into the Domain Controllers organizational unit, but they can move computer accounts from the Domain Controllers organizational unit.
    • Active Directory Users and Computers cannot move computer accounts between domains. To move a computer account between domains, use Movetree, one of the Active Directory support tools.

Reset a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, under the domain node, click Computers, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Reset Account.

    NOTE: Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain.
To reset a computer account by using a command, type the following at a command prompt, and then press ENTER:

dsmod computer ComputerDN -reset

where ComputerDN specifies the distinguished names of one or more computer objects that you want to reset. To view the complete syntax for this command, at a command prompt, type dsmod computer /?.


Turn Off a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Disable Account.

    NOTE: Turning off a computer account breaks that computer's connection with the domain, and that computer will not be able to authenticate to the domain.
To turn off a computer account by using a command, type the following at a command prompt, and then press ENTER:

dsmod computer ComputerDN -disabled yes

where ComputerDN specifies the distinguished name of the computer object that you want to disable. To view the complete syntax for this command, at a command prompt, type dsmod computer /?.


Turn On a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Enable Account.
To turn on a computer account by using a command, type the following at a command prompt, and then press ENTER:

dsmod computer ComputerDN -disabled no

where ComputerDN specifies the distinguished name of the computer object that you want to enable. To view the complete syntax for this command, at a command prompt, type dsmod computer /?.


Allow a Computer to Use a Different DNS Name

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click Active Directory Users and Computers, and then click Connect to Domain.
  3. In Domain, type the domain name or click Browse to find the domain in which you want to allow computers to use different DNS names, and then click OK.
  4. Right-click Active Directory Users and Computers, point to View, and then click Advanced Features.
  5. Right-click the name of the domain, and then click Properties.
  6. Click the Security tab, click Add, click the Self group, click Add, and then click OK.
  7. Click Advanced, click Self, and then click View/Edit.
  8. On the Properties tab, click ComputerObjects in Apply onto.
  9. Under Permissions, click Write to DNSHostName, and then click to select the Allow check box.

    Caution: When you modify default security in this way, a computer that is joined to the selected domain and is operated by a malicious user may be able to advertise itself under a different name through the service principal name attribute.

    Note: This procedure also allows computers to have DNS host names longer than 15 bytes.
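After granting Write to DNSHostName, the risk named in the Caution can be monitored by comparing each computer account's name with its dNSHostName and service principal names. The following is an added example, not part of the original article; the function names, the 15-character truncation assumption and the sample accounts are constructed, and it is intended for workstations and member servers.

```powershell
# Added example; the sample accounts are constructed, not real directory data.
function Test-HostMatchesAccount {
    param([string]$HostName, [string]$Short, [string]$DnsDomain)
    $label, $suffix = $HostName -split '\.', 2
    # Assumption: an account name of exactly 15 characters may be the truncated
    # form of a longer host name, which this procedure permits.
    $labelOk = ($label -eq $Short) -or ($Short.Length -eq 15 -and
        $label.StartsWith($Short, [StringComparison]::OrdinalIgnoreCase))
    return $labelOk -and ((-not $suffix) -or ($suffix -eq $DnsDomain))
}

function Find-ComputerNameMismatch {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Computer,
        [Parameter(Mandatory)][string]$DnsDomain
    )
    process {
        $short    = $Computer.sAMAccountName.TrimEnd('$')
        $findings = @()
        if ($Computer.dNSHostName -and
            -not (Test-HostMatchesAccount $Computer.dNSHostName $short $DnsDomain)) {
            $findings += "dNSHostName=$($Computer.dNSHostName)"
        }
        foreach ($spn in $Computer.servicePrincipalName) {
            # SPN layout: serviceclass/host[:port][/servicename]
            $spnHost = ($spn -split '/')[1] -replace ':\d+$', ''
            if (-not (Test-HostMatchesAccount $spnHost $short $DnsDomain)) {
                $findings += "SPN=$spn"
            }
        }
        if ($findings) {
            [pscustomobject]@{ Account = $Computer.sAMAccountName; Mismatch = $findings -join '; ' }
        }
    }
}

$sample = @(
    [pscustomobject]@{ sAMAccountName = 'WKS-0142$'; dNSHostName = 'wks-0142.corp.example.com'
        servicePrincipalName = @('HOST/WKS-0142', 'HOST/wks-0142.corp.example.com') },
    [pscustomobject]@{ sAMAccountName = 'WKS-0207$'; dNSHostName = 'fs01.corp.example.com'
        servicePrincipalName = @('HOST/WKS-0207', 'HOST/fs01.corp.example.com') },
    [pscustomobject]@{ sAMAccountName = 'LAB-BUILD-AGENT$'; dNSHostName = 'lab-build-agent-07.corp.example.com'
        servicePrincipalName = @('HOST/lab-build-agent-07.corp.example.com') }
)
$sample | Find-ComputerNameMismatch -DnsDomain 'corp.example.com'
# Live data (ActiveDirectory module): Get-ADComputer -Filter * -Properties servicePrincipalName |
#     Find-ComputerNameMismatch -DnsDomain 'corp.example.com'
```

A reported mismatch is a prompt for review rather than proof of misuse, because cluster names and additional DNS names can appear in service principal names for legitimate reasons.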

Modification Type: Major
Last Reviewed: 11/19/2003
Keywords:kbhowto kbHOWTOmaster KB320187 kbAudITPro