Enhanced security joining or resetting machine account in Windows 2000 domain (238793)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q238793

SUMMARY

The process of creating a machine account has been enhanced in Windows to provide a more secure environment. When a new computer object is created, the Administrator can set which user or group has permissions to join the computer to the domain. By default, only members of the Authenticated Users global group have the requisite authority to join computers to a domain. By changing this information from the default, you are changing the security permissions on the computer object by giving the user or group Reset Password permission. When you join a Windows-based workstation or server to the domain, you are prompted for a password. You must supply the user name and password for an account that has permission to add the computer to the domain.

In Microsoft Windows NT 4.0, after the Administrator creates a machine account, anyone can add the account to the domain. This addition to the creation process increases network security.

The following section of this article describes how to create a machine account in Windows and to join the domain from a Windows client.

MORE INFORMATION

The following example demonstrates how to create a global group named Installers and add a computer named ComputerA, and how to give the Installers group permission to add the computer to the Microsoft.com domain.

Creating the Installers group

  1. Start Active Directory Users and Computers by clicking Start, pointing to Programs, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
  2. Right-click the container in which the group will reside (for this example, right-click the Users folder), point to New, and then click Group.
  3. In the Name of New Group box, type Installers.
  4. Leave the default option settings: Group Type; Security, and Group Scope; Global.
  5. Click OK.

Creating the ComputerA computer object

  1. Start Active Directory Users and Computers by clicking Start, pointing to Programs, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
  2. Right-click the container in which the computer will reside (for this example, right-click the Computers folder, point to New, and then click Computer.
  3. In the Computer Name box, type ComputerA.
  4. Click Change next to This computer can be joined to a domain by.
  5. Click the user or group. For this example, click the Installers group.
  6. Click OK.
By default, users or groups in the Installers global group can join the Windows client to a Windows domain.

Viewing security on the computer object

  1. Start Active Directory Users and Computers by clicking Start, pointing to Programs, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
  2. On the View menu, click Advanced Features.
  3. Click the Computers folder or the container containing the computer.
  4. Right-click ComputerA, and then click Properties.
  5. Click the Security tab.

Joining a workstation or member server to a domain

The member server or workstation must be configured correctly so that it has full network connectivity and name resolution.
  1. Log on to the workstation or member server with an account that has local Administrative privileges.
  2. Right-click My Computer, and then click Properties.
  3. On the Network Identification tab, click Properties.
  4. Click Domain, and then type the domain name (in this example, Microsoft).
  5. Click OK. You are then prompted for the user name and password for an account that has rights to join the domain (for example, a user in the Installers global group).
NOTE: You can also use the Network ID button, which starts the Network Identification Wizard. You can then create the machine account in the domain, as well as creating a local user account on the computer.

Manually changing permission on a computer object

If you need to give a user or group the right to add a computer to the domain after the computer account has been created, you can manually set the security permissions for the computer object by following these steps:
  1. Start Active Directory Users and Computers by clicking Start, pointing to Programs, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
  2. On the View menu, click Advanced Features.
  3. Open the container in which the computer object resides.
  4. Right-click the computer object, and then click Properties.
  5. Click the Security tab.
  6. Click Add.
  7. Click the user or group you want to add.
  8. Give the user or group the following four permissions:

    Reset Password
    Validated write to DNS host name
    Validated write to service principal name
    Write Account Restrictions

  9. Click OK.
By default, the user or group is only given the Read, Read Public Information, Read Personal Information, and Read Account Restrictions permissions. You must add the other four permissions to enable the user or group to join the computer to the domain.

These permissions are also granted if you add the user or group to the This computer can be joined to a domain by field in the new computer object dialog box.

Modification Type:MinorLast Reviewed:8/31/2006
Keywords:kbinfo KB238793
©2004 Microsoft Corporation. All rights reserved.