Machine Account Security After Upgrade from Windows NT 4.0

ID: Q222582


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server


SUMMARY

This article describes the security on domain machine accounts before and after an upgrade to Windows 2000. This information can be used in troubleshooting permissions on machine account objects in the Active Directory and determining which user created the machine account before the upgrade.


MORE INFORMATION

The Discretionary ACL (DACL) contains Access Control Entries (ACEs) that define the permissions on a given object. In Microsoft Windows NT 4.0, when a machine account is created, the domain Administrators local group becomes the owner of the machine account. The user who created the machine account is stored as part of its data, and the DACL on the machine account includes limited rights for that user (such as the right to delete the account).

When an upgrade to Windows 2000 is performed, the following changes occur on each machine account:

  • A machine account object is created in the default Computers container.

  • The user who created the machine account becomes the owner of that account object in the Active Directory.

  • The DACL on the machine account is reset to the default that is defined for objects of the Computer class in the schema. This DACL includes an entry for Creator Owner, which ACL Editor displays under the name of the user who created the account. Other ACEs can also be present if users or groups have been added, or permissions changed, on parent containers in the Active Directory, because those permissions are inherited by the machine account object.

    Self:
        Create All Child Objects
        Delete All Child Objects
    Authenticated Users:
        Read
        Read Public Information
    System:
        (Full Control)
    Creator Owner:
        (Full Control)
    Domain Administrators:
        (Full Control)
    Cert Publishers:
        (no permissions)
    Enterprise Administrators (inherited permission):
        Read
        Write
        Create All Child Objects
        Change Password
        Receive As
        Reset Password
        Send As
        Read Public Information
        Write Public Information
    Account Operators:
        (Full Control)
    Print Operators:
        (no permissions)
    Everyone:
        Change Password


The default DACLs listed above also apply to new machine accounts.
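The security-relevant consequence of the upgrade is that the Creator Owner entry gives the pre-upgrade creator of a machine account Full Control over that object, so an ordinary user who joined a workstation under Windows NT 4.0 can end up owning its computer object. The following script is an added example, not part of this article and not Microsoft tooling of the Windows 2000 era: it lists every computer object in a container with its owner and any explicit Full Control grants, and flags objects whose owner is not an administrative group. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later); the search base and the domain name are placeholders.

```powershell
# Added example (not from this article): audit owner and explicit Full Control ACEs on
# computer objects. Assumes the ActiveDirectory module; replace the placeholder DN.
Import-Module ActiveDirectory

$SearchBase = 'CN=Computers,DC=example,DC=com'   # placeholder: your Computers container
$NetBios    = (Get-ADDomain).NetBIOSName
# Owners that are expected after a clean Windows 2000 (or later) join
$ExpectedOwners = @("$NetBios\Domain Admins", 'BUILTIN\Administrators')
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll   # "Full Control" in ACL Editor

function Get-ComputerOwnerReport {
    param([string]$Base)
    Get-ADComputer -Filter * -SearchBase $Base | ForEach-Object {
        # The AD: drive exposes each object's security descriptor to Get-Acl
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)

        # Explicit (non-inherited) Allow ACEs that grant GenericAll, i.e. Full Control.
        # On an upgraded account this is where the Creator Owner grant shows up.
        $fullControl = $acl.Access |
            Where-Object { -not $_.IsInherited -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.ActiveDirectoryRights.HasFlag($GenericAll) } |
            ForEach-Object { $_.IdentityReference.Value }

        [pscustomobject]@{
            Name         = $_.Name
            Owner        = $acl.Owner                      # "DOMAIN\name", or a raw SID if unresolvable
            OwnerIsAdmin = ($ExpectedOwners -contains $acl.Owner)
            FullControl  = ($fullControl -join ', ')
        }
    }
}

# Machine accounts still owned by the user who created them before the upgrade
Get-ComputerOwnerReport -Base $SearchBase |
    Where-Object { -not $_.OwnerIsAdmin } |
    Format-Table Name, Owner, FullControl -AutoSize
```

An owner reported as a raw SID usually means the creating user has since been deleted; because the owner of an object can always rewrite its DACL, the usual remediation is to take ownership with an administrative group and let the default permissions stand. On Windows 2000 itself the same information is visible with dsacls.exe from the Support Tools, for example `dsacls "CN=PC1,CN=Computers,DC=example,DC=com"` (placeholder distinguished name), whose output begins with the object's owner followed by the access list.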

Keywords : kbnetwork ntdomain
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.