Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain
ID: Q238793
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
SUMMARY
The process of creating a machine account has been enhanced in Windows 2000 to provide a more secure environment. When a new computer object is created, the Administrator can set which user or group has permission to join the computer to the domain. By default, this is set to the Domain Admins group. Changing this setting from the default changes the security permissions on the computer object: the chosen user or group is granted the Reset Password permission on that object. When you join a Windows 2000-based workstation or server to the domain, you are prompted for credentials; you must supply the user name and password of an account that has permission to add the computer to the domain.
In Microsoft Windows NT 4.0, after the Administrator creates a machine account, anyone can join a computer with that name to the domain. The Windows 2000 addition to the creation process increases network security.
The following section of this article describes how to create a machine account in Windows 2000 and to join the domain from a Windows 2000 client.
MORE INFORMATION
The following example demonstrates how to create a global group named Installers and add a computer named ComputerA, and how to give the Installers group permission to add the computer to the Microsoft.com domain.
Creating the Installers Group
- Start Active Directory Users and Computers by clicking Start, pointing to Programs, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
- Right-click the container in which the group will reside (for this example, right-click the Users folder), point to New, and then click Group.
- In the Name of New Group box, type Installers.
- Leave the default option settings (Group Type: Security; Group Scope: Global).
- Click OK.
Creating the ComputerA Computer Object
- Start Active Directory Users and Computers by clicking Start, pointing to Programs, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
- Right-click the container in which the computer will reside (for this example, right-click the Computers folder), point to New, and then click Computer.
- In the Computer Name box, type ComputerA.
- Click Change next to This computer can be joined to a domain by.
- Click the user or group. For this example, click the Installers group.
- Click OK.
Members of the Installers global group can now join the Windows 2000 client to the Windows 2000 domain.
Viewing Security on the Computer Object
- Start Active Directory Users and Computers by clicking Start, pointing to Programs, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
- On the View menu, click Advanced Features.
- Click the Computers folder or the container containing the computer.
- Right-click ComputerA, and then click Properties.
- Click the Security tab.
Joining a Workstation or Member Server to a Domain
The member server or workstation must be configured correctly so that it has full network connectivity and name resolution.
- Log on to the workstation or member server with an account that has local Administrative privileges.
- Right-click My Computer, and then click Properties.
- On the Network Identification tab, click Properties.
- Click Domain, and then type the domain name (in this example, Microsoft).
- Click OK. You are then prompted for the user name and password for an account that has rights to join the domain (for example, a user in the Installers global group).
NOTE: You can also use the Network ID button, which starts the Network Identification Wizard. The wizard can create the machine account in the domain as well as create a local user account on the computer.
Manually Changing Permission on a Computer Object
If you need to give a user or group the right to add a computer to the domain after the computer account has been created, you can manually set the security permissions for the computer object by following these steps:
- Start Active Directory Users and Computers by clicking Start, pointing to Programs, pointing to Administrative Tools, and then clicking Active Directory Users and Computers.
- On the View menu, click Advanced Features.
- Open the container in which the computer object resides.
- Right-click the computer object, and then click Properties.
- Click the Security tab.
- Click Add.
- Click the user or group you want to add.
- Click OK.
By default, this gives the user or group Read and Read Public Information permissions. You can leave these permissions or remove them. You must click to select the Allow check box next to the Reset Password permission.
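The Security tab in the two sections above ("Viewing Security on the Computer Object" and "Manually Changing Permission on a Computer Object") shows the Reset Password entry that controls who can join the computer. The following PowerShell script is an added example, not part of this article, that does the same two things from the command line: it lists every principal holding the Reset Password control access right on a computer object, and it grants that one right to a group. The distinguished name and the EXAMPLE\Installers group are placeholders; the script must run on a domain-joined Windows host as an account that may read and, for the grant, modify the object's security descriptor.

```powershell
# Added example (not from the KB article). Assumes the placeholder DN and group
# below; replace them with your own values.
#
# The "Reset Password" entry on the Security tab is the User-Force-Change-Password
# control access right. Its rightsGuid is the same in every forest:
# 00299570-246d-11d0-a768-00aa006e0529.

$ComputerDn        = "CN=ComputerA,CN=Computers,DC=example,DC=com"   # placeholder
$InstallersGroup   = "EXAMPLE\Installers"                            # placeholder
$ResetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"

function Get-ResetPasswordGrants {
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $acl   = $entry.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

    # Walk explicit and inherited ACEs. An ACE covers Reset Password when it carries
    # the ExtendedRight bit (GenericAll includes that bit) and its ObjectType is
    # either the Reset Password GUID or the empty GUID, which means every
    # extended right on the object.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'Scope'; Expression = {
                if ($_.ObjectType -eq [Guid]::Empty) { 'All extended rights' } else { 'Reset Password only' } } }
}

function Grant-ResetPassword {
    param([string]$DistinguishedName, [string]$Principal)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Scope the new ACE to this single right rather than to all extended rights,
    # which is what the "This computer can be joined to a domain by" dialog does.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount($Principal)),
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControlType]::Allow,
        $ResetPasswordGuid)
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
}

"Before:"
Get-ResetPasswordGrants -DistinguishedName $ComputerDn | Format-Table -AutoSize
Grant-ResetPassword -DistinguishedName $ComputerDn -Principal $InstallersGroup
"After:"
Get-ResetPasswordGrants -DistinguishedName $ComputerDn | Format-Table -AutoSize
```

Principals that hold GenericAll on the object (Domain Admins and SYSTEM in a default forest) appear in the listing with scope "All extended rights", because full control implies Reset Password. Anything else listed there is an account or group that can set the computer account's password, and therefore join or rejoin a computer with that name, so the "Before" listing is a useful periodic check that delegation has not drifted beyond what was intended.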
Additional query words:
Keywords : kbtool ntdomain
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo