Computer Account in Active Directory
A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device. To identify a specific computer, two processes are required:
- Create a computer account in Active Directory.
- Join a computer to the domain. When you join the domain, the device is associated with the Active Directory computer account.
You can perform these processes in the following ways:
- From the computer, edit the System properties to join the domain. The computer contacts the domain controller, and a computer account is created in Active Directory. When you join a domain and create a new computer account in one step, the computer account is added to the Computers built-in folder in Active Directory.
- Prior to the computer joining the domain, you can create a computer account for the computer in Active Directory. When the computer joins the domain, the computer is matched to the existing computer account. Use this method to control the location of the computer account in Active Directory.
Offline domain join
During the domain join process, the workstation must communicate with a domain controller. In situations where a network connection does not exist, you can use the offline domain join feature to join the computer to the domain. To perform an offline join:
1. Run Djoin.exe /provision on a computer that can communicate with a domain controller (this computer is called the provisioning computer). This process creates the computer account and generates a text file with information that the joining computer will need.
2. Copy the resulting file to the computer that you want to join to the domain. Run Djoin.exe /requestODJ to insert the file into the Windows directory. When you reboot the computer, it will be joined to the domain. You can also insert the account metadata into an Unattend.xml file and use the file during installation to join the computer to the domain during the install process.
Note: You can only run Djoin.exe on a computer running Windows Server 2008 R2 or Windows 7 (or higher). This means that only computers running these operating systems can be joined to the domain offline. By default, Djoin contacts a domain controller running Windows Server 2008 R2; to communicate with a domain controller running an earlier version, run Djoin with the /downlevel parameter.
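The two-step offline join above, written out as an added PowerShell example (not from the original page). The domain name, computer name, OU and blob path are assumptions for illustration; the /machineou switch is used so the account lands in a chosen OU rather than the Computers container, and the verification step needs the ActiveDirectory module on the provisioning computer.

```powershell
# Added example, not part of the original page. Names, OU and file path are
# assumptions for illustration; adjust them for your environment.
function Invoke-OdjProvision {
    # Step 1: run on the provisioning computer (one that can reach a domain controller).
    param(
        [string]$Domain   = 'corp.example.com',
        [string]$Machine  = 'WS-ODJ-01',
        [string]$OU       = 'OU=Workstations,DC=corp,DC=example,DC=com',
        [string]$BlobFile = 'C:\ODJ\WS-ODJ-01.txt',
        [switch]$Downlevel   # set when the reachable DC predates Windows Server 2008 R2
    )
    # /provision creates the computer account and writes the join blob to a file.
    # /machineou places the account in a chosen OU instead of the Computers
    # container, so Group Policy linked to that OU applies once the join completes.
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $Machine,
                   '/machineou', $OU, '/savefile', $BlobFile)
    if ($Downlevel) { $djoinArgs += '/downlevel' }
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit code $LASTEXITCODE)" }

    # The blob carries the account's initial password, so handle the file like a
    # credential: confirm the account was created where intended, move the file
    # over a trusted channel, and delete it after use.
    Get-ADComputer -Identity $Machine | Select-Object Name, DistinguishedName
}

function Invoke-OdjRequest {
    # Step 2: run on the computer being joined; no domain controller connectivity is needed.
    param([string]$BlobFile = 'C:\ODJ\WS-ODJ-01.txt')
    # /requestODJ injects the blob into the Windows directory; /localos targets the
    # running installation. The join takes effect at the next reboot.
    & djoin.exe /requestODJ /loadfile $BlobFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit code $LASTEXITCODE)" }
    Remove-Item -Path $BlobFile -Force   # the blob is single-use; do not leave it on disk
    Restart-Computer
}
```

Run Invoke-OdjProvision on the provisioning computer, copy the blob to the target, then run Invoke-OdjRequest there.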
Be aware of the following facts about computer accounts and joining a domain:
- Because the Computers folder is not an OU, you cannot link a GPO to this container, meaning that only Group Policy settings in the domain will apply to these computers. For more control over Group Policy settings for computers or groups of computers, move computer accounts to OUs.
- To control where computer accounts are placed when the computer joins the domain, create computer accounts ahead of time before joining the domain from the workstation.
- The following group members can create a computer account:
o Account Operators
o Domain Admins
o Enterprise Admins
- Members of the Authenticated Users group can join up to 10 computers to a domain from a workstation (and create the computer account automatically if it does not already exist). This ability comes from the Add workstations to a domain user right. You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.
- You can grant other users permissions to create computer accounts by giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs.
- To join a computer to a domain, you must be a member of the Administrators group on the local computer or be given the necessary rights.
- Use the dsadd and netdom utilities to create computer accounts from a command prompt or a script. Use netdom to rename a computer account. Use netdom join to join a computer to a domain.
- After a computer account is created, you must join the computer to the domain before the computer receives Group Policy settings or before Active Directory receives workstation-specific information.
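Pre-staging an account in a chosen OU, delegating Create Computer Objects on that OU, and checking the per-user join limit described above, as an added PowerShell example (not from the original page). It requires the ActiveDirectory module; the domain, OU, group and computer names are assumptions for illustration.

```powershell
# Added example, not part of the original page. Requires the ActiveDirectory
# module (RSAT). Domain, OU, group and computer names are assumptions.
Import-Module ActiveDirectory
$OU      = 'OU=Workstations,DC=corp,DC=example,DC=com'
$Group   = 'CORP\HelpDesk'
$Machine = 'WS-0042'

# 1. Pre-stage the account in the OU you want, instead of letting the join drop
#    it into the Computers container (which cannot have a GPO linked to it).
New-ADComputer -Name $Machine -SamAccountName $Machine -Path $OU -Enabled $true

# 2. Delegate "Create Computer Objects" on the OU to a group. With dsacls, /I:T
#    applies the ACE to the OU and its children; CC = create child, restricted to
#    the 'computer' class so the group cannot create users or OUs there. This
#    delegation has no numeric limit, unlike the 10-computer quota below.
dsacls $OU /I:T /G "${Group}:CC;computer"

# 3. The "up to 10 computers" right for Authenticated Users is controlled by the
#    domain's ms-DS-MachineAccountQuota attribute. Read it and flag a non-zero
#    value; environments that rely on explicit delegation often set it to 0.
$DomainDN = (Get-ADDomain).DistinguishedName
$Quota = (Get-ADObject -Identity $DomainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($Quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $Quota: any authenticated user can add that many computer accounts."
    # Optional hardening, once delegation is in place:
    # Set-ADDomain -Identity $DomainDN -Replace @{'ms-DS-MachineAccountQuota' = 0}
}

# 4. Verify the delegation took effect and the account landed in the right OU.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType
Get-ADComputer -Identity $Machine | Select-Object Name, DistinguishedName

# 5. From the workstation, join to the pre-staged account. -OUPath also controls
#    placement when no account exists yet and the join creates one.
# Add-Computer -DomainName corp.example.com -OUPath $OU -Credential (Get-Credential) -Restart
```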
- Each computer has a password that is automatically generated when the computer joins the domain. When the computer boots, this password is used to authenticate the computer to the domain and to establish a secure channel between the computer and the domain controller.
o The password is saved on the local computer and in Active Directory. By default, the password is changed automatically every 30 days.
o If the two passwords become unsynchronized, the computer will not be able to connect to the domain, and you will see an error indicating that the computer failed to authenticate. This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with another one using the same computer account name.
- When computer logon fails, reset the computer account. To reset the account, use one of the following methods:
o Run the netdom reset command followed by the computer account name and the domain.
o In Active Directory Users and Computers, right-click the computer account and select Reset Account.
o Create a script in Visual Basic.
After resetting the computer account, you must rejoin the computer to the domain.
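Auditing the machine password rotation, finding accounts whose password has gone stale, checking the secure channel and resetting the account with netdom, as an added PowerShell example (not from the original page). It requires the ActiveDirectory module for the domain-side query; the domain and computer names are assumptions for illustration.

```powershell
# Added example, not part of the original page. Domain and computer name are
# assumptions for illustration. Run the domain-side parts with domain admin rights.
Import-Module ActiveDirectory
$Domain  = 'corp.example.com'
$Machine = 'WS-0042'

# 1. On the workstation: confirm the 30-day rotation is still in force. Netlogon
#    reads these values; DisablePasswordChange = 1 stops rotation entirely, and a
#    MaximumPasswordAge far above 30 should have a documented reason.
$Netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$MaxAge   = if ($null -ne $Netlogon.MaximumPasswordAge) { $Netlogon.MaximumPasswordAge } else { 30 }
"Machine password rotates every $MaxAge days; DisablePasswordChange = $($Netlogon.DisablePasswordChange)"

# 2. On the domain side: list enabled computer accounts whose password has not
#    changed in three rotation windows. Rebuilt, replaced or decommissioned
#    machines show up here and are candidates for reset or removal.
$Cutoff = (Get-Date).AddDays(-90)
Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -lt $Cutoff } |
    Select-Object Name, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet

# 3. On the workstation: query the secure channel to the domain. A failure here
#    is the "failed to authenticate" symptom described above.
nltest /sc_query:$Domain

# 4. Reset the account when the local and directory copies of the password are
#    out of sync, then rejoin the computer to the domain as described above.
netdom reset $Machine /domain:$Domain
if ($LASTEXITCODE -ne 0) { throw "netdom reset failed (exit code $LASTEXITCODE)" }
```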