DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 320187 - Last Review: October 30, 2006 - Revision: 3.3

This article was previously published under Q320187
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/) .
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/) .

On This Page

SUMMARY

A computer account is an account that is created by a domain administrator. The computer account uniquely identifies the computer on the domain. The Windows computer account matches the name of the computer joining the domain. This article explains how to manage computer accounts in Active Directory.

How To Manage Computer Accounts

Add a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the container in which you want to add the computer.
  3. Right-click Computers or the container in which you want to add the computer, point to New, and then click Computer.
  4. Type the computer name.IMPORTANT: The Default Domain Policy settings allow only members of the Domain Admins group to add a computer account to a domain. Click Change to specify a different user or group that can add this computer to the domain.

    NOTES:
    • To view or change the full computer name of a computer and the domain that a computer belongs to, right-click My Computer on the desktop, click Properties, and then click the Network Identification tab.
    • There are two additional ways to give a user or group permission to add a computer to the domain: use a Group Policy object to grant the right Add computer user, or, for the organizational unit in which you want to allow them to create computer objects, grant the user or group the permission to create computer objects.
    • If the computer that is using the account that you are creating is running a version of Windows earlier than 2000, click to select the Assign this computer account as a pre-Windows 2000 computer check box.
    • The Assign this computer account as a pre-Windows 2000 computer check box assigns a password that is based on the new computer name. If you do not select this check box, you are assigned a random password.
    • If you intend to use the computer with the newly created account as a backup computer for a domain controller, click Assign this computer account as a backup domain controller.
To add a computer account by using a command, type the following at a command prompt, and then press ENTER
dsadd computer ComputerDN
where ComputerDN the distinguished name of the computer you want to add. The distinguished name specifies the directory location. To view the complete syntax for this command, at a command prompt, type dsadd computer /?.

NOTE: To modify the properties of a computer account, use the dsmod computer command.

Add a Computer Account to a Group

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, under the domain node, click Computers, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Properties.
  4. On the Member Of tab, click Add.
  5. Click the group to which you want to add the computer, and then click Add.
    Or, to add the computer to more than one group, press CTRL and click the groups to which you want to add the computer, and then click Add.NOTES:
    • Adding a computer to a group allows you to grant permissions to all of the computer accounts in that group and to filter Group Policy settings on all accounts in that group.
    • To add a computer to a group, you can also drag the computer to a specific group.
To add a computer account to a group by using a command, type the following at a command prompt, and then press ENTER
dsmod group GroupDN -addmbr ComputerDN
where ComputerDN the distinguished name of the computer you want to add (the distinguished name specifies the directory location), and GroupDN specifies the distinguished names of the group object to which you want to add the computer object. To view the complete syntax for this command, at a command prompt, type dsmod group /?.

Delete a Computer Account

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Delete.

Find a Computer Account

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. If you want to search the entire domain, right-click the domain node in the console tree, and then click Find.
    Or, if you know which organizational unit the computer is in, right-click the organizational unit in the console tree, and then click Find.
  3. In Find, click Computers.
  4. In Name, type the name of the computer you want to find.
  5. To find only domain controllers, click Domain Controller in Role.
    Or, to find only workstations and servers (not domain controllers), click Workstations and Servers in Role.
  6. Click Find Now.NOTE: Click the Advanced tab for more powerful search options.

Manage a Remote Computer

NOTE: To perform this task, you do not have to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Manage.

    Computer Management starts. From Computer Management, you can administer remote computers. You must have administrative credentials on the local computer to view certain information or to modify computer properties by using Computer Management. NOTE:

Modify Computer Account Properties

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Properties.

Move a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Move.
  4. In the Move dialog box, click the domain node.
  5. Click the folder to which you want to move the computer, and then click OK.NOTES:
    • Members of the Account Operators group can move computer accounts to organizational units but not to default containers such as Builtin or Computers. However, Account Operators cannot move computer accounts into the Domain Controllers organizational unit but can move computer accounts from the Domain Controllers organizational unit.
    • Active Directory Users and Computers cannot move computer accounts between domains. To move a computer account between domains use Movetree, one of the Active Directory support tools.

Reset a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, under the domain node, click Computers, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Reset Account.NOTE: Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain.
To reset a computer account using a command line, type the following at a command prompt, and then press ENTER
dsmod computer ComputerDN -reset
where ComputerDN specifies the distinguished names of one or more computer objects that you want to reset. To view the complete syntax for this command, at a command prompt, type dsmod computer /? .

Turn Off a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Disable Account.NOTE: Turning off a computer account breaks that computer's connection with the domain and that computer will not be able to authenticate to the domain.
To turn off a computer account by using a command, type the following at a command prompt, and then press ENTER
dsmod computer ComputerDN -disabled yes
where ComputerDN specifies the distinguished names of the computer object that you want to disable. To view the complete syntax for this command, at a command prompt, type dsmod computer /? .

Turn On a Computer Account

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Computers under the domain node, or click the folder in which the computer is located.
  3. In the details pane, right-click the computer, and then click Enable Account.
To turn on a computer account by using a command, type the following at a command prompt, and then press ENTER
dsmod computer ComputerDN -disabled no
Where ComputerDN specifies the distinguished names of the computer object that you want to disable. To view the complete syntax for this command, at a command prompt, type dsmod computer /? .

Allow a Computer to Use a Different DNS Name

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click Active Directory Users and Computers, and then click Connect to Domain.
  3. In Domain, type the domain name or click Browse to find the domain in which you want to allow computers to use different DNS names, and then click OK.
  4. Right-click Active Directory Users and Computers, point to View, and then click Advanced Features.
  5. Right-click the name of the domain, and then click Properties.
  6. Click the Security tab, click Add, click the Self group, click Add, and then click OK.
  7. Click Advanced, click Self, and then click View/Edit.
  8. On the Properties tab, click ComputerObjects in Apply onto.
  9. Under Permissions, click Write to DNSHostName, and then click to select the Allow check box.Caution: By modifying default security in this way, there is a chance that a computer joined to the selected domain could be operated by a malicious user and may be able to advertise itself under a different name through the service principal name attribute.

    Note: This procedure also allows computers to have DNS host names longer than 15 bytes.

APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Keywords: 
kbhowto kbhowtomaster KB320187
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support