Creating Computer Accounts

Previous page
Table of content
Next page

Microsoft® Windows® 2000 Scripting Guide

microsoft windows 2000 scripting guide

« Previous | Next »   

For a computer in your organization to have full access to Active Directory resources, it must have a corresponding computer account in Active Directory. Computers that do not have accounts in Active Directory and do not belong to a domain have limited access to resources and cannot be managed by using Group Policy or software installation and maintenance.

Table 9.3 lists the Microsoft Windows operating systems and indicates whether a computer running a given operating system requires a computer account in Active Directory.

Table 9.3   Operating Systems and Computer Account Requirements

Operating SystemComputer Account Required
Windows XP Home Edition  
Windows XP Professional
table bullet
Windows XP 64-Bit Edition
table bullet
Windows 2000 Professional
table bullet
Windows 2000 Server
table bullet
Windows 2000 Advanced Server
table bullet
Windows 2000 Datacenter Server
table bullet
Windows NT Server 4.0
table bullet
Windows NT Server 4.0, Terminal Server Edition
table bullet
Windows NT Server 4.0, Enterprise Edition
table bullet
Windows NT Workstation 4.0
table bullet
Windows NT Server 3.51
table bullet
Windows NT Workstation 3.51
table bullet
Windows Millennium Edition  
Windows 98 
Windows 95  
Windows 3.1 

Computer accounts can be created programmatically by using ADSI (and, more specifically, by using the IADs interface). To create a large number of computer accounts in a single operation, you can write a script that reads relevant information (computer name, computer location, and so forth) from a text file or a database, and then creates an account for each new computer. Using this kind of script is much quicker than manually creating each computer account by using Active Directory Users and Computers.

Note

  • For information about reading data from a database, see "Creating Enterprise Scripts" in this book.

When you create a computer account, you need to specify only the common name and the Security Accounts Manager (SAM) account name; the other mandatory attributes are automatically created for you.

However, if you specify only those two items, the account will initially be disabled. For a computer account to be enabled, you must also set the appropriate flags in the userAccountControl attribute. The userAccountControl attribute determines a number of different account attributes, including whether an account is enabled or disabled and whether an account requires a password. By setting two flags (ADS_UF_PASSWD_NOTREQD and ADS_UF_WORKSTATION_TRUST_ACCOUNT), the account will be enabled upon creation.

Setting Flags in the userAccountControl Attribute

For the purposes of this chapter, consider the userAccountControl attribute to be a control panel with a series of switches. These switches can be set to on or off. If a switch is set to on, the attribute controlled by that switch (the flag within the userAccountControl attribute) is also on. For example, if the ADS_UF_WORKSTATION_TRUST_ACCOUNT switch is on, that means that the account is a trusted workstation account. If the switch is off, the account is not a trusted workstation account. For a computer account to be enabled, both the ADS_UF_PASSWD_NOTREQD and ADS_UF_WORKSTATION_TRUST_ACCOUNT switches must be on.

Each flag within the userAccountControl attribute is assigned a value; for example, ADS_UF_PASSWD_NOTREQD is assigned the value &h0020 and ADS_UF_WORKSTATION_TRUST_ACCOUNT is assigned the value &h1000. These values correspond to the switches in the hypothetical control panel. When the userAccountControl attribute is assigned the value &h0020, it effectively flips the switch for ADS_UF_PASSWD_NOTREQD. Likewise, assigning the value &h1000 flips the switch for ADS_UF_WORKSTATION_TRUST_ACCOUNT.

If you are wondering how the userAccountControl attribute can be assigned multiple values, it is because the userAccountControl attribute contains multiple switches (flags).

For a more technical explanation of both the userAccountControl attribute and setting flags within that control, see "Active Directory Users" in this book.

Scripting Steps

Listing 9.2 contains a script that creates a computer account in Active Directory. To carry out this task, the script must perform the following steps:

  1. Create a variable named strComputer, and set the value to the name of the computer account to be created.
  2. Create a constant named ADS_UF_PASSWD_NOTREQD and set the value to &h0020.
  3. Create a constant named ADS_UF_WORKSTATION_TRUST_ACCOUNT and set the value to &h1000.

    These two constants are used to configure flags in the userAccountControl property and enable the new computer account. You can create a computer account merely by specifying a value for the sAMAccountName attribute. In that case, however, the account will be created but will not be enabled, and thus cannot be used immediately.

  4. Bind to the Computers container in Active Directory. The new account will be created in this container. To create the account in an organizational unit (OU), bind to the appropriate OU instead.
  5. Use the Create method to create the new account in the local cache. The Create method requires the following two parameters:
    • Computer indicating the type of account to be created.
    • cn= & strComputer indicating that the cn for the computer should be configured to the value of the variable strComputer.
  6. Use the Put method to set the value of the sAMAccountName attribute to the name of the computer and append a dollar sign ($) (in this case, atl-pro-001$).
  7. Use the Put method to enable the ADS_UF_PASSWD_NOTREQD and ADS_UF_WORKSTATION_TRUST_ACCOUNT flags in the userAccountControl property. This will enable the new computer account.
  8. Use the SetInfo method to apply the changes in the local cache to Active Directory. In turn, this will create the new account.

Listing 9.2   Creating a Computer Account in Active Directory

1 2 3 4 5 6 7 8 9 10 11 
strComputer = "atl-pro-001" Const ADS_UF_PASSWD_NOTREQD = &h0020 Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000 Set objRootDSE = GetObject("LDAP://rootDSE") Set objContainer = GetObject("LDAP://cn=Computers," & _     objRootDSE.Get("defaultNamingContext")) Set objComputer = objContainer.Create("Computer", "cn=" & strComputer) objComputer.Put "sAMAccountName", strComputer & "$" objComputer.Put "userAccountControl", _     ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT objComputer.SetInfo

Using the New Computer Account

After the account has been created, the computer in question must still be joined to the domain. This can be done only by someone who has the right to join a computer to the domain and who has access rights to the newly created computer account. By default, only administrators have access to the computer account; consequently, only an administrator can join the computer to the domain.

send us your feedback Send us your feedback « Previous | Next »   

Previous page
Table of content
Next page
Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003
Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 635
BUY ON AMAZON
Certified Ethical Hacker Exam Prep
Introducing Microsoft Office InfoPath 2003 (Bpg-Other)
Java How to Program (6th Edition) (How to Program (Deitel))
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century: Prevention and Detection for the Twenty-First Century
Introducing Microsoft ASP.NET AJAX (Pro - Developer)
.NET-A Complete Development Cycle
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy