Creating Computer Accounts in Active Directory Domains




You can create a computer account for a workstation or server that you want to add to the domain using DSADD computer. When you do this, you create the computer account in advance so that it is available when the computer joins the domain. To create computer accounts, you must have the appropriate permissions. Most users can create a computer account in their logon domain. Group Policy and other permissions can change this.

Creating a Computer Account

When creating a computer account, the only required information is the account’s DN. As you may recall from the previous chapter, a DN specifies the full name of an object in Active Directory and includes the path to the object’s location. Because of this, when you provide a DN for a computer account, you specify the computer account name and the container in which the account should be created. Consider the following example:

dsadd computer "CN=CORPSERVER05,OU=Domain Controllers,DC=cpandl,DC=com"

Tip

The DN specifies where, within the domain hierarchy, the computer account is created. You can create computer accounts in any domain in the forest for which you have appropriate access permissions. In some cases, you might need to log on directly to a domain controller in the domain you want to work with. Use -S Server to connect to a specific domain controller in any domain in the forest. Use -D Domain to connect to any available domain controller in the specified domain.

Here you create the CORPSERVER05 computer account in the Domain Controllers container within Active Directory. If the account creation is successful, DSADD computer reports:

dsadd succeeded:CN=CORPSERVER05,OU=Domain Controllers,DC=cpandl,DC=com

Use -U UserName and -P Password to set the Run As permissions.

Account creation isn’t always successful, however. The most common reason is that you specified an incorrect DN. For example, if you were to use the command

dsadd computer "CN=CORPSERVER05,CN=Domain Controllers,DC=cpandl,DC=com"

DSADD computer would report

dsadd failed:CN=CORPSERVER05,CN=Domain Controllers,DC=cpandl,DC=com:Directory object not found.

The reason for this error is that Domain Controllers is created as an organizational unit (OU), not as a generic container. That is, we improperly used CN=Domain Controllers instead of correctly using OU=Domain Controllers.

Another common reason for failure is that an account already exists with the name you attempt to use. In this case, select a different computer account name.

Customizing Computer Account Attributes and Group Memberships

When you provide only a DN, several parameters are set for you automatically. Group membership is set so that the computer is a member of Domain Computers. The SAM account name is derived from the common name attribute used in the computer’s DN. Basically, the DSADD computer command adds a dollar sign as a suffix to this name. In the previous example, the common name is CORPSERVER05, so the SAM account name is CORPSERVER05$.

If you want to customize the computer account attributes when you create a computer account, you can do this using these additional parameters:

  • Samid Use -Samid to set the SAM account name, which must end in a dollar sign, such as -samid CORPSERVER05$.

  • Desc Use -Desc to set the description of the computer you want to add, such as -desc "CNMember Server".

  • Loc Use -Loc to provide a text description of the physical location of the computer you want to add. Typically, this is the office and building in which the computer is located. For example, if the computer is located in office 110 of building E, you could type -loc "E/110".

You set group memberships for a new computer account by using the -Memberof parameter. This parameter accepts a space-separated list of DNs representing the groups in which you want the computer as a member. For example, if you wanted a new computer account to be a member of the Engineering group and the DN for this group was CN=Engineering,OU=Eng,DC=cpandl,DC=com, you could use a command line similar to the following:

dsadd computer "CN=CORPSERVER05,OU=Domain Controllers,DC=cpandl,DC=com" -memberof "CN=Engineering,OU=Eng,DC=cpandl,DC=com"

If you wanted a new computer account to be a member of the Engineering and Tech groups and the DNs for these groups were CN=Engineering,OU=Eng,DC=cpandl,DC=com and CN=Tech,CN=Users,DC=cpandl,DC=com, respectively, you could use a command line similar to the following:

dsadd computer "CN=CORPSERVER05,OU=Domain Controllers,DC=cpandl,DC=com" -memberof "CN=Engineering,OU=Eng,DC=cpandl,DC=com" "CN=Tech,CN=Users,DC=cpandl,DC=com"

Note

You don’t have to specify Domain Computers as a group membership. New computer accounts are automatically members of Domain Computers as well as any other groups you specify.
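
The failure cases and parameters described in this section, combined into one pre-flight script (an added example, not code from the book). It uses the page's sample names, DNs and attribute values, and assumes the ds* tools return a non-zero exit code on failure.

```powershell
# Added example: pre-flight checks, creation and read-back for a pre-staged
# computer account. All names and DNs are the page's sample values.
$Name     = 'CORPSERVER05'
$ParentDN = 'OU=Domain Controllers,DC=cpandl,DC=com'
$Groups   = @('CN=Engineering,OU=Eng,DC=cpandl,DC=com',
              'CN=Tech,CN=Users,DC=cpandl,DC=com')
$DN       = "CN=$Name,$ParentDN"

# Returns $true when the DN resolves. A base-scope query touches only that one
# object. Assumption: dsquery exits non-zero on "Directory object not found".
function Test-DirectoryObject([string]$ObjectDN) {
    $null = dsquery '*' $ObjectDN -scope base 2>&1
    return ($LASTEXITCODE -eq 0)
}

# 1. The parent must exist with the right RDN type (OU= versus CN=).
if (-not (Test-DirectoryObject $ParentDN)) {
    Write-Error "Parent container not found: $ParentDN (check OU= versus CN=)"
    exit 1
}

# 2. The name must not already be in use in the domain.
$existing = dsquery computer domainroot -name $Name
if ($existing) {
    Write-Error "Computer account $Name already exists: $existing"
    exit 1
}

# 3. Every group DN must resolve before it is passed to -memberof.
foreach ($group in $Groups) {
    if (-not (Test-DirectoryObject $group)) {
        Write-Error "Group not found: $group"
        exit 1
    }
}

# 4. Create the account. The array expands to one -memberof DN per argument;
#    the SAM account name is the common name plus a trailing dollar sign.
dsadd computer $DN -samid ($Name + '$') -desc 'CNMember Server' -loc 'E/110' -memberof $Groups
if ($LASTEXITCODE -ne 0) { Write-Error "dsadd failed for $DN"; exit 1 }

# 5. Read back what the directory actually stored.
dsget computer $DN -samid -desc -loc
dsget computer $DN -memberof
```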






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
EAN: 2147483647
Year: 2004
Pages: 114
