Pre-staging computer accounts

by Mitch Tulloch [Published on 25 April 2007 / Last Updated on 25 April 2007]

How to ensure client computers are not left in an unmanaged state after joining a domain.

When you join a Windows computer to a domain, its computer account is placed in the Computers container by default. Unfortunately, the Computers container is not an organizational unit (OU), so you can’t link a Group Policy Object (GPO) to it. As a result, computers that join a domain this way are placed into an unmanaged state, which might contravene your company’s security policy.

The solution is to pre-stage your computer accounts by pre-creating these accounts within an OU that has a GPO linked to it to enforce policy. Just use Active Directory Users and Computers to create computer accounts in the OU that have the same names as the computers that you will be joining to the domain. Then, when each computer joins the domain, it will check whether a pre-staged computer account is present, and if it is then it will use that computer account instead of creating one within the Computers container.
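The same pre-staging can be scripted. The following PowerShell is an added example, not part of the original tip; it assumes the ActiveDirectory module (RSAT) is available, and the OU path and computer names are hypothetical placeholders. It creates the accounts in the target OU, skips names that already exist, and then lists any accounts still sitting in the default Computers container.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) is installed
# and the session runs with rights to create computer objects in the OU.
Import-Module ActiveDirectory

# Hypothetical values: replace with your own OU and computer names.
$TargetOU  = 'OU=Workstations,DC=example,DC=com'
$Computers = 'WKS-001', 'WKS-002', 'WKS-003'

# Fail early if the target OU does not exist, rather than creating nothing silently.
$null = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop

foreach ($name in $Computers) {
    # A computer name must be unique in the domain, so search everywhere, not just the OU.
    $existing = Get-ADComputer -Filter "Name -eq '$name'"
    if ($existing) {
        # Report where the account lives; one found in CN=Computers needs moving, not re-creating.
        Write-Warning "$name already exists at $($existing.DistinguishedName)"
        continue
    }

    # Pre-create the account inside the GPO-linked OU.
    New-ADComputer -Name $name -SamAccountName $name -Path $TargetOU -Enabled $true
    Write-Output "Pre-staged $name in $TargetOU"
}

# Audit: computer accounts that landed in the default Computers container
# are the ones that joined without a pre-staged account.
$defaultContainer = (Get-ADDomain).ComputersContainer
Get-ADComputer -Filter * -SearchBase $defaultContainer -SearchScope OneLevel |
    Select-Object Name, DistinguishedName
```

The account used to join each computer still needs permission on its pre-staged object, so run the join with an account that has been granted that right.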

***

Mitch Tulloch was the lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. For more about Mitch, visit his website www.mtit.com
