This video looks at computer accounts in Active Directory. Each time you add a computer to the domain, a computer account is created for that computer in the Active Directory database. This video looks at how these computer accounts work and how to reset a computer account if the password in the computer account becomes out of sync with the password stored on the local computer.
Demonstration 04:57
Computer Account
A computer account in Active Directory is very similar to a user account in Active Directory. Fundamentally, a computer account and a user account are made from the same attributes. Like a user account, the computer account has a password. Unlike a user account, this password is randomly generated. This password is supplied to the domain when the computer starts up, which allows a secure connection to be created between the computer and the Domain Controller. This password is automatically changed after 30 days. If the computer has not connected to the domain for more than 30 days, the computer will still be able to access the domain. The password for the computer account will be changed the next time the computer connects to the domain.
Resetting the computer account
Sometimes the password used on the local computer and that stored in the domain for the computer account become out of sync. When this occurs, you will receive a message, “The trust relationship between this workstation and the primary domain failed.” When this occurs, the computer will need to be re-added to the domain.
Pre-Stage Computer Accounts
A computer account is automatically created for a computer when it is added to the domain. You can also manually create the computer account in advance before the computer is added to the domain. When this is done, it is referred to as pre-stage. There are a number of reasons why you may want to pre-stage the computer account:
1) Deployment solutions like Windows Deployments Solutions (WDS) can be configured to use only pre-stage accounts. This stops computers from being deployed unless computer accounts have been created for them. This essentially puts some controls on images that are deployed using systems like WDS.
2) A pre-stage computer account ensures that the computer is put into the correct organizational unit. If you do not use a pre-staged computer account, the computer account will be created in the default location of computers. The computers OU can’t have additional group policies applied to it, so it limits how the computer can be administered. Pre-staging the computer ensures that administrators can control the computer using group policy as soon as the computer is added to the domain.
3) When a pre-stage computer account is created, permissions can be assigned on the pre-stage account. These permissions allow any user that you choose to add the computer to the domain with that computer name. Normally, in order to add a computer to the domain, you would need a user that is a member of the administrators group.
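The following PowerShell is an added example, not part of the original video or its author's material. It audits the two points above: computer accounts whose password is older than the 30-day change interval, and accounts that sit in the default Computers location rather than a chosen OU. The function name Get-StaleMachinePassword, the example.test domain and the sample accounts are constructed for illustration; the commented last line assumes the ActiveDirectory module is installed.

```powershell
function Get-StaleMachinePassword {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        [int]$MaxAgeDays = 30,            # change interval described in the text
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # Parent location = distinguished name with the first RDN removed
        # (the lookbehind skips commas that are escaped inside the name).
        $parent = $Computer.DistinguishedName -replace '^CN=.+?(?<!\\),', ''

        # Whole days since the machine password was last changed.
        $age = if ($Computer.PasswordLastSet) {
            [int][math]::Floor(($AsOf - $Computer.PasswordLastSet).TotalDays)
        } else { $null }

        [pscustomobject]@{
            Name               = $Computer.Name
            PasswordAgeDays    = $age
            # No timestamp at all is flagged too, so the account gets reviewed.
            PasswordStale      = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            # Default location for accounts that were not pre-staged.
            InDefaultContainer = $parent -like 'CN=Computers,DC=*'
            Parent             = $parent
        }
    }
}

# Constructed sample accounts (not real data) so the function runs offline.
$asOf   = [datetime]'2024-06-30'
$sample = @(
    [pscustomobject]@{ Name = 'WS01'; PasswordLastSet = [datetime]'2024-06-20'
        DistinguishedName = 'CN=WS01,OU=Workstations,DC=example,DC=test' }
    [pscustomobject]@{ Name = 'WS02'; PasswordLastSet = [datetime]'2024-03-01'
        DistinguishedName = 'CN=WS02,OU=Workstations,DC=example,DC=test' }
    [pscustomobject]@{ Name = 'LAB7'; PasswordLastSet = [datetime]'2024-06-25'
        DistinguishedName = 'CN=LAB7,CN=Computers,DC=example,DC=test' }
)

$sample | Get-StaleMachinePassword -AsOf $asOf |
    Where-Object { $_.PasswordStale -or $_.InDefaultContainer } |
    Format-Table Name, PasswordAgeDays, PasswordStale, InDefaultContainer -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter * -Properties PasswordLastSet | Get-StaleMachinePassword
```

An account flagged as stale has not connected to the domain within the change interval, so it is a candidate for review or for the trust-relationship failure described in the previous section.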
Demonstration
To perform administration on computer accounts inside Active Directory, open Active Directory Users and Computers from administrative tools under the start menu.
If you select a computer account, you can access the properties of the computer account by right clicking and selecting properties. The properties tab contains information about the computer like what type of computer it is, for example, a “workstation or server” or a Domain Controller with or without it being configured as a global catalog server.
To create a pre-stage computer account, open Active Directory Users and Computers. Inside Active Directory Users and Computers, navigate to the OU that you want to create the computer account in. In the new computer dialog you can also set a user account that will be allowed to add the computer to the domain.
To add a computer to the domain, open Windows Explorer and right click on computer and select properties. From the system properties, select the option change settings and then press the button change. This will allow you to remove or add the computer to a domain.
To reset the password on a computer account, right click the computer account and select reset account. The computer will need to be removed from the domain and re-added. When you remove the computer from the domain and place it in a work group, you do not need to reboot the computer before adding it to the domain again. Once it is added to the domain, you will need to reboot the computer to complete the process.