Join domain with blank username

    Question

  • Hi, I have a 2008 Server as Domain Server and computers with XP.

    Today I joined a new computer to the domain, and when I was asked for the administrator username and password, I just accepted with both textboxes blank. It was very surprising when I received the "Welcome to the domain" message.

    Any suggestion?

    Thursday, March 01, 2012 3:40 PM

All replies

  • You are required to type a username and password that has permissions on the domain to add a computer.

    http://blogs.technet.com/b/jhoward/archive/2005/04/18/403817.aspx

    Authenticated users should be able to add 10 computers to the domain.

    Thursday, March 01, 2012 3:47 PM
  • Thanks for the reply, but I don't understand why "blank" is a valid authentication username.

    It was very strange, because with a blank username and anything in the password the computer is allowed to join the domain.

    Thursday, March 01, 2012 4:13 PM
  • Right, that is what I'm saying: you must have a username and password to authenticate so you can add a workstation. Have you tried doing this process again with the blank username and password? Are you sure it was blank?
    Thursday, March 01, 2012 4:16 PM
  • Yes, it worked three times with the username blank and different passwords. Every time, the computers joined the domain.
    Thursday, March 01, 2012 4:23 PM
  • Do you have the Guest Account enabled?
    Thursday, March 01, 2012 4:34 PM
  • I'll check it
    Thursday, March 01, 2012 4:47 PM
  • I checked it myself. I tried to join a computer without a username and password.

    Then I tried to join a computer with a blank username and a valid domain administrator password.

    It did not work. I was not able to join the domain.


    Kamal Sharma

    Friday, March 02, 2012 4:16 AM
  • Yes, I did not have the Guest account enabled on my domain / local computer.

    I tried to join a computer without a username and password.

    Then I tried to join a computer with a blank username and a valid domain administrator password.

    It did not work. I was not able to join the domain.

    I have even now enabled the Guest account with the password Pa$$w0rd on both sides (DC and local computer).

    It's the same situation. I am unable to join the domain with username and password.


    Kamal Sharma

    Friday, March 02, 2012 4:20 AM
  • Hi,

    Thanks for your posting.

    I reproduced this scenario in my test, and got the reason.

    When you send blank information to join a PC to the domain in XP, it'll use the current logon account and credential for authentication.

    If the current account also exists in your domain, the credential is then validated.
    If validation succeeds, it checks whether this account has permission to join workstations to the domain; if yes, the workstation is joined to the domain.
    If validation fails, it returns the error: The following error occurred attempting to join the domain: Logon failure: unknown user name or bad password.

    If the account does not exist in the domain, the Guest user credential is sent for authentication.

    You can now join a computer to the domain and then check the event log on your domain controller: check Event IDs 4776, 4672, 4742, 4722 to find which account you used to join the domain.

    Note: this was reproduced on an XP system and not reproduced on a Windows 7 system; Vista was not tested.

    For more information please refer to following MS articles:

    Required Permissions
    http://technet.microsoft.com/en-us/library/cc754005(v=ws.10).aspx
    Join Domain or Workgroup
    http://technet.microsoft.com/en-us/library/bb680826.aspx


    Lawrence

    TechNet Community Support

    Friday, March 02, 2012 6:31 AM
    Moderator
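
Added example (not part of any post in this thread): one way to run the event-log check described in the post above, pulling the listed Event IDs from the domain controller's Security log and showing which account each one names. It assumes PowerShell 3.0 or later in an elevated session on the DC and a 30-minute look-back window; Event ID 4741 (computer account created) is an addition that is not in the post's list.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
# 4776, 4672, 4742, 4722 are the IDs listed in the post; 4741 is added here.
$ids   = 4776, 4672, 4741, 4742, 4722
$since = (Get-Date).AddMinutes(-30)   # assumption: the join happened in the last 30 minutes

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the event's named <Data> fields into a hashtable
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        Subject     = $data['SubjectUserName']  # account that performed the action
        Target      = $data['TargetUserName']   # account acted on (4776: account being validated)
        Workstation = $data['Workstation']      # 4776 only: machine that sent the credential
    }
}

# Full timeline around the join
$rows | Sort-Object Time | Format-Table -AutoSize

# Computer-account events only: Subject is the account that joined the machine.
# Computer account names end in '$'.
$rows |
    Where-Object { (4741, 4742 -contains $_.Id) -and $_.Target -like '*$' } |
    Sort-Object Time |
    Select-Object Time, Id, Subject, Target
```

A Subject of Administrator or Guest on the computer-account rows, with no credentials typed at the join prompt, is the fallback match discussed in this thread.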
  • Even I tested it, but it doesn't work. How can you log on as a domain user unless you have joined the domain? Do I need to log on as Guest on the local computer?

    Kamal Sharma

    Friday, March 02, 2012 8:05 AM
  • Hi Kamal,

    Lawrence isn't suggesting you're deliberately using a domain account, but rather that the workgroup account running the setup process at that stage has the same username and password as an account already in the domain, and that is how the match is being created. This account will only be used if you leave the username and password fields blank - it's like a fallback condition.

    Are the machines you've been joining clones (including virtual machine templates), or are they being built from DVD? I'm guessing it may well be the former.

    Cheers,
    Lain

    Friday, March 02, 2012 8:23 AM
  • Ok... I got it now....

    Yes, it's true, and it worked like that 3 times.


    Kamal Sharma

    Friday, March 02, 2012 8:34 AM
  • If you want to prevent this kind of behaviour, you can set the ms-DS-MachineAccountQuota attribute in Active Directory to zero. There's a number of tools you can use to do this. Here's how to do it with two:

    PowerShell:

    Run the following as a domain admin:

    Set-ADDomain yourDomain.com -Replace @{"ms-ds-MachineAccountQuota"="0"}

    AdsiEdit.msc:

    • Run adsiedit.msc as a domain administrator
    • Connect to the Default Naming Context
    • Expand the "Default naming context" node so that you can see your domain node
    • Right-click on the domain node and choose Properties
    • Look for and change the ms-DS-MachineAccountQuota attribute to have a value of zero ("0")

    Cheers,
    Lain

    Friday, March 02, 2012 9:11 AM
  • Thanks for all replies

    I think Lawrence is right. I had the Guest account disabled, but the Domain Administrator account had the same password as the local SAM Administrator password on the new computer, so that's the answer. Funny coincidence.

    Thanks again

    Friday, March 02, 2012 5:54 PM
  • That's good to hear.

    It's also worth noting that if it's been matching an authorised account allowed to join machines to the domain (such as the Administrator account) then the above steps I listed will not help. They will only help if it had been matching a regular user (or guest) account.

    Cheers,
    Lain

    Friday, March 02, 2012 11:58 PM