Joining PCs to domain

  • Question

  • Hi, just want to find out if it's possible to join PCs to domain by first creating the computer account in AD rather than allowing it to be joined automatically.

     

    This way, it prevents others from joining PCs to domain without first getting the account created.

     

    Thanks


    Isaac2k2
    Saturday, August 14, 2010 9:09 AM

Answers

  • Yes, it is possible and an often used practice. Pre-creating an account allows you to place the object in any OU desired instead of the object being automatically created in the Computers container and having to move it after joining the domain. When the computer is initially restarted when joining the domain it will have the group policies immediately instead of having to restart or gpupdate after the computer object is moved to the desired OU. It also allows you to lock down the Computers container if you always pre-create accounts.
    I hope this information answered your question or was helpful.
    • Proposed as answer by Roy Mayo Saturday, August 14, 2010 9:45 AM
    • Marked as answer by Brent Hu Friday, August 20, 2010 3:26 AM
    Saturday, August 14, 2010 9:44 AM
  • As Roy has pointed out, this is a common practice. In addition to benefits outlined above, this also gives you the functionality you are looking for - more specifically, the ability to delegate permissions to join a computer to the domain using an existing computer account - while preventing at the same time the same users from adding a computer to the domain if the corresponding computer account has not been precreated. More info at http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

    hth
    Marcin

    • Marked as answer by Brent Hu Friday, August 20, 2010 3:26 AM
    Saturday, August 14, 2010 11:12 AM
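The procedure the two answers above describe, as an added example that is not part of the thread: set ms-DS-MachineAccountQuota to 0 so that no ordinary user can create a computer object on their own (by default it is 10, so pre-staging by itself does not stop anyone from joining ten machines), pre-create the account in the target OU, and delegate the join of that one object to a helpdesk group. The domain name corp.example.com, the Workstations OU, the computer name PC01 and the group CORP\Desktop-Techs are assumed; the four GUIDs are the schema GUIDs of the Reset Password extended right, the two validated writes (DNS host name, service principal name) and the Account Restrictions property set, which is the set of rights a join to an existing account needs.

```powershell
# Added example (not from the thread). Run on a DC or a management host that
# has the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
# Assumed names: corp.example.com, OU=Workstations, PC01, CORP\Desktop-Techs.
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'
$OuPath   = 'OU=Workstations,DC=corp,DC=example,DC=com'
$Computer = 'PC01'
$Joiner   = 'CORP\Desktop-Techs'    # group allowed to join this one account

# 1. Stop authenticated users from creating computer objects themselves.
#    The default quota of 10 is what lets anyone join a machine without a
#    pre-created account; 0 closes that path. Principals that hold an explicit
#    "Create Computer objects" permission on an OU are not affected.
Set-ADDomain -Identity $Domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Pre-create the account directly in the target OU, so it never lands in
#    the Computers container and GPOs linked to the OU apply at first boot.
New-ADComputer -Name $Computer -SamAccountName $Computer -Path $OuPath -Enabled $true
$ObjectPath = "AD:\CN=$Computer,$OuPath"

# 3. Delegate the join: grant the helpdesk group only the rights the join
#    needs on this object, nothing on the OU itself.
$sid = (New-Object System.Security.Principal.NTAccount($Joiner)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$joinRights = @(
    @{ Right = 'ExtendedRight'; Guid = '00299570-246d-11d0-a768-00aa006e0529' },  # Reset Password
    @{ Right = 'Self';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' },  # Validated write to DNS host name
    @{ Right = 'Self';          Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' },  # Validated write to SPN
    @{ Right = 'WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }   # Account Restrictions property set
)
$acl = Get-Acl -Path $ObjectPath
foreach ($r in $joinRights) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$r.Guid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $ObjectPath -AclObject $acl

# 4. Verify placement and the delegation before handing the job over.
Get-ADComputer -Identity $Computer | Select-Object Name, DistinguishedName
(Get-Acl -Path $ObjectPath).Access |
    Where-Object { $_.IdentityReference -eq $Joiner } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# 5. On PC01 itself, a member of Desktop-Techs joins with the pre-created
#    account (the join resets the account password using the Reset Password
#    right above). The same credential cannot join a machine whose account
#    was not pre-staged, because the quota is now 0.
# Add-Computer -DomainName $Domain -Credential (Get-Credential 'CORP\tech1')
# Restart-Computer
```

The join on the client is left as a comment because it runs on a different machine; do not pass -OUPath to Add-Computer when the account already exists, the object stays where it was pre-created.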
  • You can use both options.  You can either pre-create (prestage) the computer account or you can directly join them to the domain. Take a look at the following articles:

    "When you join a Windows computer to a domain, by default the computer account for the computer gets placed into the Computers container. Unfortunately the Computers container is not an organizational unit (OU) so you can’t link a Group Policy Object to it, and as a result computers that join a domain like this are placed into an unmanaged state, which might contravene your company’s security policy"

    http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/Pre-stagingcomputeraccounts.html

     http://support.microsoft.com/kb/251335

     


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Brent Hu Friday, August 20, 2010 3:26 AM
    Sunday, August 15, 2010 12:47 AM

All replies

  • Yes, Windows 2008 R2 has a new feature called Offline Domain Join

    http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx


    http://www.virmansec.com/blogs/skhairuddin
    Saturday, August 14, 2010 9:40 AM
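The offline domain join this reply points to, as an added example that is not part of the thread. It wraps djoin.exe, the tool the linked step-by-step guide describes: the first function runs on a domain-joined host and creates (or, with -Reuse, resets the password of an already pre-staged) account in the chosen OU, writing a provisioning blob; the second runs on the new machine, which never needs to reach a domain controller during setup. The names corp.example.com, the Workstations OU, PC02 and the C:\provision folder are assumptions.

```powershell
# Added example (not from the thread). Offline domain join with djoin.exe
# (Windows Server 2008 R2 / Windows 7). Assumed names: corp.example.com,
# OU=Workstations, PC02, C:\provision.

# Step 1: on a domain-joined host, as a user who may create computer objects
# in the target OU, or, with -Reuse, as a user holding the delegated join
# rights on an account that was pre-staged earlier.
function New-OdjBlob {
    param(
        [string]$Domain   = 'corp.example.com',
        [string]$OuPath   = 'OU=Workstations,DC=corp,DC=example,DC=com',
        [string]$Machine  = 'PC02',
        [string]$BlobPath = "C:\provision\$Machine.txt",
        [switch]$Reuse                  # target an existing account instead of creating one
    )
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $Machine,
                   '/machineou', $OuPath, '/savefile', $BlobPath)
    if ($Reuse) { $djoinArgs += '/reuse' }   # resets the existing account's password
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
    # The blob carries the machine account's password. Treat it as a credential:
    # move it to PC02 over a trusted channel and delete it once it has been used.
    Get-Item -Path $BlobPath
}

# Step 2: on PC02 itself, as a local administrator. The join is applied to the
# local OS image and takes effect at the next reboot; the first contact with a
# DC happens then.
function Invoke-OdjRequest {
    param([string]$BlobPath = 'C:\provision\PC02.txt')
    & djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    Remove-Item -Path $BlobPath -Force   # do not leave the account secret on disk
    Restart-Computer -Force
}

# Usage (each line on its respective machine):
# New-OdjBlob -Machine 'PC02'            # new account in OU=Workstations
# New-OdjBlob -Machine 'PC02' -Reuse     # account was pre-created earlier
# Invoke-OdjRequest -BlobPath 'C:\provision\PC02.txt'
```

Combined with the quota and delegation settings from the earlier example, -Reuse is the mode that keeps the "no pre-created account, no join" rule: the provisioning user only needs rights on the pre-staged object, not create rights on the OU.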