join domain overwrites existing computer name...

  • Question

  • I have an issue that occurs infrequently where one of my admins will join a new computer to the domain using the same name as an existing computer.  When this occurs the original computer object in AD ends up getting overwritten and the previous physical computer no longer has any ties to AD.  The computer object actually retains information such as the description; however, I believe the objectSid gets changed.  There seems to be no prompt during the join process that an existing object with the same computer name resides in AD.  These are XP SP3 workstations that have been deployed from a Ghost image that has been sysprepped with the correct version of Sysprep.  These machines are being joined to a Windows 2003 domain using a domain admin account.  This has occurred a few times in the past and I was wondering if there is any way to avoid this from happening?

    Tuesday, January 26, 2010 4:25 PM

Answers

  • Rather than using Domain Admin privileges, separate creation of the computer accounts and the process of joining computers to the domain using precreated computer accounts. Delegate each to separate groups. Use http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx as a guide...

    hth
    Marcin
    Tuesday, January 26, 2010 5:21 PM
  • Hello Griff73,

    What you see is expected behaviour. Domain administrators have the "Reset Password" permission on the computer object, which is needed to overwrite existing computer accounts. "Read" permission on the OU in ADUC is also needed, which domain administrators also have.

    With separation of the steps as described by Marcin you are on the safe side with this, as long as the accounts don't have the mentioned permissions.

    There will be no prompt, as domain administrators are not restricted in their own domain and won't be asked for each step. Normally they know what they are doing; that's the reason they are domain administrators.
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Sunday, February 21, 2010 10:38 AM
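The two answers above describe a procedure (pre-stage the account in the right OU, delegate only the join rights to a non-admin group, and never join with Domain Admin credentials) and explain why the join silently succeeds (the joining principal holds Reset Password on the existing object). The PowerShell below is an added example written for this page, not code from the thread or from Microsoft. It assumes the ActiveDirectory module (RSAT with a 2008 R2 or later DC, or ADWS); the XP/2003 environment in the question would perform the same three steps with dsadd computer, dsacls and netdom join. The computer name, OU, domain and group name are placeholders, and the schema GUIDs are the well-known ones for the rights the join operation exercises.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT);
# the thread's XP/2003 setup would use dsadd computer / dsacls / netdom join instead.
# All names below are placeholders for this example.
Import-Module ActiveDirectory

$ComputerName = 'WS-FIN-0042'                                    # placeholder
$TargetOU     = 'OU=Workstations,OU=Finance,DC=corp,DC=example'  # placeholder
$JoinGroup    = 'Desktop-Joiners'                                # placeholder: a non-admin group

# Well-known schema GUIDs for the rights a domain join exercises on a computer object.
$ResetPassword        = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right
$ValidatedDnsHostName = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # validated write
$ValidatedSpn         = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # validated write
$AccountRestrictions  = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # property set

# 1. The check the join wizard never performs. ADUC refuses to create a duplicate
#    name, but a join by a principal holding Reset Password on the existing object
#    simply resets that object's password and re-points it at the new machine.
$existing = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Properties objectSid, Description
if ($existing) {
    $msg = "'{0}' already exists: {1} (SID {2}, description '{3}'). Choose another name or retire the old object deliberately." -f `
        $ComputerName, $existing.DistinguishedName, $existing.objectSid, $existing.Description
    throw $msg
}

# 2. Pre-create the account in the intended OU rather than CN=Computers, so the
#    OU's GPOs apply at first boot and nobody has to move the object later.
New-ADComputer -Name $ComputerName -SamAccountName "$ComputerName`$" -Path $TargetOU -Enabled $true
$computer = Get-ADComputer -Identity $ComputerName

# 3. Delegate the join rights on this one object only. The group gets nothing on
#    other computers and no Create Child on the OU, so it cannot hijack or
#    overwrite an account that was not staged for it.
$group = Get-ADGroup -Identity $JoinGroup
$acl   = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$rules = @(
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $group.SID, ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight), $allow, $ResetPassword
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $group.SID, ([System.DirectoryServices.ActiveDirectoryRights]::Self), $allow, $ValidatedDnsHostName
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $group.SID, ([System.DirectoryServices.ActiveDirectoryRights]::Self), $allow, $ValidatedSpn
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $group.SID, ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty), $allow, $AccountRestrictions
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$($computer.DistinguishedName)" -AclObject $acl

# Optional hardening: by default any authenticated user may create ten machine
# accounts. Setting the quota to 0 forces every join through a pre-staged object.
# Set-ADDomain -Identity corp.example -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 4. On the workstation, a member of Desktop-Joiners (not a Domain Admin) joins.
#    Because the account is pre-staged, no -OUPath is needed, and the credential
#    can only claim the object that was created for this name.
# Add-Computer -DomainName 'corp.example' -Credential (Get-Credential 'CORP\joiner') -Restart
```

Step 1 is the part that addresses the original question directly: the join has no duplicate-name prompt, so the operator's tooling has to supply it. Steps 2 and 3 make the prompt unnecessary for the day-to-day case, because a join credential that holds Reset Password only on the object staged for it cannot overwrite an unrelated machine's account even when someone reuses a name.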

All replies

  • Thanks for the reply Marcin.  I find it kind of weird that you are not prompted during the domain join that a duplicate name exists; is this by design?  Have you ever experienced the issue I had described?
    Tuesday, January 26, 2010 9:56 PM
  • Meinolf,

    Thanks for the clarification on why this happens, and more specifically that it's the 'Reset Password' permission that the domain admin holds that allows this to happen.  A domain admin cannot add a duplicate computer account when doing so through the AD Users & Computers MMC; AD throws a deny "computer name is already in use" dialog box.  So within the AD Users & Computers MMC the tasks 'Add New Computer' and 'Reset Account' are two distinct tasks; however, when joining a computer to a domain it's basically "add new account, but if the account exists then reset the existing account".  I still think that there should be a prompt when joining a computer to the domain from the client machine with the same friendly name as an existing one.  Microsoft loves prompting with warnings; can't believe they do not do so in this situation...

    Monday, February 22, 2010 1:42 PM
  • Hi Griff73,

    When we join a computer to the domain, an account for this object is automatically created in AD, so what is the use of creating computer accounts manually in AD?


    Best Regards, Parveen Chauhan Email-parveenc@hcl.in Mobile: +91-9811629793
    Monday, August 9, 2010 6:04 AM
  • When you add a computer account by simply joining a domain, the computer gets dumped into the Computers container in AD; if you pre-create the account you can place it in the proper organizational unit at the start.  You may also want to do this if you have Group Policies set up other than the default domain policy and want a better chance that these policies get applied.  The default Computers container can get a little messy if you have multiple administrators joining machines to the domain; this container will have to be cleaned up every so often, which is a pain.

    Monday, August 9, 2010 1:21 PM