Share via


Create a new computer account

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

To create a new computer account

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click Computers.

    Where?

    • Active Directory Users and Computers/domain node/Computers

    Or, right-click the folder in which you want to add the computer.

  3. Point to New, and then click Computer.

  4. Type the computer name.

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • By default, members of the Account Operators group can create computer accounts in the Computers container and in new organizational units.

  • By default, Authenticated Users in a domain are assigned the Add workstations to a domain user right and can create up to 10 computer accounts in the domain. For more information, see Related Topics.

  • There are two additional ways to give a user or group permission to add a computer to the domain: Use a Group Policy object to assign the Add Computer User permission, or, on the organizational unit, assign the user or group the Create Computer Objects permission.

  • To view or change a computer name and to modify the domain in which it belongs, click Start, right-click My Computer, click properties, click the Computer Name tab, and then click Change.

  • If the computer using the account you are creating is a pre-Windows 2000 computer, select the Assign this computer account as a pre-Windows 2000 computer check box.

  • If the computer using the account you are creating is a Windows NT backup domain controller, select Assign this computer account as a backup domain controller check box.

  • By default, a newly created computer account is assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over that computer account. If a server that is represented by this computer account is promoted to a domain controller, the computer account retains this "Account Ops-FC" ACE, and therefore, members of the Account Operators group will have full control on this domain controller, which is not a recommended configuration. For example, members of Account Operators group will be able to reset this domain controller’s password. Because the Account Operators group has significant power in the domain, we recommend that you add members to it with caution. For a detailed description of the Account Operators group, see Default groups (https://go.microsoft.com/fwlink/?LinkID=131422). To modify permissions for Account Operators on a computer account, you can use Active Directory Users and Computers snap-in and complete the following steps:

    1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

    2. In the console tree, right-click the computer account that represents the server that you want to promote to a domain controller status, and then click Properties.

    3. On the Security tab, select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.

Using a command line

  1. Open Command Prompt.

  2. Type:

    dsadd computer ComputerDN

Value Description

ComputerDN

Specifies the distinguished name of the computer you want to add. The distinguished name specifies the directory location.

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • By default, members of the Account Operators group can create computer accounts in the Computers container and in new organizational units.

  • By default, Authenticated Users in a domain are assigned the Add workstations to a domain user right and can create up to 10 computer accounts in the domain. For more information, see Related Topics.

  • There are two additional ways to give a user or group permission to add a computer to the domain: Use a Group Policy object to assign the Add Computer User permission, or, on the organizational unit, assign the user or group the Create Computer Objects permission.

  • To view the complete syntax for this command, at a command prompt, type:

    dsadd computer /?

  • To modify the properties of a computer account, use the dsmod computer command.

  • By default, a newly created computer account is assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over that computer account. If a server that is represented by this computer account is promoted to a domain controller, the computer account retains this "Account Ops-FC" ACE, and therefore, members of the Account Operators group will have full control on this domain controller, which is not a recommended configuration. For example, members of Account Operators group will be able to reset this domain controller’s password. Because the Account Operators group has significant power in the domain, we recommend that you add members to it with caution. For a detailed description of the Account Operators group, see Default groups (https://go.microsoft.com/fwlink/?LinkID=131422). To modify permissions for Account Operators on a computer account, you can use Active Directory Users and Computers snap-in and complete the following steps:

    1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

    2. In the console tree, right-click the computer account that represents the server that you want to promote to a domain controller status, and then click Properties.

    3. On the Security tab, select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Dsadd
Find a computer account
Active Directory integration
Object names
Domain controllers
Add workstations to domain
Privileges