Understanding Computer Accounts

Updated: December 30, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Every computer running Windows NT, Windows 2000, Windows XP, Windows Vista, or Windows 7 or server running Windows Server 2003, Windows Server 2008, Windows Server® 2012 or Windows Server 2008 R2 that joins a domain has a computer account. Like user accounts, computer accounts provide a means for authenticating and auditing access to the network and to domain resources. Each computer account must be unique.

Computers running Windows 95 and Windows 98 do not have advanced security features. Therefore, they are not assigned computer accounts.

You can add, disable, reset, and delete user and computer accounts with the Active Directory Users and Computers snap-in. You can also create a computer account when you join a computer to a domain.

When the domain functional level is set to Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012a lastLogonTimestamp attribute is used to track the last logon time of a user or computer account. This attribute is replicated within the domain, and it can provide you with important information regarding the history of a user or computer.

Understanding computer names

Each computer account that is created in Active Directory Domain Services (AD DS) has a relative distinguished name, a pre–Windows 2000 computer name (Security Accounts Manager (SAM) account name), a primary Domain Name System (DNS) suffix, a DNS host name, and a service principal name (SPN). The administrator enters the computer name when he or she creates the computer account. This computer name is used as the Lightweight Directory Access Protocol (LDAP) relative distinguished name.

AD DS suggests the pre–Windows 2000 name using the first 15 bytes of the relative distinguished name. The administrator can change the pre–Windows 2000 name at any time.

The DNS name for a host is called a full computer name. This is a DNS fully qualified domain name (FQDN). The full computer name is a concatenation of the computer name (the first 15 bytes of the SAM account name of the computer account without the "$" character) and the primary DNS suffix (the DNS domain name of the domain in which the computer account exists).

By default, the primary DNS suffix portion of the FQDN for a computer must be the same as the name of the Active Directory domain where the computer is located. To allow different primary DNS suffixes, a domain administrator may build a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the domain object container. The domain administrator creates and manages this attribute with Active Directory Service Interfaces (ADSI) or LDAP.

The SPN is a multivalue attribute. It is usually built from the DNS name of the host. The SPN is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the SPN of the service to which it is trying to connect. Members of the Domain Admins group can modify the SPN.

Additional references

Community Additions