Creating a Computer Account Management Plan

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Computers running Windows 2000 and Windows Server 2003 have their own accounts in Active Directory and authenticate to the domain with their own credentials, in a process that is separate from, and transparent to, the user who logs on at the console.

Because each computer has its own identity, you can apply uniform security policy to groups of computers according to how they are grouped: the computers in a domain, a site, or an organizational unit (OU) receive the rights and policies linked to that container. For example, you can place the public kiosks on a retail floor in one OU and apply restrictive settings and limited user permissions there, and place a computer kept in a locked office in another OU whose policy allows its users greater access to resources.

Evaluate the security needs of the different types of computers in your organization. Determine which computers are more exposed to compromise (a kiosk on a retail floor, for example, as opposed to a computer in a locked office) and therefore require stronger security settings, and then link the policies to the domains, sites, and OUs as appropriate. For more information about applying security policies, see "Deploying Security Policy" in Designing a Managed Environment in this kit.

Managing Computer Accounts

You also need to establish a plan for managing computer accounts, including:

  • The creation of new accounts

  • The deletion of old accounts

  • The resetting of computer account passwords

Because a computer account is created automatically whenever a computer is joined to a domain, you need to decide who has the right to join computers to the domain. You can delegate this responsibility to an individual or group in your organization by assigning them the Add workstations to domain user right through Group Policy, or, more narrowly, by granting them Create Computer objects permission on the specific OU in which the accounts should be created.

You can choose to manage new computer account creation in your organization in one of the following ways:

  • Allow authenticated users to create new computer accounts. This approach might be acceptable in organizations where users can be largely trusted. If you want to trust only a limited group of users, such as developers, to create computer accounts, you can assign or deny the right by using the Security Configuration Manager. By default, Authenticated Users are assigned the Add workstations to domain user right in the Group Policy object linked to the Domain Controllers OU. This lets each of them create up to 10 computer accounts in the domain by using the Network Identification Wizard; the limit is the value of the domain's ms-DS-MachineAccountQuota attribute, and it does not restrict users who hold explicit Create Computer objects permission on an OU. The wizard asks for the computer name, the domain or workgroup that the computer is joining, and the domain users to add to the local groups for local access, and uses this information and the credentials of the authenticated user to create the account in Active Directory. Accounts created this way are placed in the domain's default Computers container, to which no OU-linked Group Policy applies, so plan to move them into the correct OU.

    Note

    • After a computer account is created, administrators must ensure that it is placed in the appropriate OU and security groups, so that the intended Group Policy objects apply to it.
  • IT staff joins each new computer to the domain individually during installation. Although this approach can work for small organizations in which computer account creation occurs infrequently, it is impractical for large organizations with a high volume of new computer accounts.

  • IT staff uses scripts to create new accounts ahead of time, and assigns new computers to the existing accounts during installation. You can use an Active Directory Service Interfaces (ADSI) script to create computer accounts before the new computers are installed. As new computers are brought online, their computer names must match the names that you specified in the script, and the user who performs the join must have rights on the pre-created account (by default, the user who created it). This approach works well for organizations in which many similar computers need to be added to a domain at the same time, such as in a training lab or server farm. For more information about using scripts to create new computer accounts, see Windows Deployment and Resource Kits at https://www.microsoft.com/reskit, or see the MSDN Scripting Clinic link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

    Note

    • Creating new computer accounts from the computer itself is more secure than creating them remotely or by using scripts. An attacker who gains a foothold in some part of a domain can reuse existing account-creation scripts or remote creation processes, and the credentials they run under, to create accounts that further the compromise. Requiring that new accounts be created from the new computer, by a user present at it, limits that reuse.
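The following is an added example, not code from the original article, of the pre-creation approach described above written for PowerShell's ADSI support rather than the VBScript of the era. It creates a batch of computer accounts in a lab OU, checks the domain's ms-DS-MachineAccountQuota so the "up to 10" default is read rather than assumed, and refuses to create a name that already exists. The domain, OU, and computer names are assumptions; adjust them before running. It must run as a user delegated Create Computer objects permission on the target OU.

```powershell
# Added example (not from the original article): pre-create computer accounts
# with ADSI, as the "scripts to create new accounts ahead of time" option
# describes. Domain DN, target OU and names below are assumptions.

$domain = [ADSI]"LDAP://DC=corp,DC=example"                  # assumed domain
$labOU  = [ADSI]"LDAP://OU=TrainingLab,DC=corp,DC=example"   # assumed target OU
$names  = 1..5 | ForEach-Object { "LAB-PC{0:D2}" -f $_ }     # LAB-PC01 .. LAB-PC05

# The per-user join limit for ordinary authenticated users lives on the domain
# object; read it rather than relying on the documented default of 10.
$quota = $domain.'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

# userAccountControl flag for a workstation/server account. Do NOT OR in 0x20
# (PASSWD_NOTREQD) as many old samples do: it allows the account to exist
# with an empty password until the real computer joins.
$WORKSTATION_TRUST_ACCOUNT = 0x1000

foreach ($name in $names) {
    $sam = "$name`$"     # a computer's sAMAccountName always ends in '$'

    # The new computer must use exactly this name, so a clash means a typo
    # or a duplicate plan; never silently reuse an existing account.
    $search = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $search.Filter = "(&(objectCategory=computer)(sAMAccountName=$sam))"
    if ($search.FindOne()) {
        Write-Warning "$name already exists; skipping"
        continue
    }

    $computer = $labOU.Create("computer", "CN=$name")
    $computer.Put("sAMAccountName", $sam)
    $computer.Put("userAccountControl", $WORKSTATION_TRUST_ACCOUNT)
    $computer.Put("description", "Pre-created $(Get-Date -Format yyyy-MM-dd); join pending")
    $computer.SetInfo()
    Write-Host "Created $($computer.distinguishedName)"
}
```

The account that later joins each computer must have rights on the pre-created object; by default that is the creator, so run this script under the same delegated account that installation staff will use to join, or explicitly delegate on the lab OU. Because the accounts exist before the hardware does, review the OU periodically and remove any that were never joined (the description stamp above makes them easy to find), which is the window the note about remote creation is warning about.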

You can choose to delete computer accounts in your organization in one of the following ways:

  • Include deleting users’ computer accounts as part of the employee departure procedure. When employees leave your organization, establish a policy by which their computer accounts are deleted from Active Directory.

  • Create scripts that search for computer accounts that have not been logged on to for a period of time, or whose password has not changed, and delete those accounts. For example, you might create a script that identifies accounts that have not logged on for six weeks, or whose password is older than twice the machine account password lifetime prescribed by domain Group Policy (the Domain member: Maximum machine account password age setting, 30 days by default), and deletes them. Base the logon test on the lastLogonTimestamp attribute, which is replicated between domain controllers (it is available once the domain is at the Windows Server 2003 functional level) but can lag the true last logon by up to 14 days; lastLogon is not replicated and would have to be read from every domain controller. Disable stale accounts first and delete them only after a grace period, so that a computer that was merely offline, such as a laptop or a lab machine, can be recovered by re-enabling the account rather than by rejoining the domain.
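As an added example that is not part of the original article, the script below implements the stale-account search just described: six weeks without a logon, or a password older than twice the machine account password lifetime. It uses only ADSI and System.DirectoryServices, so it needs no additional module, disables matching accounts by default, and deletes only when run with -Delete; both actions honour -WhatIf. The domain DN and the thresholds are assumptions exposed as parameters.

```powershell
# Added example (not from the original article): report, disable and optionally
# delete stale computer accounts. Domain DN below is an assumption.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DomainDN = "DC=corp,DC=example",   # assumed domain
    [int]$InactiveDays = 42,                    # six weeks
    [int]$PasswordLifetimeDays = 30,            # "Maximum machine account password age" default
    [switch]$Delete                             # default action is disable only
)

# lastLogonTimestamp and pwdLastSet are 64-bit FILETIME values (100 ns ticks
# since 1601-01-01 UTC), so the LDAP filter compares against FILETIME integers.
$inactiveCutoff = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()
$pwdCutoff      = (Get-Date).AddDays(-2 * $PasswordLifetimeDays).ToFileTimeUtc()

$root = [ADSI]"LDAP://$DomainDN"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.PageSize = 500
# Skip accounts that are already disabled (userAccountControl bit 2) and domain
# controllers (SERVER_TRUST_ACCOUNT, bit 8192), which cleanup must never touch.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$searcher.Filter = "(&(objectCategory=computer)" +
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=8192))" +
                   "(|(lastLogonTimestamp<=$inactiveCutoff)(pwdLastSet<=$pwdCutoff)))"
$searcher.PropertiesToLoad.AddRange([string[]]@("name", "distinguishedName", "lastLogonTimestamp", "pwdLastSet"))

function Convert-FileTime($values) {
    # Attribute may be absent (never logged on); report that rather than failing.
    if ($values -and $values.Count -gt 0) { [DateTime]::FromFileTimeUtc([int64]$values[0]) } else { "never" }
}

foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties            # keys are lower-case
    $dn    = $props["distinguishedname"][0]
    Write-Output ("{0}: lastLogonTimestamp={1}, pwdLastSet={2}" -f $props["name"][0],
        (Convert-FileTime $props["lastlogontimestamp"]), (Convert-FileTime $props["pwdlastset"]))

    $entry = $result.GetDirectoryEntry()
    if ($Delete) {
        if ($PSCmdlet.ShouldProcess($dn, "Delete stale computer account")) {
            $entry.psbase.DeleteTree()
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess($dn, "Disable stale computer account")) {
            $uac = [int]$entry.psbase.Properties["userAccountControl"].Value
            $entry.Put("userAccountControl", ($uac -bor 2))     # ACCOUNTDISABLE
            $entry.Put("description", "Disabled as stale on $(Get-Date -Format yyyy-MM-dd); delete after grace period")
            $entry.SetInfo()
        }
    }
}
```

Run it first with -WhatIf to review the list, then without to disable; schedule the -Delete run only after the grace period your departure procedure allows. Because lastLogonTimestamp is only updated when the stored value is more than about 14 days old, thresholds shorter than that would produce false positives, which is why the example keeps the six-week figure from the text.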

If a computer is unable to contact a domain controller when it attempts its scheduled password change, the account might become unsynchronized with the domain and require a password reset. An effective way to handle these resets in your organization is to delegate the right to reset computer account passwords to help desk staff, so that members of the Domain Admins group are not required for routine resets. Note that resetting the account in Active Directory Users and Computers (Reset Account) returns the password to its initial value and the computer must then be rejoined to the domain, whereas resetting from the computer itself (for example, with netdom resetpwd) repairs the secure channel without a rejoin.
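The following added example, not part of the original article, shows the delegation just described and the commands a help desk then uses to repair a computer whose secure channel has broken. It grants only the Reset Password control-access right, and only on computer objects, with dsacls; the OU, group, domain controller, and account names are assumptions. netdom and nltest ship with the Windows Server 2003 Support Tools.

```powershell
# Added example (not from the original article): delegate computer password
# resets to the help desk, then verify and repair a broken secure channel.
# OU, group, domain and host names below are assumptions.

$ou    = "OU=Workstations,DC=corp,DC=example"   # assumed OU holding workstations
$group = "CORP\HelpDesk"                        # assumed help-desk group

# Grant the Reset Password control-access right (CA) on computer objects only,
# inherited to sub-objects of the OU (/I:S). Nothing broader is needed for a
# password reset, so nothing broader is granted.
dsacls $ou /I:S /G "${group}:CA;Reset Password;computer"

# Verify the new ACE is present and scoped to computer objects.
dsacls $ou | Select-String "HelpDesk"

# --- On the affected workstation, run by a help-desk member -----------------

# Check whether the machine's secure channel to the domain is still valid.
nltest /sc_verify:corp.example

# Reset the machine account password on both the computer and the domain
# controller without leaving the domain; the help-desk user's credentials
# are used, which is exactly what the delegated right above permits.
netdom resetpwd /server:dc01.corp.example /userd:CORP\helpdesk01 /passwordd:*

# Confirm the channel is healthy again.
nltest /sc_verify:corp.example
```

On Windows 8 / Windows Server 2012 and later, Test-ComputerSecureChannel -Repair and Reset-ComputerMachinePassword perform the same repair from PowerShell, but the delegated right in Active Directory is the same either way. Use Reset Account in Active Directory Users and Computers only when the computer will be rejoined anyway, since that path invalidates the computer's own copy of the password.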

Important

  • If you are migrating from Windows NT 4.0 domains, you must create a plan for the creation of new computer accounts. Computers in Windows NT 4.0 domains do not have Active Directory computer accounts.