Creating Computer Accounts

Microsoft® Windows® 2000 Scripting Guide

For a computer in your organization to have full access to Active Directory resources, it must have a corresponding computer account in Active Directory. Computers that do not have accounts in Active Directory and do not belong to a domain have limited access to resources and cannot be managed by using Group Policy or software installation and maintenance.

Table 9.3 lists the Microsoft Windows operating systems and indicates whether a computer running a given operating system requires a computer account in Active Directory.

Table 9.3 Operating Systems and Computer Account Requirements

Operating System                                  Computer Account Required
------------------------------------------------  -------------------------
Windows XP Home Edition                           No
Windows XP Professional                           Yes
Windows XP 64-Bit Edition                         Yes
Windows 2000 Professional                         Yes
Windows 2000 Server                               Yes
Windows 2000 Advanced Server                      Yes
Windows 2000 Datacenter Server                    Yes
Windows NT Server 4.0                             Yes
Windows NT Server 4.0, Terminal Server Edition    Yes
Windows NT Server 4.0, Enterprise Edition         Yes
Windows NT Workstation 4.0                        Yes
Windows NT Server 3.51                            Yes
Windows NT Workstation 3.51                       Yes
Windows Millennium Edition                        No
Windows 98                                        No
Windows 95                                        No
Windows 3.1                                       No

Computer accounts can be created programmatically by using ADSI (and, more specifically, by using the IADs interface). To create a large number of computer accounts in a single operation, you can write a script that reads relevant information (computer name, computer location, and so forth) from a text file or a database, and then creates an account for each new computer. Using this kind of script is much quicker than manually creating each computer account by using Active Directory Users and Computers.

Note

When you create a computer account, you need to specify only the common name and the Security Accounts Manager (SAM) account name; the other mandatory attributes are automatically created for you.

However, if you specify only those two items, the account will initially be disabled. For a computer account to be enabled, you must also set the appropriate flags in the userAccountControl attribute. The userAccountControl attribute determines a number of different account attributes, including whether an account is enabled or disabled and whether an account requires a password. By setting two flags (ADS_UF_PASSWD_NOTREQD and ADS_UF_WORKSTATION_TRUST_ACCOUNT), the account will be enabled upon creation.

Setting Flags in the userAccountControl Attribute

For the purposes of this chapter, consider the userAccountControl attribute to be a control panel with a series of switches. These switches can be set to on or off. If a switch is set to on, the attribute controlled by that switch (the flag within the userAccountControl attribute) is also on. For example, if the ADS_UF_WORKSTATION_TRUST_ACCOUNT switch is on, that means that the account is a trusted workstation account. If the switch is off, the account is not a trusted workstation account. For a computer account to be enabled, both the ADS_UF_PASSWD_NOTREQD and ADS_UF_WORKSTATION_TRUST_ACCOUNT switches must be on.

Each flag within the userAccountControl attribute is assigned a value; for example, ADS_UF_PASSWD_NOTREQD is assigned the value &h0020 and ADS_UF_WORKSTATION_TRUST_ACCOUNT is assigned the value &h1000. These values correspond to the switches in the hypothetical control panel. When the userAccountControl attribute is assigned the value &h0020, it effectively flips the switch for ADS_UF_PASSWD_NOTREQD. Likewise, assigning the value &h1000 flips the switch for ADS_UF_WORKSTATION_TRUST_ACCOUNT.

If you are wondering how the userAccountControl attribute can be assigned multiple values, it is because the userAccountControl attribute contains multiple switches (flags).

For a more technical explanation of both the userAccountControl attribute and setting flags within that control, see "Active Directory Users" in this book.
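The following is an added example, not code from the Scripting Guide. It serves two passages above: the bulk-creation idea (reading computer names and locations from a text file) and the userAccountControl "switches". It computes the attribute set that Listing 9.2 writes for each computer in a constructed input list, and decodes a userAccountControl value back into its flag names so an administrator can check what a given value actually switches on. Assumptions: the fabrikam.com distinguished names and the "name[,container DN]" line format are invented for the sample; the ADS_UF_ACCOUNTDISABLE value (&h0002) and the 15-character NetBIOS name limit are standard Windows values not stated in this chapter.

```python
# Added example, not code from the Scripting Guide: builds the attributes that
# Listing 9.2 writes for each computer in a text list, and decodes userAccountControl.
# Flag values as given in the chapter (&h0020 and &h1000 in VBScript notation).
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
# Standard "account disabled" switch (assumption: not named in this chapter).
ADS_UF_ACCOUNTDISABLE = 0x0002
FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ADS_UF_ACCOUNTDISABLE",
    ADS_UF_PASSWD_NOTREQD: "ADS_UF_PASSWD_NOTREQD",
    ADS_UF_WORKSTATION_TRUST_ACCOUNT: "ADS_UF_WORKSTATION_TRUST_ACCOUNT",
}
# The value Listing 9.2 stores: both switches on, combined with a bitwise OR.
NEW_COMPUTER_UAC = ADS_UF_PASSWD_NOTREQD | ADS_UF_WORKSTATION_TRUST_ACCOUNT

# Constructed sample input: one computer per line, optionally followed by the
# DN of the container (OU) it should be created in. fabrikam.com is a placeholder.
SAMPLE_INPUT = """
atl-pro-001
atl-pro-002,ou=Atlanta Workstations,dc=fabrikam,dc=com
"""

def decode_uac(value):
    """Names of the known switches that are on in a userAccountControl value."""
    return [name for flag, name in sorted(FLAG_NAMES.items()) if value & flag]

def is_enabled(value):
    """Enabled means the ADS_UF_ACCOUNTDISABLE switch is off."""
    return not value & ADS_UF_ACCOUNTDISABLE

def build_account(name, container_dn):
    """Attributes the script sets for one computer: cn, sAMAccountName with its
    trailing $, and the enabling userAccountControl value. Rejects names that are
    empty, exceed the 15-character NetBIOS limit, or already carry a $."""
    if not name or len(name) > 15 or "$" in name:
        raise ValueError(f"invalid computer name: {name!r}")
    return {"dn": f"cn={name},{container_dn}",
            "sAMAccountName": name + "$",
            "userAccountControl": NEW_COMPUTER_UAC}

def accounts_from_text(text, default_container):
    """Parse 'name' or 'name,container DN' lines; blank and # lines are skipped."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, container = (part.strip() for part in line.partition(","))
        accounts.append(build_account(name, container or default_container))
    return accounts
```

In a real run the returned dictionaries would feed the Create, Put and SetInfo calls shown in Listing 9.2, one account per record; decode_uac is equally useful for auditing existing accounts whose userAccountControl value is unexpected.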

Scripting Steps

Listing 9.2 contains a script that creates a computer account in Active Directory. To carry out this task, the script must perform the following steps:

  1. Create a variable named strComputer, and set the value to the name of the computer account to be created.

  2. Create a constant named ADS_UF_PASSWD_NOTREQD and set the value to &h0020.

  3. Create a constant named ADS_UF_WORKSTATION_TRUST_ACCOUNT and set the value to &h1000.

    These two constants are used to configure flags in the userAccountControl property and enable the new computer account. You can create a computer account merely by specifying a value for the sAMAccountName attribute. In that case, however, the account will be created but will not be enabled, and thus cannot be used immediately.

  4. Bind to the Computers container in Active Directory. The new account will be created in this container. To create the account in an organizational unit (OU), bind to the appropriate OU instead.

  5. Use the Create method to create the new account in the local cache. The Create method requires the following two parameters:

    • 'Computer' - indicating the type of account to be created.

    • 'cn=' & strComputer - indicating that the cn for the computer should be configured to the value of the variable strComputer.

  6. Use the Put method to set the value of the sAMAccountName attribute to the name of the computer and append a dollar sign ($) (in this case, atl-pro-001$).

  7. Use the Put method to enable the ADS_UF_PASSWD_NOTREQD and ADS_UF_WORKSTATION_TRUST_ACCOUNT flags in the userAccountControl property. This will enable the new computer account.

  8. Use the SetInfo method to apply the changes in the local cache to Active Directory. In turn, this will create the new account.

Listing 9.2 Creating a Computer Account in Active Directory

strComputer = "atl-pro-001"
Const ADS_UF_PASSWD_NOTREQD = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Computers," & _
 objRootDSE.Get("defaultNamingContext"))
Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "userAccountControl", _
 ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo

Using the New Computer Account

After the account has been created, the computer in question must still be joined to the domain. This can be done only by someone who has the right to join a computer to the domain and who has access rights to the newly created computer account. By default, only administrators have access to the computer account; consequently, only an administrator can join the computer to the domain.