Windows Certification:: Creating and Managing Computer Accounts Resource Center

	Active Directory
	Backup
	Certificate Service
	Compatibilities
	Desktop Environment
	DFS
	DHCP
	DNS
	Domains
	Exchange Outlook
	File Systems
	Group Policy
	IIS
	Installations
	Internet Explorer
	ISA
	Mobile Wireless
	Multimedia
	Netware
	Network
	Priting
	RAID
	RAS
	Recovery
	Security
	Service Packs
	System Configurations


	TCP / IP
	Terminal Services
	Utilities
	Windows Server 2000
	Windows XP

	Creating and Managing Computer Accounts

Where to Start...

Guide to Computer Naming Schemes and Conventions
Our primer on choosing computer names for your workstations and servers. Includes a best practices checklist and examples of common practices in a variety of environments.

HOW TO: Manage Computer Accounts in Active Directory in Windows 2000
Microsoft Knowledge Base Article: 320187 - A computer account is an account that is created by a domain administrator. The computer account uniquely identifies the computer on the domain. The Windows computer account matches the name of the computer joining the domain. This article explains how to manage computer accounts in Active Directory

Automating the Creation of Computer Accounts in Windows 2000
Microsoft Knowledge Base Article: 222525 - Describes how to automate the creation of computer accounts. Two methods are described:

How to....

Computer Account Organizational Unit Can Be Specified by Using the Unattend.txt Utility
Microsoft Knowledge Base Article: 226315 - When you automate the installation of Windows 2000 by using the unattended installation method, you can specify the organizational unit where the computer account is placed. You can do this by adding the following section to your unattended answer (Unattend.txt) file

Enabling Authenticated Users to Join Computers to a Domain with No Administrative Intervention
Microsoft Knowledge Base Article: 224676 - By default, only members of the Authenticated Users global group have the requisite authority to join computers to a domain.

How to Change Computer and Domain Names in Windows 2000
Microsoft Knowledge Base Article: 232007 - This article describes how to change the computer name and domain membership in Windows 2000.

How to Create a Computer Object in the Active Directory for a Windows NT 4.0 BDC
Microsoft Knowledge Base Article: 221826 - In the Active Directory, computer accounts created in Server Manager are displayed as user objects. Microsoft Windows NT 4.0 (and earlier versions) BDC computer accounts are displayed as user objects if they were created with Server Manager

How to Recover a Deleted Domain Controller Computer Account
Microsoft Knowledge Base Article: 248132 - This article describes how to recover a domain controller computer account that has been inadvertently deleted.

How to Use Netdom 2.0 to Create a Windows Computer Account on a Selected Domain Controller
Microsoft Knowledge Base Article: 266651 - This article describes how to use the Netdom utility (Netdom.exe) included in Windows 2000 Support Tools and in the Windows 2000 resource kits to create a computer account for Microsoft Windows NT 4.0 or Windows 2000 member workstations or servers on a specific Windows 2000 domain controller.

How to Use Netdom.exe to Reset Machine Account Passwords
Microsoft Knowledge Base Article: 260575 - Each Windows 2000-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows 2000 then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages (for example, "Access Denied" error messages when Active Directory replication occurs). This behavior is also applicable to replication between domain controllers of the same domain. If the domain controllers that are not replicating reside in two different domains, you should inspect the trust relationship more closely. You cannot change the machine account password using the Active Directory Users and Computers snap-in, but you can reset the password using the Netdom.exe tool included in the Windows 2000 Support Tools

Resetting Computer Accounts in Windows 2000
Microsoft Knowledge Base Article: 216393 - For each Windows 2000 workstation or server that is a member of a domain, there is a discrete communication channel, known as the secure channel, with a domain controller.

Troubleshooting and Known Issues

Effects of Machine Account Replication on a Domain
Microsoft Knowledge Base Article: 175468 - For each Windows NT Workstation that is a member of a domain, there is a discrete communication channel (for example, the secure channel) with a domain controller. The secure channel's password is stored along with the computer account on the primary domain controller (PDC), and is replicated to all backup domain controllers (BDCs). The password is also in LSA secret $MACHINE.ACC of the workstation. Each workstation owns such secret data. Every seven days, the workstation sends a secure channel password change and the computer account password is updated. If the primary domain controller (PDC) is running Windows NT 4.0 Service Pack 3 or earlier, the computer account password changes are marked as "Announce Immediate" and each time a computer account password is modified, a replication takes place immediately. If the PDC is running Windows NT 4.0 Service Pack 4 or later, the computer account is replicated during the next replication pulse. A new Netlogon parameter is available as a hotfix so that the 7-day period may be extended up to 1,000,000 days. For Windows 2000, the default computer account password change is 30 days.

Automatic Computer Name Generator Does Not "Zero Fill" Numbers
Microsoft Knowledge Base Article: 223194 - The Remote Installation Service (RIS) has a feature that allows the service to automatically generate computer names for computers using RIS to install Windows 2000 Professional. Administrators can customize these automatically generated name

Batch File Adds/Removes Machine Accounts in Server Manager
Microsoft Knowledge Base Article: 140387 - An Windows NT network administrator may have to add a large number of Windows NT Workstations or Non-Domain Controller Servers to a domain's Machine Account database, which is accessed and maintained by the Server Manager user interface.

Cannot Add Computer to Windows NT 4.0-Based Domain; Error Message Cites Lack of Computer Account
Microsoft Knowledge Base Article: 285016 - When you attempt to add a Microsoft Windows 2000 Professional-based computer to a Microsoft Windows NT 4.0-based domain, you may find that you cannot do so and you may receive the following error message: Your computer could not be joined to the domain because the following error has occurred: The security database on the server does not have a computer account for this workstation trust relationship.

Cannot Change Computer Name of a Domain Controller
Microsoft Knowledge Base Article: 195242 - The computer name of a Windows 2000 domain controller cannot be changed for this release of Windows 2000.

Changing Computer Name in Windows 2000 Requires Restart
Microsoft Knowledge Base Article: 228544 - When you change your computer name or domain membership on a Microsoft Windows 2000 computer, each step must be performed separately with a shut down and restart you computer for the change to take effect.

Computer Name and Host Name Must Be the Same in Windows 2000
Microsoft Knowledge Base Article: 227410 - In Windows 2000, you cannot specify different host (Directory Naming Service, or DNS) and computer (NetBIOS) names.

Computer Name Setup Allows Invalid Characters in Computer Name
Microsoft Knowledge Base Article: 228275 - In the GUI-mode portion of Setup, when you are prompted for the computer name, you are allowed to enter nonstandard characters (for example, "qw#$%^_fg"). If you do so, you receive a warning about using a non-DNS name, but you are allowed to

Duplicate Computer Names Are Created When Sysprep.exe Generates Random Computer Names Microsoft Knowledge Base Article: 317606 - When you deploy an image on your network computers, the computer names that are generated by Sysprep.exe may be duplicated. If this occurs, you may receive an error message that indicates that duplicate computer names exist on your network.

Problems When Windows 2000 Locale and Computer Name Do Not Match
Microsoft Knowledge Base Article: 248879 - When you change the system locale on your Windows 2000-based computer, and then restart your computer, you may experience one or more of the following symptoms:

Spaces Not Allowed in a NetBIOS Computer Name
Microsoft Knowledge Base Article: 204032 - Although spaces are allowed in NetBIOS computer names in Microsoft Windows NT 4.0, spaces are not allowed in NetBIOS computer names in Windows 2000.

Sysprep Does Not Rename Accounts Containing the Computer Name
Microsoft Knowledge Base Article: 214679 - Some programs may create user accounts that contain the computer name. For example, Microsoft Transaction Server (MTS) creates an MTS

There May Be a Delay in Mapping SIDs to Account Names If the Computer Name Contains More Than 15 Characters
Microsoft Knowledge Base Article: 319819 - When you want to display the ACL by using the standard Explorer.exe user interface, there may be a long delay while the SIDs are mapped to account names. This occurs only if you have set the ACL for local accounts, and if your computer name exceeds 15 characters.

Unable to Change Windows 2000 Professional Computer Name When in Windows NT 4.0 Domain
Microsoft Knowledge Base Article: 244478 - When you try to change the name of a computer running Microsoft Windows 2000 Professional and the computer is a member of a Microsoft Windows NT 4.0-based domain, you cannot do so.

Underscores Are Not Valid for DNS Computer Names
Microsoft Knowledge Base Article: 199011 - Windows 2000 Setup changes underscore characters (_) in server and workstation computer names to dashes (-). This occurs because Active Directory is based on DNS, and underscore characters may not be valid DNS characters.

Use of "&" Symbol in Server Names Causes Logon Scripts to Fail
Microsoft Knowledge Base Article: 142691 - When you install a Domain Controller with the ampersand character (&) in the server name, Microsoft Windows NT clients cannot process logon scripts. You may see a command shell opened with an error message that the specified file was not found.

Windows 2000 Does Not Permit All-Numeric Computer Names
Microsoft Knowledge Base Article: 244412 - Windows 2000-based computers cannot have computer names that consist only of numbers. However, Microsoft Windows NT-based computers can have computer names that consist only of numbers.