
Computer Account Automatic Creation



    I built a new domain with a separate OU hierarchy (I don't want to use the default containers).

    I wrote a script to create computer accounts in several OUs and the script created the computer accounts just fine, but for some reason, when I try to add a workstation with a compliant computer name to the domain, AD creates a Computer Account object under the "Computers" container with the same ComputerName and SamAccountName with "$" at the end of the name (although an existing Computer Account already exists in the proper OU).

    Whenever I create the accounts manually and do the same action, everything works just fine.

    In addition (and in relation) to that, I want to disable the option of being able to add workstations to the domain without creating a Computer Account first (i.e. letting the Account object be created automatically when you add the workstation/server to the domain). I want computers to be allowed to join my domain only if they already have an existing computer account in the domain.

    The solution I already tried was changing the "msMachineAccountQuata" property in the domain properties (using ADSI Edit) to 0 (instead of the default "10"), but when I did that, I couldn't add any computer to the domain, even if the computer account already existed in the domain.

    Will appreciate any advice that might help in these matters.
    Yaniv Feldman
    Microsoft Security Regional Director
    Microsoft Management Expert

  • #2
    I guess you have used a script and have not added a trailing "$" at the end of the sAMAccountName attribute value.

    A sample script to create a computer account would look like this:

    Const ADS_UF_PASSWD_NOTREQD = &H0020
    Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000
    strComputerName = "WKS01"   'name of the account to create (example value)
    'Bind to the OU that should hold the account (adjust the DN to your own hierarchy)
    Set objContainer = GetObject("LDAP://OU=Workstations,DC=example,DC=com")
    On Error Resume Next
    'Add the computer object
    Set objComputer = objContainer.Create("computer", "cn=" & strComputerName)
    'Update attributes of the new object - sAMAccountName needs the trailing "$"
    objComputer.Put "sAMAccountName", strComputerName & "$"
    objComputer.Put "userAccountControl", ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
    'Commit the changes we've made
    objComputer.SetInfo
    If Err.Number <> 0 Then
        Wscript.Echo "Unable to create computer " & strComputerName & ". Does it already exist?"
    End If
    If I am wrong, please attach the script you used to create the computer accounts (I have noticed you opened a new topic in Scripting forum, so please post it there).

    As for creating computer accounts in AD there are 2 places you need to look:

    (1) The msMachineAccountQuata attribute you have mentioned. Setting this one to "0" should prevent users from creating computer objects in AD unless (2) applies.

    (2) Even if msMachineAccountQuata is set to "0", a user can create computer accounts in AD if he has been delegated the right to create computer objects.
    By default, the Domain Controllers Policy has the "Add workstations to domain" right set to "Authenticated Users", resulting in anyone being able to add up to 10 (see section 1) computers to the domain.
    The common practice is to revoke this right (change the setting in the GPO) and perform a per-OU delegation by granting "Create computer objects" permissions on a specific OU (by default, Administrators, Domain Admins, Enterprise Admins and Account Operators have the right unless you altered the defaultSecurityDescriptor of the organizationalUnit object class in the schema).
    The delegation can also be performed at the domain level (delegate this right on the domain object).

    Also, I suggest you turn on auditing on the DCs - this will give you the option to see the errors in the DCs' event logs in case of failure.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
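    As an added example (not code from this thread), the check and the hardening steps described in the post above, written for the ActiveDirectory PowerShell module; the OU DN, the computer name and the group name are assumed values.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory (RSAT)
# module, an OU 'OU=Workstations,DC=example,DC=com' and a group 'Workstation-Joiners'
# (all assumed names), and that it runs with rights to modify the domain and the OU.
Import-Module ActiveDirectory
$ou = 'OU=Workstations,DC=example,DC=com'

# 1. Find pre-created computer objects whose sAMAccountName lacks the trailing "$".
#    A join cannot match such an object, so a duplicate appears in CN=Computers.
$broken = Get-ADComputer -Filter * -SearchBase $ou -Properties sAMAccountName |
    Where-Object { -not $_.sAMAccountName.EndsWith('$') }
foreach ($c in $broken) {
    Write-Warning ('{0}: sAMAccountName "{1}" has no trailing $' -f $c.DistinguishedName, $c.sAMAccountName)
}

# 2. Pre-stage an account in the right OU. New-ADComputer sets the workstation-trust
#    userAccountControl flags itself and appends the "$" if -SamAccountName is omitted.
New-ADComputer -Name 'WKS01' -SamAccountName 'WKS01$' -Path $ou -Enabled $true

# 3. Quota 0: ordinary users can no longer create computer objects at join time.
#    Also remove "Authenticated Users" from "Add workstations to domain" in the
#    Default Domain Controllers Policy (a GPO edit, not scripted here).
Set-ADDomain -Identity (Get-ADDomain).DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}

# 4. Per-OU delegation: grant "Create computer objects" on the OU to one group.
#    The computer class GUID is read from the schema rather than hard-coded.
$schemaGuidBytes = (Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID).schemaIDGUID
$computerClassGuid = [Guid]$schemaGuidBytes
$groupSid = (Get-ADGroup 'Workstation-Joiners').SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid)
$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl
```

    Run step 1 first on the OUs your script populated; any object it reports is the one the domain join failed to match, which explains the duplicate under "Computers".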


    • #3

      Will try that one tomorrow.

      Just out of curiosity, why do I need to add the "$" sign?
      What does it say? What does it relate/refer to?
      Yaniv Feldman
      Microsoft Security Regional Director
      Microsoft Management Expert


      • #4
        I can only guess, but I believe that this was Microsoft's way to enable creation of computer accounts with the name of an existing user account.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"