Solved

Active Directory Best Practices with Computer Accounts

Posted on 2008-10-30
4
1,802 Views
Last Modified: 2012-05-05
I have read some knowledge base answers that address this, but not quite as fully as I need. So here is our situation: We have a pretty large number of computers in our domain (3000 +) and Active Directory is constantly outdated because computers are not removed from the Domain correctly. Sometimes this is because of circumstances out of our control (major system crashes) other times it is simply because it is quicker to just re-image computers without removing them from the domain.
The resultant dissarray in AD is the cause for many other applications having unreliable information (such as our antivirus database) which makes it very hard to tell if the computers not getting updates are real or simply phantom accounts long ago abandoned. I know I can do queries about when a computer was last updated, but a very large percentage of our computers are laptops which may or may not have connected within a period of time.
Currently we add computers to the network as we image them, rather than pre-populating AD with names. I need to know some information about doing it the other way. Can I setup AD so only pre-named computer accounts can be used? How do we use those accounts? Previously when we have tried it that way we have gotten errors that "The computer name already exists in the domain." How do we re-use the name when we re-image the computers? (This happens pretty frequently, especially with our mobile computers) I have seen that you can reset computer accounts, but I have never been successful in adding a new computer with a name that is already in AD on a consistant basis. Any help on how this is supposed to work would be great!
0
Comment
Question by:TechInTheWoods
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 22862888
The first thing to do would be create an OU for your Computer accounts (or multiple OUs) - so that the Computers container (the default one) is never used.  Remove permissions from the Computers Container so that ONLY Domain Admins have rights to add Computers to it.

Next, delegate the proper permissions to the other OUs to add, modify and delete User and Computer accounts using one or more Security Groups.  By doing this, you cannot add computers to the domain from the workstation unless you are a Domain Admin - this will force pre-creation of the computer account in the proper OU before you can add it to the domain.

As far as why you get errors when a computername is pre-created and then you attempt to use it from a workstation - I don't know.  The only way you'd get an error is if the name is in use by another workstation, but not simply by creating it first.

When you reuse a name that already was previously used simply right click the computer name and select Reset account.  This will clear all associations with the object in AD and allow you to re-use it.

0
 

Author Comment

by:TechInTheWoods
ID: 22869649
"As far as why you get errors when a computername is pre-created and then you attempt to use it from a workstation - I don't know.  The only way you'd get an error is if the name is in use by another workstation, but not simply by creating it first."

Could this happen because the computers are not properly removed from the domain prior to being re-imaged?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22873011
No.

Reimaging a workstation before removing it from the domain isn't an issue.  Reset the computer account in AD to reuse it.

0
 

Author Comment

by:TechInTheWoods
ID: 22952271
Thanks for the guidance on the AD Best Practice. I would still like to know what could cause the issue of not being able to re-use a computer account in AD (Yes, even AFTER it has been reset) but this is good knowledge for configuration, so I will award the points based on that.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Here's a look at newsworthy articles and community happenings during the last month.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question