
The Best Damn Windows Server 2003 Book Period - P46


the domain, data is retrieved from the computer that is added to the account. This includes such
facts as the operating system installed on the machine, the version of the operating system, and
other relevant information.
Creating Computer Accounts by Adding a Computer to a Domain
Computer accounts can be created when adding a computer to a domain. Computers can be added
to a domain by using the same dialog box you use to change the computer’s name. On a Windows
2000 Professional machine, this is done on the Network Identification tab of the System Properties
dialog. To access this dialog, you can right-click the My Computer icon located on the desktop,
and select Properties on the context menu. You can also access this dialog by double-clicking the
System icon in Control Panel. Once the System Properties dialog appears, click the Properties
button on the Network Identification tab.
As shown in Figure 10.31, the dialog box that appears after clicking the Properties button allows
you to modify the name of the computer, and choose whether the computer is part of a workgroup
or domain. The Member Of section provides two options. The Domain option enables a text box
that allows you to provide the name of a domain this computer will join. The Workgroup option
enables a text box that allows you to provide the name of a workgroup this computer will join. At any
time, the computer can be switched between being a member of a workgroup and being a member
of a domain. If the computer is joining a domain where a computer account doesn’t exist for this
machine, then the Computer name field is used to specify the new Active Directory account’s name.
After entering the name of a domain this computer will join, click the OK button. The computer
then proceeds to connect to a DC for the domain you are attempting to join, and if it finds one, a
dialog box will be displayed asking you for the username and password of an account permitted to
add workstations to the domain. Once this information is provided and you click OK, the username
and password you provided will be authenticated and (if the user account has the necessary
privileges) the workstation will be joined to the domain. If a computer account already exists for
the computer, then data is retrieved and the account is updated. If no account exists, the account
is created.

Figure 10.31 Identification Changes Dialog Box

416 Chapter 10 • Working with User, Group, and Computer Accounts
301_BD_W2k3_10.qxd 5/12/04 12:28 PM Page 416


Creating Computer Accounts Using Active Directory Users and Computers
Computer accounts can also be created using Active Directory Users and Computers. Right-click the
container or OU in which you want to create the object, and select New | Computer. Alternatively,
you can select the container or OU in which you want to create the computer account, and then
click Action | New | Computer. A dialog box similar to the one shown in Figure 10.32 will
appear.
The first field on this screen is used to identify the computer. The Computer name text box
is used to specify the name that you want this computer account to be called in Active Directory.
This will be the RDN of the computer. The Computer name (pre-Windows 2000) text box is
where you would enter the NetBIOS name of this computer, which older operating systems will
use when connecting to this computer. As mentioned before, the NetBIOS name of a computer can
be up to 15 characters in length. When you enter a value in the Computer name text box, a
NetBIOS name will be suggested based on the first 15 characters of the Computer name field.
However, this can be changed to another name.
Below this is a field that states which user or group can join the computer to the domain. As we
saw in the previous section, when the computer is added to a domain, a username and password of a
user account with the necessary rights is required. By default, the Domain Admins group has this
ability, but this can be changed. To specify another user or group, click the Change button and
enter the name of the user or group that should be given this privilege. The selected user or group
will appear in the User or group field of this screen. The final options on this screen deal with
older machines in a domain. The Assign this computer account as a pre-Windows 2000
computer option designates that this machine is running an older operating system, such as
Windows NT. The Assign this computer account as a backup domain controller option
specifies that this is a Windows NT BDC. Only Windows NT and newer operating systems can have
accounts in Active Directory.

Figure 10.32 New Object – Computer Dialog Box
The remaining screens require little input. Click the Next button to continue to the screen that
allows you to specify whether the computer is managed. A managed computer is a Remote
Installation Services (RIS) client. If the This is a managed computer check box is checked, you
must then enter the client computer’s globally unique identifier (GUID). After providing this
information and clicking Next, a screen will appear that offers the following options:

• Any available Remote Installation Services (RIS) server, which specifies that any RIS server
  can provide remote installation services to this computer.
• The following RIS server, which specifies that only designated RIS servers can service this
  computer.
While the screen with these RIS options will appear if the computer is managed, this will not
occur if the This is a managed computer check box isn’t checked. Upon clicking Next, you
proceed to the final summary screen, which you can review before creating the computer account.
As shown in Figure 10.34, this screen informs you of what the computer will be called in Active
Directory, and other information on options you chose during setup. Click the Finish button on
this screen to close the wizard and create the account.

Figure 10.33 Managed Screen of New Object – Computer
Creating Computer Accounts Using the DSADD Command
As was the case with users and groups, computer accounts can also be created using the DSADD
command. The command-line method can be used in scripts to automate the addition of computer
objects to Active Directory. You can use the DSADD command to create computer objects using
the following syntax:
DSADD COMPUTER ComputerDN
In using this command, ComputerDN specifies the DN of the computer that’s being added. This
provides information on where in the directory structure this account will be created. However, this
isn’t the only parameter that’s available for DSADD. As shown in Table 10.5, each of these
parameters provides different information that is used to set up the account. To use additional
options, the following syntax can be used:

dsadd computer ComputerDN [-samid SAMName] [-desc Description] [-loc Location] [-memberof GroupDN] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]
Table 10.5 DSADD Parameters for Creating Computers

Parameter                  Description
-samid SAMName             Specifies the NetBIOS name used by pre-Windows 2000 computers.
-desc Description          Specifies a description to be used for the account.
-loc Location              Specifies the location of the computer.
-memberof GroupDN          Specifies the groups that this new computer account will be a
                           member of.
{-s Server | -d Domain}    Specifies a connection to a remote server or domain. By default,
                           the computer is connected to the DC in the domain that the local
                           user is logged on to.
-u UserName                Specifies the username to use when logging on to a remote server.
                           By default, the username that the user logged on to the local
                           system with is used. The following formats can be used for the
                           UserName variable: Username, Domain\username, or User principal
                           name.
-p {Password | *}          Specifies the password to use when logging on to a remote server.
                           If an asterisk (*) is used, you will be prompted for a password.
-q                         Specifies quiet mode, and suppresses output.
{-uc | -uco | -uci}        Specifies Unicode to be used for input or output. If -uc is used,
                           then input or output is to a pipe (|). If -uco is used, then
                           output is to a pipe or file. If -uci is used, then input is from
                           a pipe or file.

Figure 10.34 Final Screen of New Object – Computer
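As an added example that is not from the book, the following Python script generates dsadd computer command lines for a list of new machines, applying the rules given above: the DN is built from the computer name and the target OU, the pre-Windows 2000 name is suggested from the first 15 characters as the New Object – Computer dialog does, several group DNs are passed to -memberof, and -p * is used so that no password is written into the script. The machine names, OU, group and server below are constructed, and the hostname character check is an assumption of the example rather than something dsadd enforces.

```python
import re
from dataclasses import dataclass, field

NETBIOS_MAX = 15                                 # NetBIOS names: at most 15 characters
NAME_OK = re.compile(r"^[A-Za-z0-9-]{1,63}$")     # conservative hostname check (assumption)

@dataclass
class NewComputer:
    name: str                 # Active Directory computer name (the RDN)
    ou_dn: str                # DN of the OU or container that will hold the account
    description: str = ""     # -desc
    location: str = ""        # -loc
    groups: list = field(default_factory=list)   # group DNs for -memberof
    samid: str = ""           # explicit pre-Windows 2000 name; suggested if empty

def suggest_samid(name: str) -> str:
    """Mirror the New Object - Computer dialog: the first 15 characters of the name."""
    return name[:NETBIOS_MAX].upper()

def quote(value: str) -> str:
    """Double-quote a cmd.exe argument so DNs containing spaces survive."""
    return '"' + value.replace('"', '\\"') + '"'

def build_dsadd(c: NewComputer, server: str = "", user: str = "") -> str:
    """Return one 'dsadd computer' line using the parameters from Table 10.5."""
    if not NAME_OK.match(c.name):
        raise ValueError("invalid computer name: %r" % c.name)
    samid = c.samid or suggest_samid(c.name)
    if len(samid) > NETBIOS_MAX:
        raise ValueError("NetBIOS name %r is longer than %d characters" % (samid, NETBIOS_MAX))
    cmd = ["dsadd", "computer", quote("CN=%s,%s" % (c.name, c.ou_dn)), "-samid", quote(samid)]
    if c.description:
        cmd += ["-desc", quote(c.description)]
    if c.location:
        cmd += ["-loc", quote(c.location)]
    if c.groups:                                 # the table allows several group DNs
        cmd += ["-memberof"] + [quote(g) for g in c.groups]
    if server:
        cmd += ["-s", server]
    if user:
        # "-p *" makes dsadd prompt for the password, so it never sits in the script file
        cmd += ["-u", user, "-p", "*"]
    return " ".join(cmd)

def build_batch(computers, server: str = "", user: str = "") -> list:
    """Generate the command lines for a whole list of new computers."""
    return [build_dsadd(c, server, user) for c in computers]

# Constructed sample input: made-up machine names, OU, group and server
SAMPLE = [
    NewComputer("WKS-ACCOUNTING-01", "OU=TestOU,DC=syngress,DC=com",
                description="Accounting desktop", location="Boston, floor 3",
                groups=["CN=Accounting Workstations,OU=Groups,DC=syngress,DC=com"]),
    NewComputer("LAB-07", "OU=TestOU,DC=syngress,DC=com", samid="LAB07"),
]

if __name__ == "__main__":
    for line in build_batch(SAMPLE, server="dc1.syngress.com", user="SYNGRESS\\admin"):
        print(line)
```

The first sample shows the 15-character truncation ("WKS-ACCOUNTING-"), which is exactly the case where an administrator should override the suggestion with an explicit samid, as the second sample does.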
Managing Computer Accounts
As seen previously, accounts can be administered through the properties of the object, which can be
accessed using Active Directory Users and Computers. To view the properties, select the object and
click Action | Properties. You can also right-click on the object, and select Properties from the
context menu. Using either method, a dialog box with nine tabs will be displayed.
The General tab of a computer account’s properties allows you to view common information
about the computer, as seen in Figure 10.35.

Figure 10.35 General Tab in the Properties of a Computer Account
As shown in Figure 10.36, the Operating System tab provides information about the operating
system running on the computer that has joined the domain. The Name field provides the
name of the operating system, Version provides the version of the operating system, and Service
pack displays the service pack level that has been applied to the operating system. These values are
retrieved from the computer and can’t be modified.
The Member Of tab shown in Figure 10.37 displays existing group memberships for this
computer and allows you to add the computer to groups in Active Directory. By default, it will be a
member of the Domain Computers or Domain Controllers group depending on its network role.
The computer account can be made a member of other groups by clicking the Add button. To
remove the computer from a group, select the group in the list and click the Remove button.
Figure 10.36 Operating System Tab in the Properties of a Computer Account
Figure 10.37 Member Of Tab in the Properties of a Computer Account
At the bottom of this tab is a section that allows you to set the primary group to which the
computer belongs. By default, computers are made a member of the Domain Computers group,
which is displayed in the Primary group field on this tab. To change the primary group, you could
use the Set Primary Group button, but this generally isn’t required. Primary groups are used by
Macintosh computers and POSIX-compliant applications, and aren’t required by other operating
systems or applications.
The Delegation tab shown in Figure 10.38 is used to control whether services can act on behalf
of another user from this computer. Using this tab, you can specify that the account can be used by
specific services. By using the account’s credentials, those services are able to impersonate the
account. This tab has three options relating to delegation:
• Do not trust this computer for delegation  The default value; doesn’t allow the computer
  to be used for delegation.
• Trust this computer for delegation for any service (Kerberos only)  Allows any service
  to use the computer, providing Kerberos is used.
• Trust this computer for delegation to specified services only  Only allows the services
  you specify to use the computer for delegation.
When the final option is selected, two additional options become available: Use Kerberos only
and Use any authentication protocol. Use Kerberos only specifies that delegation can only be
performed if Kerberos is used for authentication, while Use any authentication protocol allows
any protocol to be used.
In addition to these options, the two buttons at the bottom will also be enabled. The Add
button can be clicked to open a dialog that allows you to specify the services that can use the
computer for delegation. This dialog is shown in Figure 10.38. By clicking the Users or Computers
button, another dialog box will open, allowing you to specify the user or server that has these
services associated with them. This will populate the Available Services field on this screen. By
selecting services in this listing or alternatively clicking Select All, the selected services are
delegated for the user or computer accounts selected. By selecting a service from this list and
clicking the Remove button, a selected service is removed from being able to use this computer.

Figure 10.38 Delegation Tab in the Properties of a Computer Account
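As an added example that is not from the book, this Python audit function maps the three Delegation tab options back to the attributes they set on the computer account (the userAccountControl bits TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION, and the msDS-AllowedToDelegateTo list of services, which are Active Directory's documented names) and rates each account so that the riskiest setting, delegation for any service on a machine that is not a domain controller, is reported first. The directory export below is constructed; machine names and service names are made up.

```python
# Documented userAccountControl bits behind the settings the Delegation tab writes
WORKSTATION_TRUST_ACCOUNT = 0x1000            # member workstation or server
SERVER_TRUST_ACCOUNT = 0x2000                 # domain controller
TRUSTED_FOR_DELEGATION = 0x80000              # "Trust ... for any service (Kerberos only)"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # "Use any authentication protocol"

def classify_delegation(acct: dict) -> dict:
    """Map one computer account's attributes to the tab option and a risk rating.

    acct carries name, userAccountControl (int) and, for the "specified services
    only" option, msDS-AllowedToDelegateTo (list of service principal names).
    """
    uac = acct.get("userAccountControl", 0)
    targets = acct.get("msDS-AllowedToDelegateTo", [])
    is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
    if uac & TRUSTED_FOR_DELEGATION:
        # Any service: every user who authenticates to this host can be impersonated
        # against any other service. Domain controllers carry this bit by default.
        setting, risk = "any service (Kerberos only)", ("expected-dc" if is_dc else "high")
    elif targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            # Any protocol: the services can impersonate users who never presented
            # Kerberos credentials to them, so review the target list carefully
            setting, risk = "specified services, any authentication protocol", "medium"
        else:
            setting, risk = "specified services, Kerberos only", "low"
    else:
        setting, risk = "do not trust for delegation", "none"
    return {"name": acct["name"], "setting": setting, "risk": risk, "targets": list(targets)}

def audit(accounts) -> list:
    """Return findings for every account trusted for delegation, riskiest first."""
    order = {"high": 0, "medium": 1, "low": 2, "expected-dc": 3, "none": 4}
    findings = [classify_delegation(a) for a in accounts]
    findings = [f for f in findings if f["risk"] != "none"]
    return sorted(findings, key=lambda f: order[f["risk"]])

# Constructed sample directory export (names, services and values are made up)
SAMPLE_ACCOUNTS = [
    {"name": "DC1$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "APP02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.syngress.com:1433"]},
    {"name": "APP03$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.syngress.com"]},
    {"name": "WKS-ACCOUNTING-01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print("%-20s %-12s %s  %s" % (f["name"], f["risk"], f["setting"], f["targets"]))
```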
The Location tab of Computer Properties allows you to provide information on the location
of the computer within the organization. This tab has a single text box that allows you to enter a
location name, and a button labeled Browse. If no locations are available to select using Browse, the
Browse button will be grayed out.
The Managed By tab is similar to the tab we saw earlier in Figure 10.28 when we discussed
group accounts.
The Object tab provides information about the object, and is similar to the tab we saw in
Figure 10.29 when discussing groups.
The Security tab is similar to the one in Figure 10.30 that we saw when discussing group
accounts. This tab is used to configure the permissions that other accounts have in Active Directory
for this computer object.
The final tab in a computer’s properties is the Dial-in tab. This tab is similar to the one we saw in
Figure 10.19 when we discussed user accounts. It allows you to configure settings that are used when
the computer attempts to connect to the network remotely using a dial-up or VPN connection.
Managing Multiple Accounts
So far, we’ve discussed how you can use tools for Active Directory to create and manage individual
objects. In addition to creating and modifying user accounts, computer accounts, and group
accounts, you can also perform actions that affect large numbers of accounts at once. Next, we’ll
look at how you can manage UPNs, move objects, and how to troubleshoot problems that might
result when working with accounts in Active Directory.
Figure 10.39 Add Services Dialog
Implementing User Principal Name Suffixes
As discussed earlier in this chapter, User Principal Names (UPNs) consist of a logon account name
and a UPN suffix, which are connected together with an @ symbol. When combined they often look
just like an e-mail address, and can in fact be used by programs to send messages to Active Directory
accounts. The UPN is used when logging on to Windows 2000 and Windows Server 2003 domains
from Windows 2000 or later clients.
In Active Directory, alternative UPN suffixes can be created, so the user can log on using a
UPN suffix that is different from the name of the domain in which their user account resides. For
example, if a user had to log on to a domain with an exceptionally long name, you could provide an
alternate UPN suffix as part of the user’s UPN. In doing so, the UPN is simplified, making it easier
for users to enter it when logging on.
To add a UPN suffix, you must have the appropriate rights. UPN suffixes can only be added by
a member of the Domain Admins group in the forest root domain, a member of the Enterprise
Admins group, or a user or group that has been delegated the proper authority.
Adding UPN suffixes is done with the Active Directory Domains and Trusts console. It can also
be started through MMC, by adding the Active Directory Domains and Trusts snap-in. Figure
10.40 shows the Active Directory Domains and Trusts Properties dialog box.
Use the following steps to add and use alternative UPN suffixes.
Add and Use Alternative UPN Suffixes
1. From the Windows Start menu, select Administrative Tools | Active Directory
Domains and Trusts.
2. When the Active Directory Domains and Trusts console appears, select Active Directory
Domains and Trusts from the console tree.
3. From the Action menu, select the Properties menu item.
4. When the Active Directory Domains and Trusts Properties dialog box appears, click in the
Alternative UPN suffixes text box, and enter the alternative UPN suffix you want to
use (for example, eu.syngress.com).
5. Click the Add button. The listing should now appear in the lower pane.
6. Click OK to finish and close the Active Directory Domains and Trusts utility.

Figure 10.40 Active Directory Domains and Trusts Properties Dialog Box
7. From the Windows Start menu, select Administrative Tools | Active Directory Users
and Computers.
8. When Active Directory Users and Computers opens, expand the console tree and then
expand your domain. Once this is done, select the TestOU container.
9. In the right pane, select the Jane Doe user that you created previously.
10. From the Action menu, select the Properties menu item.
11. When the Properties dialog box for the Jane Doe user account opens, select the Account
tab.
12. In the User logon name field, use the drop-down list to select the new UPN suffix for this
user.
13. Click OK to save the change and exit.
Moving Account Objects in Active Directory
Windows Server 2003 provides a number of tools that allow you to move objects within domains
and between them. The tools that can be used for moving objects include Active Directory Users
and Computers, and two command-line utilities. As we’ve seen, Active Directory Users and
Computers is an MMC snap-in that allows you to interact with Active Directory through a
graphical interface. DSMOVE and MOVETREE are command-line tools that allow you to move
objects by entering textual commands at the command prompt. In the sections that follow, we will
look at these tools, and see how they can be used to move objects within and between domains.
Moving Objects with Active Directory Users and Computers
Active Directory Users and Computers can be used to move user, computer, and group accounts to
other locations of the directory. With this tool, objects can be moved within a domain. It can’t,
however, be used to move objects to other domains.
Active Directory Users and Computers is the only tool that allows you to move accounts using
a GUI. Because it’s a graphical tool, you can move Active Directory objects using your mouse. Select
an object by holding down your left mouse button, drag the object to a different container or OU,
and release the left mouse button to drop it into the new location.
In addition, you can also move objects within the directory by right-clicking on the object, and
selecting Move from the context menu. A dialog box will appear asking you to choose the
container or OU the object should be moved to. As seen in Figure 10.41, the Move dialog box displays