Sunday, March 14, 2010

How to ensure client computers are not left in an unmanaged state after joining a domain

When you join a Windows computer to a domain, by default the computer account for that computer is placed into the Computers container. Unfortunately, the Computers container is not an organizational unit (OU), so you can't link a Group Policy Object (GPO) directly to it, and as a result computers that join a domain this way are left in an unmanaged state, which might contravene your company's security policy.

The solution is to pre-stage your computer accounts by pre-creating them within an OU that has a GPO linked to it to enforce policy. Just use Active Directory Users and Computers to create computer accounts in that OU with the same names as the computers you will be joining to the domain. Then, when each computer joins the domain, it will check whether a pre-staged computer account is present, and if one is it will use that account instead of creating a new one in the Computers container.
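The same pre-staging can be scripted, and the script can also audit whether any machine still ended up in the default container. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that the target OU (here `OU=Workstations,DC=example,DC=com`) already exists with the policy GPO linked, and uses constructed computer names.

```powershell
# Added example: pre-stage computer accounts in a managed OU, then report any
# accounts sitting in the default Computers container (outside OU-linked GPO scope).
Import-Module ActiveDirectory

$TargetOU = "OU=Workstations,DC=example,DC=com"   # assumed OU with the policy GPO linked
$Names    = @("WS-0001", "WS-0002", "WS-0003")    # constructed sample computer names

foreach ($name in $Names) {
    # The pre-staged account must carry exactly the name the client will join with.
    if (Get-ADComputer -Filter "Name -eq '$name'") {
        Write-Warning "Account $name already exists; skipping"
        continue
    }
    New-ADComputer -Name $name -SamAccountName "$name`$" -Path $TargetOU -Enabled $true
}

# Audit: ComputersContainer reflects the domain's actual default container, so this
# check stays valid even if the default has been redirected elsewhere.
$defaultContainer = (Get-ADDomain).ComputersContainer
$stray = Get-ADComputer -SearchBase $defaultContainer -SearchScope OneLevel -Filter * -Properties whenCreated

if ($stray) {
    Write-Warning "Computer accounts found in $defaultContainer (joined without pre-staging):"
    $stray | Select-Object Name, whenCreated | Format-Table -AutoSize
} else {
    Write-Output "No computer accounts in $defaultContainer."
}
```

Run the audit portion on a schedule to catch machines that were joined before their account was pre-staged.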
