Adding Workstations to a Windows 2000 Domain
Marcin Policht's latest article addresses several workarounds for an Active Directory issue in Windows 2000 that limits the installation of new workstations in a domain.
Installing new workstations in a Windows NT 4.0 domain requires a level of privilege sufficient to create new computer accounts in the domain controller's Security Account Manager (SAM) database. This right is granted by default to the Domain Admins group, whose membership is, in most cases, carefully guarded. To allow the support groups responsible for new installations to perform their tasks, the "Add workstations to domain" user right is typically used instead.
If you follow the same approach after migrating your domain controllers to Windows 2000, you might be in for a surprise. Your setup will initially work, but fairly quickly, while creating new computer accounts in Active Directory, you will receive the following message:
"Your computer could not be joined to the domain. You have exceeded the
maximum number of computer accounts you are allowed to create in this domain.
Contact your system administrator to have this limit reset or increased."
This behavior is intentional. Since the method based on the "Add workstations to the domain" user right bypasses checks against Access Control Lists (ACLs), Microsoft decided that Active Directory permissions provide a far better mechanism from a security perspective. The old functionality is still preserved, but seriously limited: it allows only the first 10 computer accounts to be added on the basis of the "Add workstations to the domain" user right. The recommended Windows 2000 procedures are documented in Microsoft Knowledge Base article Q251335. In short:
New computer accounts can be pre-created (using the Active Directory Users and Computers tool).
The creation of new accounts can be controlled by assigning permissions on the containers that store computer accounts. These permissions can be set on a specific Organizational Unit or on the default Computers container. Keep in mind, however, that in the first case you will have to use a tool such as NetDom to join a workstation to its target domain.
Finally, the artificially imposed limit of 10 computer accounts per non-administrative user can be changed. This involves modifying one of the Active Directory attributes.
There are several ways of accomplishing this with the third method. The KB article lists two:
The first uses the LDAP tool that is part of the Windows 2000 Resource Kit (you can find it on the Windows 2000 installation CD in the Support folder).
The second uses ADSI scripting to modify the Active Directory ms-DS-MachineAccountQuota attribute, which is used by the samDomain and domainDNS classes. Its value controls the number of new workstation accounts that can be added to the domain under this user right. Here is a sample script:
Option Explicit
On Error Resume Next

Dim adsRootDSE, strDomainDNS, objDomainDNS, strADsPath, intQuota, strInput

' Locate the domain naming context through RootDSE and bind to the domain object
Set adsRootDSE = GetObject("LDAP://rootDSE")
strDomainDNS = adsRootDSE.Get("defaultNamingContext")
strADsPath = "LDAP://" & strDomainDNS
Set objDomainDNS = GetObject(strADsPath)

' Read the current quota
intQuota = objDomainDNS.Get("ms-DS-MachineAccountQuota")
WScript.Echo "Current value of " & Chr(34) & "Add Workstations to Domain" & _
    Chr(34) & " limit: " & intQuota

' Prompt for a new value (InputBox returns a string)
strInput = InputBox("Enter new limit", "New Quota Limit", intQuota)

' Validate before converting: VBScript does not short-circuit And, so a
' non-numeric entry would otherwise raise an error inside the condition
If strInput <> "" Then
    If IsNumeric(strInput) Then
        intQuota = Abs(CLng(strInput))
        If intQuota <> 10 Then   ' the script does not write back the default value of 10
            Err.Clear
            objDomainDNS.Put "ms-DS-MachineAccountQuota", intQuota
            objDomainDNS.SetInfo
            If Err.Number = 0 Then
                WScript.Echo "New value of " & Chr(34) & "Add Workstations to Domain" & _
                    Chr(34) & " limit: " & intQuota
            Else
                WScript.Echo "Problem changing the quota limit: " & Err.Description
            End If
        End If
    End If
End If
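The same ADSI binding can be driven from PowerShell on a current domain member, which is how an administrator would audit this setting today. The following is an added example, not code from the article or the KB: it reads the quota, lists the computer accounts that were joined under it (such accounts carry the creator's SID in the mS-DS-CreatorSID attribute, which the article does not mention), and sets a new value. It assumes a domain-joined host, read access to the domain for the audit, and write access to the domain object for the change.

```powershell
# Added example (not from the original article): audit and adjust
# ms-DS-MachineAccountQuota with plain ADSI/.NET, no RSAT module required.
# Assumed: run on a domain-joined host as a user with the rights noted above.

function Get-MachineAccountQuota {
    # Same lookup as the article's VBScript: RootDSE -> defaultNamingContext -> quota
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    [int]"$($domain.'ms-DS-MachineAccountQuota')"
}

function Get-QuotaCreatedComputers {
    # Computer accounts created through the quota (rather than by a delegated
    # creator) hold the joining user's SID in mS-DS-CreatorSID.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher.Filter     = "(&(objectCategory=computer)(mS-DS-CreatorSID=*))"
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@("name", "mS-DS-CreatorSID", "whenCreated"))

    foreach ($result in $searcher.FindAll()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
                   $result.Properties["ms-ds-creatorsid"][0], 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account no longer exists; keep the raw SID
        [pscustomobject]@{
            Computer    = $result.Properties["name"][0]
            CreatedBy   = $creator
            WhenCreated = $result.Properties["whencreated"][0]
        }
    }
}

function Set-MachineAccountQuota {
    param([Parameter(Mandatory)][ValidateRange(0, [int]::MaxValue)][int]$NewQuota)
    # 0 disables quota-based joins entirely; workstations are then joined only by
    # principals holding Create Computer permissions on the target container
    # (the article's second method).
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $domain.Put("ms-DS-MachineAccountQuota", $NewQuota)
    $domain.SetInfo()
    Get-MachineAccountQuota   # return the committed value for confirmation
}

"Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
Get-QuotaCreatedComputers | Format-Table -AutoSize
```

Run the audit first; the list of quota-created accounts shows how much the user right is actually relied on before you lower the value with Set-MachineAccountQuota.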