Home > Articles

This chapter is from the book

Administering Computer Objects

Just as Active Directory has a user object for each network user, it has a computer object for each computer in the domain. However, this applies "only" to Windows Server 2003, Windows XP, Windows 2000, and Windows NT computers. Other workstations (e.g., Windows 95 and 98 and non-Microsoft operating systems) that are not using the NT-based integrated security cannot have a computer object.

NDS allows a broader range of workstation types than does Active Directory, which means that you can manage more types of workstations with the help of the directory service.

Also, computer objects are used only for computers that join a domain. If a stand-alone server or workstation will be in a workgroup instead of a domain, it will not be assigned a computer object in Active Directory.

You could categorize computer object properties as either significant or informational, just as we did with user objects. However, the distinction among computer objects is not as clear as it is among user objects, so we don't use these terms with computer objects in this book (short of a couple of exceptions).

The purposes of computer objects are as follows:

  • As inherited from the very first version of Windows NT back in 1993, a computer account ties the workstation or server to the Windows NT/2000/XP/Server 2003 security model.

  • A computer object is a placeholder for properties that help you when you are remotely installing and managing workstations.

  • A computer object is a placeholder for properties that are purely informational.

  • A computer object is a security principal. This means that just as with a user, you can give permissions for resources and assign security group memberships to the computer.

  • The location of a computer object in Active Directory dictates which group policies apply to the corresponding computer.

Computer objects are treated slightly differently, depending on whether they are for domain controllers or for workstations and member servers. Table 3.14 compares the two.

Table 3.14. Comparing Domain Controllers and Other Computer Objects


Domain Controller

Workstation and Member Server

Creation of the object

Automatically while installing Active Directory on the server (using DCPromo).

  • Semiautomatically while joining the computer to the domain.

  • Manually with (a) the Users and Computers snap-in, (b) the DSAdd Computer command, (c) the NetDom tool (part of the Support Tools), or (d) using a script.

Default container of the object

Domain Controllers.


Use of the default location

Probably yes.

Probably not (place the computer objects in OUs instead).

Computer GUID

You cannot set this property.

You may set this property, which helps when using Remote Installation Services and signifies a managed computer.

When you start to manage computer objects, your tasks will include the following:

  • Create computer objects.

  • Set computer object properties.

  • Move, rename, disable, reset, and delete computer objects.

  • Assign Group Policy and permissions, and delegate administrative tasks.

In this chapter, we focus on the first three items in the list. The last item is discussed in later chapters. If you want to try the management tasks discussed in this section, you can create some test computer objects in your test OU. To test all the features, however, you will need some test workstations.

Creating Computer Objects

As Table 3.14 in the previous section implies, computer objects are created in three ways.

  • A computer object for a domain controller is created automatically in the Domain Controllers OU when you install Active Directory on that server by running the Active Directory Installation Wizard (i.e., DCPromo).

  • When you join a stand-alone server or workstation to a domain, either during computer installation or afterward, you have the option to create the computer object. An object created in this way goes to the Computers container.

  • You precreate the computer object manually using one of the four ways listed in Table 3.14. The Users and Computers snap-in way—the graphical choice—is explained next. The DSAdd Computer command is introduced at the end of this chapter.

The second and third items in the list require appropriate permissions or user rights, which are explained in Chapter 4. In short, any forest user can by default join ten workstations to a domain.

You can store the computer objects either in the Computers container or in various OUs in the domain. The latter option allows different OU-based group policies for different computers.

When you right-click the appropriate target OU and select New, Computer, you will launch a three-page or four-page creation wizard, the first page of which you see in Figure 3.18. Here you specify the name for the object, the downlevel name for the computer, and the user or group who can later join the computer to the domain. If the joining computer is running Windows NT, you must select the "pre-Windows 2000" check box. If the joining computer will be a Windows NT backup domain controller, you must select the "backup domain controller" check box.

03fig18.gifFigure 3.18 When you create a computer object, on the first page of the creation wizard you are prompted to specify the name for the object, the downlevel name for the computer, and the user or group who can later join the computer to the domain.

Figure 3.19 shows the second page of the creation wizard. If you use Windows 2000, the pages beyond the first one will appear only if you have installed Remote Installation Services (RIS) to install Windows 2000 Professional computers.

03fig19.gifFigure 3.19 On the second page of the creation wizard you can specify that this is a "managed computer" (to indicate that you will use Remote Installation Services, or RIS, "prestaging" for this computer) and enter the computer's GUID.

Whether you get the additional wizard pages in Windows 2000 or not depends on which computer you are sitting at. For example, if there are two domain controllers in your domain (DC1 and DC2) and you have installed RIS on DC2, you will see the two additional pages if you are sitting at DC2 or any workstation. However, if you are sitting at DC1, you won't see the pages.

Computer manufacturers assign a unique GUID to each computer they sell. If you enter this GUID into Active Directory, it will help RIS to match a certain computer system to a certain computer object.

After you have bought a computer and turned it on for the first time to install Windows 2000 or Windows XP onto it, the RIS service sends the computer's GUID to a RIS server. This way, RIS can locate the correct computer object in Active Directory.

If you selected the "This is a managed computer" option on the wizard's second page, you will see a third page, which is shown in Figure 3.20. The last page displays the summary of your selections, and we don't show this screen.

03fig20.gifFigure 3.20 If you selected the "This is a managed computer" option in the creation wizard's second page (Figure 3.19), you will see a third page that enables you to specify a certain remote installation server. You can use this for load balancing, so that certain client computers (identified by the GUID) install Windows 2000 or Windows XP from a certain server.

The computer GUID shown in Figure 3.19 is not the same as the GUID that each Active Directory object has. Chapter 8 offers more in-depth treatment of object GUIDs.

You cannot specify the computer GUID or RIS server name for an existing computer object using the Users and Computers snap-in if you didn't specify "managed computer" when you first created the object. To edit properties directly, you need to use ADSI Edit or some other means. The aforementioned information is stored in the properties netbootGUID and netbootMachineFilePath.

A computer object has several names, which are listed in Table 3.15.

Table 3.15. Name Properties of a Computer Object



Maximum Length




Computer name

name (RDN) and cn (Common-Name)



Within OU

This becomes the object common name in the tree.

DNS name




In the world

The target computer updates this property automatically.

Computer name (pre-Windows 2000)


256 (schema rule), 20 (SAM rule)


Within the enterprise

This is the downlevel name of the computer, which is also the same as the computer NetBIOS name. Internally, Active Directory stores a dollar sign ($) at the end of the name.

Setting Computer Object Properties

The Users and Computers snap-in shows you about 15 computer object properties, and you can set about 8 of them. Behind the scenes, a computer object may have 280 properties (228 in AD2000.)

Table 3.16 lists the properties in five tabs. We discuss a sixth tab, Member Of, later in this chapter in the "Administering Groups" section, and a seventh tab, Delegation, in Chapter 4. An eighth tab, Dial-in, relates to managing communication settings, so we don't cover it in this book about Active Directory. We don't include screen shots, because they would show just a number of text boxes. Many of the setting names are self-explanatory. Note that Windows Server 2003 also provides context-sensitive help for each of the settings.

Table 3.16. Properties of a Computer Object



Syntax [*]




General Tab

Computer name (pre-Windows 2000)


Text (256 [schema rule], 20 [SAM rule])



This is the downlevel name of the computer, which is also the same as the computer NetBIOS name. Internally, Active Directory stores a dollar sign ($) at the end of the name.

DNS name


Text (2048)






Two choices



Bit 0x2000 indicates a "Domain controller"; bit 0x1000 indicates a "Workstation or server".



Text (1024)




Trust computer for delegation





This setting is described in Chapter 4 in the "Impersonation and Delegation" section. Note that when the domain is on the Windows Server 2003 functional level, this setting appears on the Delegation tab.

Operating System Tab





A read-only text such as "Windows Server 2003."





A read-only text to indicate the normal version, such as "5.2" (Windows 2000 is "5.0", Windows XP is "5.1", and Windows Server 2003 is "5.2"), and the more precise version (i.e., build number), such as "3790."

Service Pack




A read-only text to indicate whether or not you have installed any service packs on the machine, such as "Service Pack 1."

Location Tab



Text (1,024)




Managed By Tab

Managed By


DN; you select a user or contact from a list


The user or contact you select gets no permissions for the computer. This setting is purely informational. The other fields on the tab are the manager's properties. Note that this setting is not related to the "This is a managed computer" check box that you saw in the creation wizard.

Remote Install Tab [**]

Computer's unique ID


Binary (text in the user interface)



Same as the computer's GUID. It helps when using RIS, and it signifies a managed computer.

Remote Installation server





This property specifies the DNS name of the selected installation server.

Server Settings





This button takes you to the properties of the server object.

Other Operations to Manage Computer Objects

Other operations you can do to manipulate computer objects are move, delete, disable, and reset. You can also rename computers or start computer management to manage the computer corresponding to the object.

Moving Computer Objects

If you need to move a computer object from one OU to another, you do it in the same way you move users. When you are moving a computer within a domain, either (a) drag it to a new location with the mouse, (b) use cut/paste with the keyboard or mouse, or (c) right-click the computer, select Move, and then choose the destination from the OU tree that opens up and click OK. Between domains in a forest you use another tool, such as the Support Tools command-line tool MoveTree, which is discussed in Chapter 6.

You can move several sibling objects at once by selecting them in the right-hand pane of the snap-in by using the Shift and/or the Ctrl key.

When you move computer objects

  • Permissions that are assigned for the object being moved move with the object.

  • Group policies and permissions that are inherited from above do not move with the object being moved. Instead, the moved object inherits the policies and permissions from its new location.

Deleting Computer Objects

You delete an object by right-clicking it and selecting Delete or by selecting the object and pressing the Delete key. Because there is no Undo option, a safety mechanism asks you to confirm the deletion.

A computer object is a security principal like a user object. Therefore, if you delete a computer object and then re-create it, the new object doesn't have the memberships or permissions of the old one.

If you delete a computer object, the corresponding computer is no longer part of the domain. Therefore, no one can log on to the computer using a domain user account.

Disabling Computer Accounts

You can disable the computer account by right-clicking the computer object and selecting Disable Account. Doing so will prevent users sitting at that computer from logging on using a domain user account.

You cannot disable a domain controller.

Resetting Computer Accounts

When a Windows NT/2000/XP/Server 2003 computer that is a member of a domain starts, the computer logs on to the domain using the computer account and some password known to the machine. After this, a user sitting at the computer can enter his username and password to log on to the domain.

The aforementioned machine logon sets up a secure channel, which enables the member computer to communicate with a domain controller to exchange user and password information. For example, if the computer account password stored in the local computer (called LSA secret) doesn't match the one stored in Active Directory, authentication to the domain is not possible, and the user will receive an error such as the one shown in Figure 3.21.

03fig21.gifFigure 3.21 If the member computer cannot establish a secure channel with a domain controller, the user receives an error message such as the one shown here and is not able to log on using a domain user account.

An administrator can solve the problem by using the Reset Account context menu item on the corresponding computer object. Resetting a computer account resets its password to the initial value, which is "computername$" (without quotes). In addition, the member computer must be joined to a workgroup and then joined to the domain again.

You can reset a computer account also with the DSMod Computer command and -reset option. In addition, Support Tools includes two command-line utilities, NetDom and NLTest, which you can use to reset computer accounts, among other things.

Managing Computers

When you right-click the computer object and select Manage, the Computer Management snap-in starts and sets the focus to the corresponding computer. This way you can manage its system tools, storage, server applications, and services.

Renaming Computers

You rename a Windows 2000/XP workstation or a Windows 2000/Server 2003 member server using the Control Panel of that computer. Select System, then the Computer Name tab, and finally the Change button. Once you enter a new name and click OK, you are prompted for the name of a domain user who has permission to change the name of the workstation or member server, as well as that user's password.

This operation renames the computer (i.e., the NetBIOS name and DNS name) and changes the common name and the pre–Windows 2000 name of the computer object.

Renaming domain controllers was discussed in Chapter 2.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020