System admins often need to add computers to an Active Directory (AD) domain. This article details the four methods that Microsoft provides to add a computer object. It also explains how to modify a computer’s attributes, as well as how to move, delete or reset a computer.
Creating Computer Objects in Active Directory
Microsoft provides four ways to add a computer object to Active Directory:
- Active Directory Users and Computers (ADUC)
- Active Directory Administrative Center (ADAC)
- Dsadd.exe
- PowerShell
Adding a Computer to Active Directory using ADUC
To add a computer to Active Directory using ADUC, log into the local administrator account, open ADUC and take the following steps:
- Open Server Manager. In the top-right menu, click Tools and then select Active Directory Users and Computers from the drop-down list.
- In the left pane, expand the domain. Right-click on the Computer container and select New > Computer.
- In the New Object – Computer wizard, enter the name of the new computer. The Computer name (pre-Windows 2000) field will be automatically populated.
- In the User or Group field, click Change and select the user or group who should have access to the computer.
- Click OK.
Creating Computer Objects using ADAC
ACAC offers a wizard that provides a lot more options than ADUC. To add computer to Active Directory using ADAC, take the following steps:
- Right-click on the computer container or another OU where you want to create the computer object. Choose New from the task list and select Computer.
- In the Create Computer wizard, specify a name for the computer. The Computer (NetBIOS) name field will be filled in automatically.
- If desired, select the Protect from accidental deletion checkbox.
- Click Change and select the user or group who should have access to the computer..
- If you need to assign a manager to computer, click the Edit button in the Managed By section and select the appropriate user.
- If you want to add the computer to any security groups, click Add in the Member Of section and select the groups.
- Click OK.
Creating Computer Objects using Dsadd.exe
You can easily create multiple objects by running a batch file of Dsadd.exe commands that each specify the distinguished name of a computer object to be created. The syntax is:
dsadd computer <ComputerDN>
Creating Computer Objects using Windows PowerShell
The fourth way to create computer objects is to use Windows PowerShell. The cmdlet New-ADComputer creates computer objects. The syntax is as follows:
new-ADComputer -Name -path
Note that this cmdlet creates a computer but does join it to a domain.
Modifying Computer Objects
Properties of Computer Objects
Each type of AD object has a set of attributes. For computer objects, the attributes you can modify include:
- Name — The name assigned to computer object
- Password — The computer’s password
- Location — Location of the computer object
- Member Of — The OUs and security groups that the computer is a member of
- Managed By — The user who manages the computer
Note that there are attributes you cannot modify, such the unique identifiers SID, CN and SAMAccountName.
You can modify computer objects using either ADUC or PowerShell.
Modifying Computer Objects using ADUC
To use ADUC to modify a computer object, take these steps:
- Right-click on the desired computer object and select Properties from the menu.
- In the Computer Object Properties dialog box, make any required changes in the various tabs.
- Click Apply and then click OK.
Modifying Computer Objects using PowerShell
You can also use the PowerShell cmdlet Set-ADComputer to modify attributes of AD computer objects. For example, to modify the location of the computer USER01-SRV1, use the following command:
Set-ADComputer -Identity "USER02-SRV1" -Location "NA/HQ/Building A" To modify both the Location and Managed By attributes of that computer, use the following script: $Comp = Get-ADComputer -Identity "USER04-SRV1" $Comp.Location = "NA/HQ/Building A" $Comp.ManagedBy = "CN=SQL Administrator 01,OU=UserAccounts,OU=Managed,DC=USER04,DC=COM" Set-ADComputer -Instance $Comp
Moving Computer Objects
The default location for a newly created computer object is the Computers container, which is not an organizational unit (OU). To manage a computer using Group Policy settings, you need to move it to an OU.
Note that all permissions directly assigned to the computer will move with it. However, any rights inherited from its former OU do not move with it. Instead, it will inherit permissions and Group Policies from its new location.
To move a computer using ADUC, take the following steps:
- Under the domain, click the Computers container.
- In the right pane, right-click on the computer you want to move and select Move from the context menu.
- In the Move dialog, select the OU that you want to move the computer object to, and click OK.
Deleting Computer Objects
To delete a computer object:
- Open ADUC and find the desired computer object.
- Right-click on the computer and click Delete.
- Confirm the deletion request.
The deletion operation cannot be undone. While you can create a similar new computer object, it will not have the permissions and attributes of the old one.
Resetting Computer Objects
If a computer’s secure channel fails, you need to break its connection to the domain and then join it again. To reset a computer, take these steps:
- Open ADUC and find the desired computer object.
- Right-click on the computer and select Reset Account.
