Machine (Computer) Accounts in AD

[Sabir Ahmedi]

Hi all,
1) I wanted to know what computer accounts in AD are for??

2) Is it mainly used to apply machine policies to the computers?

3) Also, is it a better practice to group the computers and put the machine
accounts in a separate OU or leave it in the OU of the user??

4) Who should be given permissions to add a computer account in AD and why??

Thnx a million,
Sabir.

 

[David Brandt [MSFT]]

Machine accounts are necessary in order to give the object a unique
identifer ID when its created so that it Is unique within the domain, and
also so that the machine and dc/s can negoiate their secure channels with.
A machine can only belong to one domain at any given time.
Leaving them in the default computers container or moving them to other
containers (ou's) is entirely up to you and your needs. Policies are
applied in order of local, site (but not used much), domain, OU. So if a
machine is in an OU then any policy configured to apply a "computer setting"
will then apply to any machines in that container, or policy it will be
applied. Grouping machines into different OU's is fine if you want to have
specific policies applied to only those machines, but many smaller
enterprises probably leave them in the default computers container. You can
apply policies to user/s and computers separately, or put them in the same
OU and set one policy to apply both, but there isn't any "set" way to set
these up. The OS was designed to meet whatever configuration needs
different networks require, so for the most part it just comes down to how
You want to set it up.
There is also a lot of info on the MS web site about doing all of this, and
would encourage you to look it over.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.