Microsoft KB Archive/283771

= HOW TO: Pre-stage Windows 2000 Computers in Active Directory =

Article ID: 283771

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q283771





IN THIS TASK
SUMMARY
 * Locate Computer Accounts
 * Remove Write Permissions of Authenticated Users from the Default Computer

REFERENCES



SUMMARY
This article describes how to pre-stage computer names for Windows 2000-based computers, as you can in Microsoft Windows NT 4.0, to allow only those computer names to be added to Active Directory.

back to the top

Locate Computer Accounts
To pre-stage computers in a Windows 2000-based domain, you must locate those computer accounts in an organizational unit other than the default container. To do this, follow these steps:
 * 1) Open the default domain controllers policy.
 * 2) Click Computer Configuration.
 * 3) Click Windows Settings.
 * 4) Click Security Settings.
 * 5) Click User Rights Assignment.
 * 6) Double-click Add Workstation to Domain.
 * 7) Click Define these policy settings.
 * 8) Verify that Authenticated users is selected in the Define these policy settings box.
 * 9) Click OK to make the setting active. This allows authenticated users to add workstations to the domain.

After you complete the steps above, you can pre-stage computer accounts in any organizational unit other than the default organizational unit, provided that authenticated users can read from and write to that organizational unit's objects.

back to the top

Remove Write Permissions of Authenticated Users from the Default Computer
It is a good idea to remove Write permissions from the default Computers location for authenticated users. To do this:
 * 1) Right-click the Computers container, click View, and then click Advanced features.
 * 2) Right-click the Computers container, and then click Properties.
 * 3) On the Security tab, click Authenticated users.
 * 4) Remove the Allow Write property. Or, for greater security, remove all of the &quot;Allow&quot; security rights.
 * 5) Click Apply, and then click OK to apply the new security restrictions on the default Computers container.

back to the top

