Microsoft KB Archive/222582

= Machine Account Security After Upgrade from Windows NT 4.0 =

Article ID: 222582

Article Last Modified on 2/24/2007

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

This article was previously published under Q222582



SUMMARY
This article describes the security on domain machine accounts before and after an upgrade to Windows 2000. This information can be used in troubleshooting permissions on machine account objects in the Active Directory and determining which user created the machine account before the upgrade.



MORE INFORMATION
The Discretionary ACL (DACL) contains Access Control Entries (ACEs) that define permissions on a given object. In Microsoft Windows NT 4.0, when a machine account is created, the domain Administrators local group becomes the owner of the machine account. The user who created the machine account is stored as part of its data, and the DACL on the machine account includes limited rights for that user (such as the right to delete the account).

When an upgrade to Windows 2000 is performed, the following changes occur on each computer account:

A machine account object is created in the default Computers container. The user who created the machine account becomes the owner of that account object in the Active Directory. The DACL on the machine account is reset to the default that is defined for objects of the Computer class in the schema. This DACL includes an entry for Creator Owner, which the ACL Editor displays under the name of the owning user. Note that other ACEs can be present if users or groups are added or permissions are changed on parent containers in the Active Directory, resulting in additional inherited permissions.

The default DACL for the Computer class contains the following entries:

 * Self: Create All Child Objects, Delete All Child Objects
 * Authenticated Users: Read, Read Public Information
 * System: Full Control
 * Creator Owner: Full Control
 * Domain Administrators: Full Control
 * Cert Publishers: no permissions
 * Enterprise Administrators (inherited permission): Read, Write, Create All Child Objects, Change Password, Receive As, Reset Password, Send As, Read Public Information, Write Public Information
 * Account Operators: Full Control
 * Print Operators: no permissions
 * Everyone: Change Password


The default DACLs listed above also apply to new machine accounts.
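To check a computer account's owner and DACL against the defaults listed above, here is an added PowerShell example; it is not part of the KB article. It assumes the ActiveDirectory module (which provides the AD: drive), a host joined to the computer's own domain, and a placeholder computer name; the extended-right GUIDs are the well-known values for Change Password and Reset Password.

```powershell
# Added example, not part of the KB article: show who owns a computer account
# object and list its DACL, flagging Full Control grants outside the defaults.
# Assumes the ActiveDirectory module (AD: drive), a domain-joined host, and a
# placeholder computer name.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName    # placeholder, e.g. 'WORKSTATION01'
)
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $ComputerName
$acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
# After an upgrade from Windows NT 4.0 the owner is the user who created the
# machine account, which is how the article identifies the creator.
Write-Host "Object : $($computer.DistinguishedName)"
Write-Host "Owner  : $($acl.Owner)"
# Well-known extended-right GUIDs, so the output uses the article's names.
$extendedRightNames = @{
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}
# Principals that hold Full Control in the default Computer-class DACL.
# 'Domain Admins' is the group the article calls Domain Administrators;
# $env:USERDOMAIN assumes the script runs in the computer's own domain.
$defaultFullControl = @(
    'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
    "$env:USERDOMAIN\Domain Admins", 'BUILTIN\Account Operators'
)
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
foreach ($ace in $acl.Access) {
    $rights = $ace.ActiveDirectoryRights.ToString()
    if ($ace.ActiveDirectoryRights -eq 'ExtendedRight' -and
        $extendedRightNames.ContainsKey($ace.ObjectType.ToString())) {
        $rights = $extendedRightNames[$ace.ObjectType.ToString()]
    }
    $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Host ("{0,-40} {1,-5} {2,-9} {3}" -f $ace.IdentityReference,
        $ace.AccessControlType, $source, $rights)
    # Full Control held by anyone outside the default set is worth a look;
    # it usually arrives as an inherited ACE from a parent container.
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.ActiveDirectoryRights.HasFlag($fullControl) -and
        $defaultFullControl -notcontains $ace.IdentityReference.Value) {
        Write-Warning "Full Control on $ComputerName held by $($ace.IdentityReference) ($source)"
    }
}
```

Inherited entries such as the Enterprise Administrators ACE are listed alongside the explicit defaults, so differences from the list above are visible in the `inherited`/`explicit` column.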

Keywords: kbinfo kbnetwork KB222582


© Microsoft Corporation. All rights reserved.