Re: [ActiveDir] Upgrading computers and computer objects
On Mon, Dec 29, 2003 at 10:01:53AM -0600, Rich Milburn wrote:

> Just tried it, XP SP1 on a 2003 domain, Network Identification, switched
> from domain member to workgroup member:
>
> Enter the name and password of an account with permission to remove this
> computer from the domain.
>
> User name:
>
> Password:
>
> This is while logged in as a domain admin. It seems to be fairly new
> behavior, I can't recall if AD 2000 did this or not. It might be an XP
> thing.

AD 2000 does this, but probably after some Service Packs, because I've done this on a Windows 2000 box too.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Upgrading computers and computer objects
Hello. I am offering slightly different info/experience. Both because I am serious and because I like to take up unpopular stands. :o)

If you have printer or MQ objects or other objects hanging off the computer object, either delete the object and all subobjects or remove the subobjects. For just a plain jane standalone computer object I see nothing wrong with resetting the password on the account and rejoining. In fact that is a very common practice in our company for Dev server accounts, because there are only 3 people in the entire company that can create the server computer objects in the right place, and if a server account pops up someplace else we promptly "jail" it. We create the accounts with some delegated rights for join (one of which allows password reset) to some given domain local group. When the people in that group need to rebuild the machine they rebuild it, reset the password on the account, and then rejoin. We have developer machines that have had this done hundreds of times.

There is a lot of chatter concerning the computer's SID. The SID of the computer and the SID of the computer object are NOT the same. I am not positive that the computer maintains a copy of its domain SID on itself, though I expect it may (Does Mark Russinovich watch this list at all? He would know.). Regardless, they are separately created and maintained. This is easy to see: dump the SID of the computer object, which will have the domain SID (adfind -gc -b -f name=machinename objectsid), and then dump the SID of the machine (a sideways method is to use getsid to get the SID of an account and strip off the last security identifier field, like -500 or -501). Look at them, they are different.
C:\WINDOWS>adfind -gc -b -f name=mainpro objectsid

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: w2kasdc1.joehome.com
dn:CN=MAINPRO,CN=Computers,DC=joehome,DC=com
>objectSid: S-1-5-21-1275210071-789336058-1957994488-218311

1 Objects returned

C:\WINDOWS>getsid \\mainpro guest \\mainpro administrator
The SID for account MAINPRO\guest does not match account MAINPRO\administrator
The SID for account MAINPRO\guest is S-1-5-21-1220945662-1682526488-1060284298-501
The SID for account MAINPRO\administrator is S-1-5-21-1220945662-1682526488-1060284298-500

C:\WINDOWS>

SID1: SID of computer object is S-1-5-21-1275210071-789336058-1957994488-218311
SID2: SID of computer itself is S-1-5-21-1220945662-1682526488-1060284298

SID1 != SID2

As for removing the account from the domain when unjoining: this doesn't occur, as I think has been worked out. At most I have seen it disable an account, though even that isn't always done, depending on what the context of the user is that does the unjoin. If the user doesn't have permissions to write the computer's useraccountcontrol she wouldn't be able to disable the account.

Hope that helps out.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Sunday, December 28, 2003 8:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrading computers and computer objects

I'm curious what is the best practice or recommended way for the following case:

I have several computers that are joined to the domain, and I'm going to upgrade some of these computers with a different computer (newer), though the UNC name of these computers will remain the same.

Should I:
1. Remove the old computers from the domain, install the new computers, and join them to the domain?
2. Since there are several computers, can I just delete the corresponding computer objects in the ADUC, install the new computers, and join them to the domain?
3. Just put the new computers in place, and join them with the same name?

So far, I'm doing the second way, because I think it is the cleanest way.

Thanks
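A PowerShell rendering of the check joe walks through above (computer object SID vs. the machine's own SID, plus a look at what hangs off the object before you delete or reset it), added here as an example and not code from anyone on the list. It assumes the RSAT ActiveDirectory module and the built-in LocalAccounts module are available, and that it is run on the joined machine itself; the computer name at the bottom is a placeholder.

```powershell
# Added example, not code from the thread: a PowerShell version of joe's
# adfind/getsid comparison plus the pre-delete checks he describes.
# Assumes the RSAT ActiveDirectory module (Get-ADComputer, Get-ADObject) and
# the built-in Microsoft.PowerShell.LocalAccounts module (Get-LocalUser).
# Run it on the joined machine itself: the machine SID is only visible locally.
Import-Module ActiveDirectory

function Get-ComputerObjectReport {
    param([Parameter(Mandatory)][string]$ComputerName)

    # objectSid of the computer object = domain SID + RID (joe's SID1).
    $obj = Get-ADComputer -Identity $ComputerName

    # Anything hanging off the object (printQueue, MSMQ configuration, ...)
    # is what joe says must be deleted with it, or removed first.
    $children = Get-ADObject -Filter * -SearchBase $obj.DistinguishedName `
                             -SearchScope OneLevel |
                Select-Object Name, ObjectClass

    [pscustomobject]@{
        Name         = $obj.Name
        ObjectSid    = $obj.SID.Value
        DomainSid    = $obj.SID.AccountDomainSid.Value
        Rid          = ($obj.SID.Value -split '-')[-1]
        Enabled      = $obj.Enabled   # an unjoin may only disable, never delete
        ChildObjects = @($children)
    }
}

function Get-LocalMachineSid {
    # Same trick as getsid: take the RID-500 local account and drop the RID.
    # Matching on the RID rather than the name survives a renamed Administrator.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $admin.SID.AccountDomainSid
}

function Compare-ComputerSids {
    param([Parameter(Mandatory)][string]$ComputerName)

    $report = Get-ComputerObjectReport -ComputerName $ComputerName
    $local  = Get-LocalMachineSid

    [pscustomobject]@{
        ComputerName     = $report.Name
        ObjectDomainSid  = $report.DomainSid  # the domain's SID (SID1 prefix)
        LocalMachineSid  = $local.Value       # the machine's own SID (SID2)
        SidsMatch        = ($report.DomainSid -eq $local.Value)  # expect $false
        AccountEnabled   = $report.Enabled
        ChildObjectCount = $report.ChildObjects.Count
        ChildObjects     = $report.ChildObjects
    }
}

# Placeholder name; substitute the account you are about to rebuild or delete.
Compare-ComputerSids -ComputerName 'MAINPRO' | Format-List
```

A non-empty ChildObjects list is the case joe singles out: delete the object together with its children or remove them first, rather than resetting and rejoining.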
RE: [ActiveDir] Upgrading computers and computer objects
Rich,

I suspect it's not the SID it's looking at. It's more likely the GUID.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, December 29, 2003 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Further info... after #9 on XP, I removed, rebooted, and then added it back under a different name that happened to already exist. It told me that it already existed, and it added it back with the same name it had before. I'm pretty sure the name that exists is simply for a VM that I rebuilt with RIS without removing the computer account. So perhaps it's checking the computer's SID and if it's the same one, it allows the computer to be added back under the same name. Perhaps resetting the account allows you to add a new SID under that name without deleting and re-adding the computer account in AD?

Rich

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 10:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Yeah that's what I usually do. I went through the process with Win2K and WinXP just now. Here is what I found:

Win2K -
1) logged on as domain admin,
2) moved to workgroup - silently succeeded
3) did not notice if account was disabled.
4) Rebooted, logged in as local admin,
5) added it back to the domain, same computer name,
6) it asked me for authorized login info to add account, succeeded.
7) Rebooted, logged in as local admin,
8) moved back to workgroup, it told me: This computer was disjoined from the domain "DOMAIN.COM", but the computer account could not be disabled. You should contact your network administrator with this information.
9) Rebooted, joined back to domain with same computer name, no problems.

WinXP -
1) logged on as domain admin,
2) moved to workgroup, asked me for authentication, which I gave without specifying domain,
3) checked ADUC and computer account was disabled but not deleted.
4) Rebooted, logged in as local admin,
5) added it back to the domain, same computer name,
6) asked me for authorized login info to add account, succeeded.
7) Rebooted, logged in as local admin,
8) moved back to workgroup, asked me for credentials, succeeded.
9) Rebooted, joined back to domain with same computer name, no problems.

It seems that the only difference is that Win2K does not ask for credentials and either silently succeeds or it fails to disable the account. XP asks for credentials. What's the point in disabling the account? Not sure. What does a reset gain you? Not sure there either, because I never once deleted the computer name or reset it before adding the computer back to the domain with the same name. Granted, the computer NIC and IP and etc. was the same, so maybe it checks that before allowing you to add back with an existing name. But NT4 didn't allow that, you had to delete the account first (and sync with the PDC!)

Rich

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 10:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Wow. Never saw that before. I'll have to play with my crashbox a bit later. Maybe it's just because I usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Just tried it, XP SP1 on a 2003 domain, Network Identification,
> switched from domain member to workgroup member:
>
> Enter the name and password of an account with permission to remove
> this computer from the domain.
>
> User name:
>
> Password:
>
> This is while logged in as a domain admin. It seems to be fairly new
> behavior, I can't recall if AD 2000 did this or not. It might be an
> XP thing.
>
> Rich
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 9:41 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> I've only been prompted for credentials when joining a domain, not
> when leaving one. And those are always for the new domain, not the
> old.
>
> --
> Roger D. Seielstad - MTS MCSE MS-M
RE: [ActiveDir] Upgrading computers and computer objects
Further info... after #9 on XP, I removed, rebooted, and then added it back under a different name that happened to already exist. It told me that it already existed, and it added it back with the same name it had before. I'm pretty sure the name that exists is simply for a VM that I rebuilt with RIS without removing the computer account. So perhaps it's checking the computer's SID and if it's the same one, it allows the computer to be added back under the same name. Perhaps resetting the account allows you to add a new SID under that name without deleting and re-adding the computer account in AD?

Rich

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 10:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Yeah that's what I usually do. I went through the process with Win2K and WinXP just now. Here is what I found:

Win2K -
1) logged on as domain admin,
2) moved to workgroup - silently succeeded
3) did not notice if account was disabled.
4) Rebooted, logged in as local admin,
5) added it back to the domain, same computer name,
6) it asked me for authorized login info to add account, succeeded.
7) Rebooted, logged in as local admin,
8) moved back to workgroup, it told me: This computer was disjoined from the domain "DOMAIN.COM", but the computer account could not be disabled. You should contact your network administrator with this information.
9) Rebooted, joined back to domain with same computer name, no problems.

WinXP -
1) logged on as domain admin,
2) moved to workgroup, asked me for authentication, which I gave without specifying domain,
3) checked ADUC and computer account was disabled but not deleted.
4) Rebooted, logged in as local admin,
5) added it back to the domain, same computer name,
6) asked me for authorized login info to add account, succeeded.
7) Rebooted, logged in as local admin,
8) moved back to workgroup, asked me for credentials, succeeded.
9) Rebooted, joined back to domain with same computer name, no problems.

It seems that the only difference is that Win2K does not ask for credentials and either silently succeeds or it fails to disable the account. XP asks for credentials. What's the point in disabling the account? Not sure. What does a reset gain you? Not sure there either, because I never once deleted the computer name or reset it before adding the computer back to the domain with the same name. Granted, the computer NIC and IP and etc. was the same, so maybe it checks that before allowing you to add back with an existing name. But NT4 didn't allow that, you had to delete the account first (and sync with the PDC!)

Rich

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 10:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Wow. Never saw that before. I'll have to play with my crashbox a bit later. Maybe it's just because I usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Just tried it, XP SP1 on a 2003 domain, Network Identification,
> switched from domain member to workgroup member:
>
> Enter the name and password of an account with permission to remove
> this computer from the domain.
>
> User name:
>
> Password:
>
> This is while logged in as a domain admin. It seems to be fairly new
> behavior, I can't recall if AD 2000 did this or not. It might be an
> XP thing.
>
> Rich
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 9:41 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> I've only been prompted for credentials when joining a domain, not
> when leaving one. And those are always for the new domain, not the old.
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Rich Milburn [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 29, 2003 10:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> >
> > You know... it's one of those things I rarely bother to do
> > because
RE: [ActiveDir] Upgrading computers and computer objects
Yeah that's what I usually do. I went through the process with Win2K and WinXP just now. Here is what I found:

Win2K -
1) logged on as domain admin,
2) moved to workgroup - silently succeeded
3) did not notice if account was disabled.
4) Rebooted, logged in as local admin,
5) added it back to the domain, same computer name,
6) it asked me for authorized login info to add account, succeeded.
7) Rebooted, logged in as local admin,
8) moved back to workgroup, it told me: This computer was disjoined from the domain "DOMAIN.COM", but the computer account could not be disabled. You should contact your network administrator with this information.
9) Rebooted, joined back to domain with same computer name, no problems.

WinXP -
1) logged on as domain admin,
2) moved to workgroup, asked me for authentication, which I gave without specifying domain,
3) checked ADUC and computer account was disabled but not deleted.
4) Rebooted, logged in as local admin,
5) added it back to the domain, same computer name,
6) asked me for authorized login info to add account, succeeded.
7) Rebooted, logged in as local admin,
8) moved back to workgroup, asked me for credentials, succeeded.
9) Rebooted, joined back to domain with same computer name, no problems.

It seems that the only difference is that Win2K does not ask for credentials and either silently succeeds or it fails to disable the account. XP asks for credentials. What's the point in disabling the account? Not sure. What does a reset gain you? Not sure there either, because I never once deleted the computer name or reset it before adding the computer back to the domain with the same name. Granted, the computer NIC and IP and etc. was the same, so maybe it checks that before allowing you to add back with an existing name. But NT4 didn't allow that, you had to delete the account first (and sync with the PDC!)

Rich

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 10:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Wow. Never saw that before. I'll have to play with my crashbox a bit later. Maybe it's just because I usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Just tried it, XP SP1 on a 2003 domain, Network Identification,
> switched from domain member to workgroup member:
>
> Enter the name and password of an account with permission to remove
> this computer from the domain.
>
> User name:
>
> Password:
>
> This is while logged in as a domain admin. It seems to be fairly new
> behavior, I can't recall if AD 2000 did this or not. It might be an
> XP thing.
>
> Rich
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 9:41 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> I've only been prompted for credentials when joining a domain, not
> when leaving one. And those are always for the new domain, not the old.
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Rich Milburn [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 29, 2003 10:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> >
> > You know... it's one of those things I rarely bother to do because
> > I do #2 below, and the couple of times I have done it, I've never
> > checked to see if the account was gone. Seems like you _should_ need
> > domain privs to remove a computer from the domain, and it _should_
> > delete the computer account... now that you mention it I have
> > "removed" computers from the domain without being able to contact
> > the DC. What's the point of asking for an account that can remove it
> > from the domain, if you have to be an admin to get that far in the
> > first place? (though I've never tried switching to workgroup as a
> > non-admin account so maybe it will let you try to remove the computer
> > from the domain as a regular user a
RE: [ActiveDir] Upgrading computers and computer objects
As Rick says, option two would be the best way to go forward with it. The new computers wouldn't have the corresponding SID of the computer that they are replacing. Deleting the existing computer accounts will delete the old SIDs, and joining up the new machines with the correct naming convention that you are looking for will add the new SIDs to the database. In option one, removing the machine from the domain should, I could be wrong, do the same as deleting the accounts from ADUC. So option two should save you time and effort on the install as well as hassle in the future.

Hope this helps

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: 28 December 2003 19:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Irwan,

I would concur that option two is the most successful method, from my experience. For all intents and purposes, the Computer object is a derivative of the User object and has a SID associated with it. Simply naming a computer the same as an existing object will not yield the desired result, and will often cause unpredictable results.

I might not be reading the options correctly, but I see option one and three as the same.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Sunday, December 28, 2003 7:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrading computers and computer objects

I'm curious what is the best practice or recommended way for the following case:

I have several computers that are joined to the domain, and I'm going to upgrade some of these computers with a different computer (newer), though the UNC name of these computers will remain the same.

Should I:
1. Remove the old computers from the domain, install the new computers, and join them to the domain?
2. Since there are several computers, can I just delete the corresponding computer objects in the ADUC, install the new computers, and join them to the domain?
3. Just put the new computers in place, and join them with the same name?

So far, I'm doing the second way, because I think it is the cleanest way.

Thanks

Kind regards,
David Houston
Computer Consultant
Dame Computers
RE: [ActiveDir] Upgrading computers and computer objects
Wow. Never saw that before. I'll have to play with my crashbox a bit later. Maybe it's just because I usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Just tried it, XP SP1 on a 2003 domain, Network Identification,
> switched from domain member to workgroup member:
>
> Enter the name and password of an account with permission to remove
> this computer from the domain.
>
> User name:
>
> Password:
>
> This is while logged in as a domain admin. It seems to be fairly new
> behavior, I can't recall if AD 2000 did this or not. It might be an
> XP thing.
>
> Rich
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 9:41 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> I've only been prompted for credentials when joining a domain, not
> when leaving one. And those are always for the new domain, not the old.
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Rich Milburn [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 29, 2003 10:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> >
> > You know... it's one of those things I rarely bother to do because
> > I do #2 below, and the couple of times I have done it, I've never
> > checked to see if the account was gone. Seems like you _should_ need
> > domain privs to remove a computer from the domain, and it _should_
> > delete the computer account... now that you mention it I have
> > "removed" computers from the domain without being able to contact
> > the DC. What's the point of asking for an account that can remove it
> > from the domain, if you have to be an admin to get that far in the
> > first place? (though I've never tried switching to workgroup as a
> > non-admin account so maybe it will let you try to remove the computer
> > from the domain as a regular user and just ask for an admin account?)
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 29, 2003 8:58 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> >
> > Actually, removing a computer from the domain on the client side
> > (i.e. changing its domain membership to a workgroup) does NOT remove
> > the machine account from AD (nor did it remove the account in NT4
> > domains). No domain rights are required to remove a machine from the
> > domain - you can prove this by using the local admin account of a
> > machine to remove it from the domain. Local admin has no domain
> > rights, yet you can remove the machine from the domain.
> >
> > The only action I know of which will remove the computer account
> > automatically is running DCPromo to remove a DC.
> >
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -----Original Message-----
> > > From: Rich Milburn [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, December 29, 2003 9:32 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > >
> > > Irwan forgive me if I read you wrong...
> > >
> > > I think what he's asking is about leaving the computer accounts in
> > > AD or deleting them. When you remove the computer from the domain
> > > (like join it to a workgroup) it removes the computer account from
> > > the domain. Or you can turn the computer off and delete the account
> > > forcefully with ADUC or dsrm or whatever. Or you can reset the
> > > account - something I've
RE: [ActiveDir] Upgrading computers and computer objects
Just tried it, XP SP1 on a 2003 domain, Network Identification, switched from domain member to workgroup member:

Enter the name and password of an account with permission to remove this computer from the domain.

User name:

Password:

This is while logged in as a domain admin. It seems to be fairly new behavior, I can't recall if AD 2000 did this or not. It might be an XP thing.

Rich

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 9:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

I've only been prompted for credentials when joining a domain, not when leaving one. And those are always for the new domain, not the old.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 10:38 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> You know... it's one of those things I rarely bother to do because
> I do #2 below, and the couple of times I have done it, I've never
> checked to see if the account was gone. Seems like you _should_ need
> domain privs to remove a computer from the domain, and it _should_
> delete the computer account... now that you mention it I have
> "removed" computers from the domain without being able to contact
> the DC. What's the point of asking for an account that can remove it
> from the domain, if you have to be an admin to get that far in the
> first place? (though I've never tried switching to workgroup as a
> non-admin account so maybe it will let you try to remove the computer
> from the domain as a regular user and just ask for an admin account?)
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 8:58 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Actually, removing a computer from the domain on the client side
> (i.e. changing its domain membership to a workgroup) does NOT remove
> the machine account from AD (nor did it remove the account in NT4
> domains). No domain rights are required to remove a machine from the
> domain - you can prove this by using the local admin account of a
> machine to remove it from the domain. Local admin has no domain
> rights, yet you can remove the machine from the domain.
>
> The only action I know of which will remove the computer account
> automatically is running DCPromo to remove a DC.
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Rich Milburn [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 29, 2003 9:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> >
> > Irwan forgive me if I read you wrong...
> >
> > I think what he's asking is about leaving the computer accounts in
> > AD or deleting them. When you remove the computer from the domain
> > (like join it to a workgroup) it removes the computer account from
> > the domain. Or you can turn the computer off and delete the account
> > forcefully with ADUC or dsrm or whatever. Or you can reset the
> > account - something I've rarely used, because I didn't know what the
> > difference was from deleting the account and adding the new computer
> > with the same name.
> >
> > Rich
> >
> > -----Original Message-----
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, December 28, 2003 1:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> >
> > Irwan,
> >
> > I would concur that option two is the most successful method, from
> > my experience. For all intents and purposes, the Computer object is
> > a derivative of the User object and has a SID associated with it.
> > Simply naming a computer the same as an existing object will not
> > yield the desired result, and will often cause unpredictable results.
> >
> > I might not be reading the options correctly, but I see option one
> > and three as the same.
> >
> > Rick Kingslan MCSE, MCSA, MCT
RE: [ActiveDir] Upgrading computers and computer objects
I've only been prompted for credentials when joining a domain, not when
leaving one. And those are always for the new domain, not the old.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 10:38 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> You know... it's one of those things I rarely bother to do because I do #2
> below, and the couple of times I have done it, I've never checked to see if
> the account was gone. Seems like you _should_ need domain privs to remove a
> computer from the domain, and it _should_ delete the computer account... now
> that you mention it I have "removed" computers from the domain without being
> able to contact the DC. What's the point of asking for an account that can
> remove it from the domain, if you have to be an admin to get that far in the
> first place? (though I've never tried switching to workgroup as a non-admin
> account so maybe it will let you try to remove the computer from the domain
> as a regular user and just ask for an admin account?)
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 8:58 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Actually, removing a computer from the domain on the client side (i.e.
> changing its domain membership to a workgroup) does NOT remove the machine
> account from AD (nor did it remove the account in NT4 domains). No domain
> rights are required to remove a machine from the domain - you can prove this
> by using the local admin account of a machine to remove it from the domain.
> Local admin has no domain rights, yet you can remove the machine from the
> domain.
>
> The only action I know of which will remove the computer account
> automatically is running DCPromo to remove a DC.
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Rich Milburn [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 29, 2003 9:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> >
> > Irwan forgive me if I read you wrong...
> >
> > I think what he's asking is about leaving the computer accounts in AD or
> > deleting them. When you remove the computer from the domain (like join it
> > to a workgroup) it removes the computer account from the domain. Or you can
> > turn the computer off and delete the account forcefully with ADUC or dsrm or
> > whatever. Or you can reset the account - something I've rarely used,
> > because I didn't know what the difference was from deleting the account and
> > adding the new computer with the same name.
> >
> > Rich
> >
> > -----Original Message-----
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, December 28, 2003 1:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> >
> > Irwan,
> >
> > I would concur that option two is the most successful method, from my
> > experience. For all intents and purposes, the Computer object is a
> > derivative of the User object and has a SID associated with it. Simply
> > naming a computer the same as an existing object will not yield the desired
> > result, and will often cause unpredictable results.
> >
> > I might not be reading the options correctly, but I see option one and three
> > as the same.
> >
> > Rick Kingslan MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> > WebLog - www.msmvps.com/willhack4food
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
> > Sent: Sunday, December 28, 2003 7:29 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Upgrading computers and computer objects
> >
> > I'm curious what is the best practice or recommended way for the following
RE: [ActiveDir] Upgrading computers and computer objects
You know... it's one of those things I rarely bother to do because I do #2
below, and the couple of times I have done it, I've never checked to see if
the account was gone. Seems like you _should_ need domain privs to remove a
computer from the domain, and it _should_ delete the computer account... now
that you mention it I have "removed" computers from the domain without being
able to contact the DC. What's the point of asking for an account that can
remove it from the domain, if you have to be an admin to get that far in the
first place? (though I've never tried switching to workgroup as a non-admin
account so maybe it will let you try to remove the computer from the domain
as a regular user and just ask for an admin account?)

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 8:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Actually, removing a computer from the domain on the client side (i.e.
changing its domain membership to a workgroup) does NOT remove the machine
account from AD (nor did it remove the account in NT4 domains). No domain
rights are required to remove a machine from the domain - you can prove this
by using the local admin account of a machine to remove it from the domain.
Local admin has no domain rights, yet you can remove the machine from the
domain.

The only action I know of which will remove the computer account
automatically is running DCPromo to remove a DC.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 9:32 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Irwan forgive me if I read you wrong...
>
> I think what he's asking is about leaving the computer accounts in AD or
> deleting them. When you remove the computer from the domain (like join it
> to a workgroup) it removes the computer account from the domain. Or you can
> turn the computer off and delete the account forcefully with ADUC or dsrm or
> whatever. Or you can reset the account - something I've rarely used,
> because I didn't know what the difference was from deleting the account and
> adding the new computer with the same name.
>
> Rich
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 28, 2003 1:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Irwan,
>
> I would concur that option two is the most successful method, from my
> experience. For all intents and purposes, the Computer object is a
> derivative of the User object and has a SID associated with it. Simply
> naming a computer the same as an existing object will not yield the desired
> result, and will often cause unpredictable results.
>
> I might not be reading the options correctly, but I see option one and three
> as the same.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> WebLog - www.msmvps.com/willhack4food
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
> Sent: Sunday, December 28, 2003 7:29 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Upgrading computers and computer objects
>
> I'm curious what is the best practice or recommended way for the following
> case:
> I have several computers that are joined to the domain, and I'm going to
> upgrade some of these computers with a different computer (newer), though the
> UNC name of these computers will remain the same.
> Should I:
> 1. Remove the old computers from the domain, install the new computers, and
> join them to the domain?
> 2. Since there are several computers, can I just delete the corresponding
> computer objects in the ADUC, install the new computers, and join them to
> the domain?
> 3. Just put the new computers in place, and join them with the same name?
>
> So far, I'm doing the second way, because I think it is the cleanest way.
>
> Thanks
RE: [ActiveDir] Upgrading computers and computer objects
Actually, removing a computer from the domain on the client side (i.e.
changing its domain membership to a workgroup) does NOT remove the machine
account from AD (nor did it remove the account in NT4 domains). No domain
rights are required to remove a machine from the domain - you can prove this
by using the local admin account of a machine to remove it from the domain.
Local admin has no domain rights, yet you can remove the machine from the
domain.

The only action I know of which will remove the computer account
automatically is running DCPromo to remove a DC.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 9:32 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Irwan forgive me if I read you wrong...
>
> I think what he's asking is about leaving the computer accounts in AD or
> deleting them. When you remove the computer from the domain (like join it
> to a workgroup) it removes the computer account from the domain. Or you can
> turn the computer off and delete the account forcefully with ADUC or dsrm or
> whatever. Or you can reset the account - something I've rarely used,
> because I didn't know what the difference was from deleting the account and
> adding the new computer with the same name.
>
> Rich
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 28, 2003 1:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
>
> Irwan,
>
> I would concur that option two is the most successful method, from my
> experience. For all intents and purposes, the Computer object is a
> derivative of the User object and has a SID associated with it. Simply
> naming a computer the same as an existing object will not yield the desired
> result, and will often cause unpredictable results.
>
> I might not be reading the options correctly, but I see option one and three
> as the same.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> WebLog - www.msmvps.com/willhack4food
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
> Sent: Sunday, December 28, 2003 7:29 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Upgrading computers and computer objects
>
> I'm curious what is the best practice or recommended way for the following
> case:
> I have several computers that are joined to the domain, and I'm going to
> upgrade some of these computers with a different computer (newer), though the
> UNC name of these computers will remain the same.
> Should I:
> 1. Remove the old computers from the domain, install the new computers, and
> join them to the domain?
> 2. Since there are several computers, can I just delete the corresponding
> computer objects in the ADUC, install the new computers, and join them to
> the domain?
> 3. Just put the new computers in place, and join them with the same name?
>
> So far, I'm doing the second way, because I think it is the cleanest way.
>
> Thanks
RE: [ActiveDir] Upgrading computers and computer objects
Irwan forgive me if I read you wrong...

I think what he's asking is about leaving the computer accounts in AD or
deleting them. When you remove the computer from the domain (like join it
to a workgroup) it removes the computer account from the domain. Or you can
turn the computer off and delete the account forcefully with ADUC or dsrm or
whatever. Or you can reset the account - something I've rarely used,
because I didn't know what the difference was from deleting the account and
adding the new computer with the same name.

Rich

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 28, 2003 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Irwan,

I would concur that option two is the most successful method, from my
experience. For all intents and purposes, the Computer object is a
derivative of the User object and has a SID associated with it. Simply
naming a computer the same as an existing object will not yield the desired
result, and will often cause unpredictable results.

I might not be reading the options correctly, but I see option one and three
as the same.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Sunday, December 28, 2003 7:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrading computers and computer objects

I'm curious what is the best practice or recommended way for the following
case:
I have several computers that are joined to the domain, and I'm going to
upgrade some of these computers with a different computer (newer), though the
UNC name of these computers will remain the same.
Should I:
1. Remove the old computers from the domain, install the new computers, and
join them to the domain?
2. Since there are several computers, can I just delete the corresponding
computer objects in the ADUC, install the new computers, and join them to
the domain?
3. Just put the new computers in place, and join them with the same name?

So far, I'm doing the second way, because I think it is the cleanest way.

Thanks
RE: [ActiveDir] Upgrading computers and computer objects
Irwan,

I would concur that option two is the most successful method, from my
experience. For all intents and purposes, the Computer object is a
derivative of the User object and has a SID associated with it. Simply
naming a computer the same as an existing object will not yield the desired
result, and will often cause unpredictable results.

I might not be reading the options correctly, but I see option one and three
as the same.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Sunday, December 28, 2003 7:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrading computers and computer objects

I'm curious what is the best practice or recommended way for the following
case:
I have several computers that are joined to the domain, and I'm going to
upgrade some of these computers with a different computer (newer), though the
UNC name of these computers will remain the same.
Should I:
1. Remove the old computers from the domain, install the new computers, and
join them to the domain?
2. Since there are several computers, can I just delete the corresponding
computer objects in the ADUC, install the new computers, and join them to
the domain?
3. Just put the new computers in place, and join them with the same name?

So far, I'm doing the second way, because I think it is the cleanest way.

Thanks
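Two points in this thread deserve a concrete check. Roger's observation that a client-side disjoin does NOT delete the computer account means orphaned objects accumulate silently, and Rick's point that the computer object carries its own SID means deleting and recreating an object (option 2) yields a new SID, while resetting the existing account keeps it. The script below is an added example written for this page, not something any poster in the thread provided. It uses the ADSI searcher in System.DirectoryServices (available on any domain-joined Windows host, no RSAT module needed) to list computer accounts whose machine-account password has not rotated within a threshold, together with each object's SID, so an administrator can review which objects are stale before removing them with dsrm or ADUC as the thread describes. The 90-day threshold, the use of pwdLastSet as the staleness signal, and the default naming context as search root are assumptions of this example.

```powershell
# Added example, not from the thread. Audits computer accounts in the
# current domain via ADSI (System.DirectoryServices, no RSAT needed).
# For each stale account it reports the objectSid and when the
# machine-account password was last set, so objects orphaned by a
# client-side disjoin can be reviewed before removal (dsrm / ADUC).
param(
    [int]$MaxAgeDays = 90   # assumption: flag accounts idle longer than this
)

# pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC); 0 means never set.
$cutoff = [DateTime]::UtcNow.AddDays(-$MaxAgeDays).ToFileTimeUtc()

$searcher = New-Object System.DirectoryServices.DirectorySearcher
# Default SearchRoot is the domain of the host running the script (assumption).
$searcher.Filter   = "(&(objectCategory=computer)(pwdLastSet<=$cutoff))"
$searcher.PageSize = 1000   # paged search so large domains are not truncated
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('name', 'pwdLastSet', 'objectSid', 'operatingSystem', 'distinguishedName'))

foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties

    # objectSid is returned as byte[]; SecurityIdentifier renders it as S-1-5-21-...
    # This is the directory object's SID, which is not the machine's local SID.
    $sidBytes = [byte[]]$p['objectsid'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    $raw = [int64]$p['pwdlastset'][0]
    $lastSet = if ($raw -eq 0) { 'never' } else { [DateTime]::FromFileTimeUtc($raw).ToString('u') }

    # Emit one record per stale account; pipe to Export-Csv or review interactively.
    [pscustomobject]@{
        Name            = [string]$p['name'][0]
        ObjectSid       = $sid.Value
        PasswordLastSet = $lastSet
        OS              = [string]$p['operatingsystem'][0]
        DN              = [string]$p['distinguishedname'][0]
    }
}
```

Run it from a domain-joined host as an account that can read the domain partition; the output is a review list, not a deletion. Keep the ObjectSid column from a run before a rebuild: if the rebuilt machine is rejoined after an account reset, the same SID should appear afterwards, whereas a delete-and-rejoin produces a new one, which is exactly the difference Rick describes.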