Subject: Re: Dear Customer, Thank you for posting in newsgroup.
Author: Holly Gage
Date: 03 Jan 2011
What if I have a user account that has permissions to join machines to the domain and I have technical support people out in the field imaging and joining workstations to the domain? They are using a script with this particular account and password embedded in the script to do this work. So in fact, they don't actually have permissions to join workstations to the domain except via this script. They cause themselves problems when they join multiple workstations to the domain with the same name (last one joined wins); however, the thought occurred to me that there might be potential to join a workstation to the domain that has the same name as one of my servers. Now that would really be a problem. How do I prevent this?

Maybe I have prevented this as the account is limited to only having permissions in the workstation OU and my servers are located elsewhere. Is there any chance the folks out in the field can cause me problems with my servers if they join a workstation to a different OU with the same name?

> On Monday, April 28, 2008 6:19 PM mcro wrote:

> I have a W2K3 domain. I have an XP computer named JMS03 that is a member of
> the domain. If I (accidentally) join another computer named JMS03 to the
> domain, I am unable to log on to the domain from the original XP computer. I
> think this is because the secure channel cannot be established between the
> original computer and the DCs.
> Is the original computer account being "overwritten" with the new computer
> account?
> Is there any warning or error message that a computer account with that name
> already exists when I join the second computer to the domain? Seems like in
> the old NT4 days, I would get an error message.


>> On Monday, April 28, 2008 7:32 PM Al Mulnick wrote:

>> You don't get a warning message because you have the rights to overwrite it.
>> The system is not designed to protect you from yourself and assumes you
>> intended to overwrite the existing computer account. An example of a time
>> you would do that is when you re-image a machine and re-use the same name -
>> that's a valid scenario to do that. In your case, it would be nice if you
>> got a warning from name resolution that you were about to do something
>> silly, but that's not going to work in all paths either.
>>
>> You might consider changing your process so that you pre-create all
>> accounts. That will afford you the checks and balances to prevent you from
>> overwriting the existing accounts.
>>
>> al
>>
>>
>> "mcRon" <mcron@news.postalias> wrote in message
>> news:ECFD424B-8DFA-43F0-BD06-66AFCD9E98FD@microsoft.com...


>>> On Tuesday, April 29, 2008 6:00 AM v-dashe wrote:

>>> Dear Customer,
>>>
>>> Thank you for posting in newsgroup. And thanks to the member for the
>>> contribution.
>>>
>>> Based on the experience, here is some information which may be helpful for
>>> you.
>>>
>>> Analysis and Suggestion:
>>> ======================
>>>
>>> 1. Is the original computer account being "overwritten" with the new
>>> computer account?
>>>
>>> Yes, when you join another computer named JMS03 to the domain with the
>>> administrator credential, the system allowed you to replace the old domain
>>> computer account with the new one even though they have the same name. By
>>> default, the domain admin has the rights to change the Active Directory
>>> database. The Active Directory will establish the new security channel
>>> between the new computer and the domain controller. In other words, the old
>>> security channel between the old computer and the domain controller is
>>> replaced with the new. To avoid this kind of situation, I would like to
>>> suggest that you change the computer name before you add it to the domain
>>> to avoid the duplicated computer name in the current domain. However, if
>>> you join the computer named JMS03 to the domain with an ordinary domain
>>> user's credential, the system will pop up the error message with "Access
>>> Denied" since the domain user doesn't have the right to change the data in
>>> the Active Directory database.
>>>
>>> 2. Is there any warning or error message that a computer account with that
>>> name already exists when I join the second computer to the domain?
>>>
>>> If you did this with domain admin's credential, the system won't pop up the
>>> error message to alert us. If you did this with an ordinary domain user's
>>> credential, the system will pop up error message with "Access Denied" since
>>> we have no rights to change the domain database.
>>>
>>> For the detailed error message about joining the computer to the domain,
>>> you may find the NetSetup.log in the folder of %systemroot%\Debug on the
>>> problematic computer.
>>>
>>> For more Reference:
>>> =================
>>>
>>> Error Message "Access Denied" When You Join a Computer to a Domain
>>> http://support.microsoft.com/kb/330095
>>>
>>> A computer cannot join a domain after you upgrade to Windows Server 2003
>>> Service Pack 1
>>> http://support.microsoft.com/kb/925632
>>>
>>> Hope it helps.
>>>
>>> Thanks for your time.
>>>
>>> David Shen
>>> Microsoft Online Partner Support


>>>> On Tuesday, April 29, 2008 8:44 AM mcro wrote:

>>>> Al, thanks for your reply.
>>>>
>>>> McR
>>>>
>>>> "Al Mulnick" wrote:


>>>>> On Tuesday, April 29, 2008 8:44 AM mcro wrote:

>>>>> Thanks!
>>>>>
>>>>> McR
>>>>>
>>>>> "David Shen [MSFT]" wrote:


>>>>>> On Tuesday, April 29, 2008 10:05 PM v-dashe wrote:

>>>>>> Dear Customer,
>>>>>>
>>>>>> Thanks for your reply. I am glad that the information is helpful for you.
>>>>>> If you have any question, please welcome to our newsgroup again.
>>>>>>
>>>>>> David Shen
>>>>>> Microsoft Online Partner Support
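
Added example, not part of any post in this thread: a pre-join guard for the field script that searches the whole domain for an existing computer account with the same name and refuses to join if one exists (sAMAccountName is unique per domain, so the lookup is not limited to the workstation OU). The domain name, OU path and function name are hypothetical, and the credential is prompted for here instead of being embedded in the script.

```powershell
# Added example: block the join when the computer name is already taken in the domain.
# Hypothetical values: corp.example.com and the Workstations OU distinguished name.
function Find-ExistingComputerAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DomainDns,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Accept only plain NetBIOS-style names (1-15 letters, digits, hyphens) so that
    # nothing unexpected ends up inside the LDAP filter below.
    if ($Name -notmatch '^[A-Za-z0-9-]{1,15}$') {
        throw "Invalid computer name: $Name"
    }
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    # Bind with explicit credentials; works from a machine that is not yet domain-joined.
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DomainDns", $user, $pass
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.SearchScope = 'Subtree'   # whole domain, every OU
    # Computer accounts carry the machine name plus a trailing '$' in sAMAccountName.
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    if ($hit) { return [string]$hit.Properties['distinguishedname'][0] }
    return $null
}

$cred   = Get-Credential                                   # join account
$domain = 'corp.example.com'                               # hypothetical
$ou     = 'OU=Workstations,DC=corp,DC=example,DC=com'      # hypothetical

$existing = Find-ExistingComputerAccount -Name $env:COMPUTERNAME -DomainDns $domain -Credential $cred
if ($existing) {
    # Same name already exists (workstation or server): stop instead of overwriting it.
    Write-Error "Name '$env:COMPUTERNAME' is already used by $existing. Rename this machine before joining."
    exit 1
}
Add-Computer -DomainName $domain -OUPath $ou -Credential $cred
```

The check is advisory: two joins started at the same moment can both pass it, so it complements pre-created accounts and tightly scoped permissions for the join account and does not replace them.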

