JhonFredy-3502 asked

How can I force a computer object to be created before adding the computer to a domain

Hi Team,

I remember when I was working in a company that before we could join a computer to the domain, the computer object had to be created ahead of time in Active Directory.

How can I force a computer object to be created before joining the computer to a domain?

What setting needs to be enabled in GPO to enforce this?

Thanks.

windows-active-directory

DSPatrick answered

before we can join a computer to the domain, the computer object must be create ahead in active directory.

There is no such requirement. The computer account will be created automatically during the domain join process. If you want to do so anyway, you can use PowerShell:
https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adcomputer?view=windowsserver2019-ps

--please don't forget to upvote and Accept as answer if the reply is helpful--

DSPatrick answered

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--

cthivierge answered

By default, an authenticated user without domain admins or delegated permissions can join up to 10 computers in a domain. This value can be changed using the attribute ms-DS-MachineAccountQuota on the domain.

The best option is what DSPatrick suggests.

JhonFredy-3502 answered

Hi, thanks for the responses, but we need to enforce the policy that we mentioned above because sometimes the helpdesk team joins computers to the domain without changing the default name of the computers, and additionally each time the helpdesk team joins a computer to the domain we need to move the object to the correct OU in order for it to receive the GPO policies.

DSPatrick answered

You can use PowerShell
https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adcomputer?view=windowsserver2019-ps

--please don't forget to upvote and Accept as answer if the reply is helpful--

JhonFredy-3502 answered

Thanks for the suggestion, but this is not a solution for me. As mentioned:
I remember when I was working in a company (mid 2013) that before we could join a computer to the domain, the computer object had to be created ahead of time in Active Directory.

I think there must be an option in GPO - Domain Controller Policy that we can use to enforce this.

DSPatrick commented

I don't believe there is any such standard GPO policy.

--please don't forget to upvote and Accept as answer if the reply is helpful--

cthivierge answered

AFAIK, there is no option in Group Policy to create or enforce the creation of a computer account in case it does not exist.

The policy you may be thinking of is the following:
Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Add workstations to domain
This policy defines who is able to add computers to the domain. The process of creating the computer account is not a GPO setting.


What you can do is use a PS script like DSPatrick mentioned to create computer objects in the correct OU before the computer joins the domain. This is probably the best option in case you don't want to delegate permission on a specific OU.

hth
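
The two answers above (ms-DS-MachineAccountQuota and pre-creating objects with New-ADComputer) combined into one script, as an added example that is not part of any poster's reply: it reports the quota, sets it to 0 so ordinary authenticated users can no longer create computer accounts during a join, then pre-stages named objects in the intended OU. The OU path, computer names and description are hypothetical placeholders.

```powershell
# Added example. The OU path and computer names are hypothetical placeholders.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$targetOu  = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU
$computers = 'HQ-WS-0101', 'HQ-WS-0102'            # constructed sample names

# 1. Report the current quota (10 by default, as noted in the thread).
$attr  = 'ms-DS-MachineAccountQuota'
$quota = (Get-ADObject -Identity $domainDn -Properties $attr).$attr
Write-Output "Current $attr on ${domainDn}: $quota"

# 2. Set the quota to 0 so authenticated users without delegated rights
#    cannot create a new computer account as part of a domain join.
if ($quota -ne 0) {
    Set-ADDomain -Identity $domainDn -Replace @{ $attr = 0 }
    Write-Output "$attr set to 0"
}

# 3. Pre-stage each computer object in the correct OU before the join,
#    so it carries the agreed name and receives that OU's GPOs from the start.
foreach ($name in $computers) {
    # NetBIOS computer names are limited to 15 characters.
    if ($name.Length -gt 15) {
        Write-Warning "Skipping '$name': longer than 15 characters"
        continue
    }
    # Do not touch an object that already exists under this name.
    if (Get-ADComputer -Filter "Name -eq '$name'") {
        Write-Warning "Skipping '$name': computer object already exists"
        continue
    }
    New-ADComputer -Name $name -SamAccountName $name -Path $targetOu `
        -Enabled $true -Description 'Pre-staged before domain join'
    Write-Output "Pre-staged $name in $targetOu"
}
```

A quota of 0 does not restrict Domain Admins or accounts that have been delegated permission to create computer objects on an OU, so review those delegations as well. Joining a machine to a pre-staged object still requires permission on that object, which has to be granted separately to the helpdesk group.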