IT Connect

Information technology tools and resources at the UW

Adding a computer to a Delegated OU

What You Need To Know First

Prior to joining your first computer to a delegated OU, you will need to know a couple things.

Know the computer naming guidelines

These guidelines are detailed in the OU Practices document, but in a compact form, the MI computer naming guidelines are:

How can I add a computer account without a computer in the NETID domain?

You might be caught in this dilemma on your first computer. See our advice in the OU Admin Tools and Tips document.

Automated Creation

A PowerShell script is available to pre-create one or more new computer objects. It is available from:
 https://itconnect.uw.edu/wp-content/uploads/2016/05/New-UWWIComputer.zip

Additional information and usage instructions are available from Using New-UWWIComputer.ps1 or via the built-in help system in PowerShell.

Manual Creation

Pre-create a new computer account via Active Directory Users & Computers (ADUC) or your preferred computer account creation tool in the desired OU within your delegated OU. NOTE: By default, only members of u_msinf_<yourOU>_ouadmins or u_msinf_<yourOU>_computerjoiners can create computer accounts in your OU.

If you use ADUC to pre-create the account, you can specify which user accounts are allowed to join a computer with the same NetBios name as the pre-created computer account. We suggest you specify u_msinf_<yourOU>_computermanagers, so that all your computer joiners can join the computer to this computer account. See picture below for this control.

When creating the computer account, please use a name within your computer namespace reservation(s).

 

Join the computer

In general, there is a multi-step process to join using Control Panel → System → Advanced System Settings → Computer Name (or Start → Run → sysdm.cpl):

  1. Join the Domain
    1. Click the “Change” button on the System Properties window
    2. Check the Domain radio-button and enter “netid.washington.edu” into the Domain edit box, click OK
    3. A window pops up asking for an account with permission to join the domain; enter the name and password of an account that is in your u_msinf_<yourOU>_computermanagers group
    4. Click OK on the “welcome to the domain” window; ignore the “Changing the Primary DNS” error if it occurs and click OK
    5. Click OK on the “You must restart” window
    6. Click Close on the System Properties window and reboot
  2. Change the computer’s DNS suffix
    1. After the reboot, reopen System Properties and click the Change button
    2. Click the “More” button
    3. Uncheck ‘Change primary DNS suffix when domain membership changes’
    4. Change primary DNS suffix to a value that is NOT netid.washington.edu (e.g. clients.uw.edu), click OK, OK
    5. Reboot – This is important!
  3. It may take another reboot for group policies to be completely applied

For step #1, use the System control panel or any other viable method (e.g. automated methods) to join the computer to the NETID domain. Upon reboot, your computer will recognize that it is in your delegated OU and apply any applicable group policy. Keep in mind that some computer group policy settings require more than one reboot to take effect. However, the approach of pre-creating the computer account in the OU you want the computer to ultimately be in should result in the appropriate group policy being applied sooner than the traditional method of joining then moving the computer account to the destination OU.

For steps #2, please see https://itconnect.uw.edu/wares/msinf/other-help/faq/ou-guidance/#dnsSuffixConfig for help.

NOTE: Unless you granted u_msinf_<yourOU>_computermanagers per our recommendation above, only the account which created the computer account will be able to do step #1c.

If you don’t pre-create the computer account, upon domain join, you will be subject to the Unclaimed Computers OU Group Policy settings which are not pleasant.

NOTE: There is a bug in Windows 7 such that trying to join the domain and change the DNS suffix in one operation may result in a broken computer (a domain user login failure with the “domain trust relationship” error). For more info see http://support.microsoft.com/kb/2659158. It will join the domain but the DNS suffix will not be updated on the domain computer object and/or the SPNs will not contain the correct DNS suffix. That is why we recommend doing it in two steps. It appears that this bug was fixed in Windows 8.