What is the point of creating a computer object in Active Directory when you still have to join the PC?

0 like 0 dislike
What is the point of creating a computer object in Active Directory when you still have to join computers to the domain, which then creates the object anyway?
asked Oct 22, 2014 by Scott Johansen  

4 Answers

0 like 0 dislike
Best answer
When you create the account first you can place it in the right OU (and with the right security groups, creds to Evan Anderson) from the start.
answered Oct 22, 2014 by Oskar Duveborn  
...and the right security groups. "Computers are people, too."
0 like 0 dislike
I don't think I have ever created a computer object manually before, so why would you? Is there a reason to specifically create computer objects in an AD structure without joining that computer to the domain?
answered Oct 22, 2014 by Moo  
If you have a group policy structure that requires certain computer accounts to be in certain OUs, you can ensure it isn't misplaced by creating it first. Otherwise, it goes in the default "Servers" OU if created dynamically.
It goes into "Computers" by default, unless you change the default. It's a container, not an OU.
0 like 0 dislike
You can pre-create a computer object and assign permission to a non-admin to perform the join.
answered Oct 22, 2014 by ThatGraemeGuy  
0 like 0 dislike
We delegated out the ability to create computer accounts. However, we have delegated it to the appropriate OU for the organization. So given the typical that Microsoft uses, imagine that there is an OU for Europe. We want to make sure all the computer objects get created in Europe by the European admins. That ensures all GPOs apply appropriately and it ensures that you don't get this cluttered computers folder at the root. When the US admins come along, they can only create computer accounts in the US OU. Again, GPOs apply properly, etc. It also ensures that a US admin can't take out a Europe computer account. You get the idea.
answered Oct 22, 2014 by K. Brian Kelley  
Perfect example. In general, I think most small organizations (less than 200 - 300 computer objects) won't feel the need to precreate computer objects as long as they have processes in place to move the object later.
Delegation of control and pre-creating computer objects are different things. You want pre-created computer objects. When your "tech monkey" puts the PC on the desk, sets the name, and joins the domain you want the startup scripts and GPOs necessary to prep the machine and install all of the software onto the factory fresh image to "just work". I love those kinds of PC deployments, and I'd shoot for it in an organization with 10 PCs (because eventually the computers are going to get replaced).
Actually, they are tied together. If you've got multiple admin groups, and you've deployed a multiple OU model to support them, then you delegate control to create computers in particular OUs (you don't give an admin the ability to create computer accounts everywhere). This ensures the computer accounts stay in the right place. However, that means they have to be pre-created as a result.
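
The pre-staging workflow discussed in this thread, as an added example that is not part of any answer above: it lists computer objects that landed in the default Computers container (which cannot have GPOs linked to it) and pre-creates accounts in the intended OU with their security group. The OU path, group name and computer names are hypothetical placeholders, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical values: replace with your own OU, group and naming scheme.
$targetOu = 'OU=Workstations,OU=Europe,DC=example,DC=com'
$group    = 'EU-Workstations'
$newNames = 'EU-WS-0101', 'EU-WS-0102'

# The default landing place for accounts created by a plain domain join.
# It is CN=Computers,<domain DN> unless it was redirected (for example with redircmp).
$defaultContainer = (Get-ADDomain).ComputersContainer

# 1. Audit: computers sitting directly in the default container were joined
#    without a pre-staged account and receive no OU-linked GPOs.
$stray = Get-ADComputer -Filter * -SearchBase $defaultContainer -SearchScope OneLevel `
             -Properties whenCreated |
         Sort-Object whenCreated |
         Select-Object Name, whenCreated, DistinguishedName

if ($stray) {
    Write-Warning "$(@($stray).Count) computer object(s) in $defaultContainer"
    $stray | Format-Table -AutoSize
}

# 2. Pre-stage: create each account in the right OU and group before the join,
#    so OU-linked GPOs and group-filtered policy apply from the first boot.
foreach ($name in $newNames) {
    if (Get-ADComputer -Filter "Name -eq '$name'") {
        Write-Warning "$name already exists, skipping"
        continue
    }

    $computer = New-ADComputer -Name $name -SamAccountName $name `
                    -Path $targetOu -Enabled $true `
                    -Description 'Pre-staged before domain join' -PassThru

    Add-ADGroupMember -Identity $group -Members $computer
    Write-Output "Pre-staged $($computer.DistinguishedName)"
}
```

Run it under an account that has been delegated computer-creation rights on the target OU only; `New-ADComputer` then fails for any other OU, which is the containment the last answer describes.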