Active Directory : Tech-Pages
Adding a Workstation into Active Directory
Author Mark N. Goedert
mgoedert@uic.edu
Introduction
This page will guide you through the process of adding a workstation into the UIC Active Directory.
Prerequisites
You need to be an "OU" administrator for your department. You need these rights to create and manage computer objects in the UIC-AD. If you are not the "OU" admin, contact your REACH person and they will be able to help you.
You will also need the "Active Directory Users and Computers" MMC to view computers in the UIC-AD. You can find additional information regarding AD management tools linked here.
The minimum platform requirements for using the UIC-AD are Windows 2000 Professional and Windows XP Professional, both with the latest service packs.
Older operating systems and Windows XP Home are not supported in the UIC-AD.
You need a Local Administrator account on the machine you are bringing into your domain. This account must be different from the account used by the daily users.
Summary of "Must Haves"
- "OU" departmental administrator rights in the UIC-AD.
- Downloaded and installed the "AD Users and Computers" MMC on a PC.
- Win2k Pro. or WinXP Pro. Operating System
- Local Administrator rights to the workstation you are adding to the domain.
If you have the above prerequisites you can continue to add a PC to the UIC-AD domain.
Adding a Workstation into the UIC-AD
Step 1. - Precreate a computer object in your department OU using the Active Directory Users and Computers Management Console (MMC).
Use the "Active Directory Users and Computers" MMC to create a computer object under your department OU. You can find additional information regarding AD management tools linked here.
Naming Standards - It is recommended that you use a standard naming convention for your department. Why? Standard names make it easier for you to search the AD tree for your computers, and they are easier to find in lists sorted alphabetically. We recommend you include a short department abbreviation at the beginning of your computer names. For example, my computer is in the ACCC organizational unit "CC", so my computer name is "CC-MGoedert", or it could be "UIC-CC-MGoedert" if it is a server. There is a 14 character limitation, so you do not want your computer names to be too long.
If you need to change your workstation name, do this now, before adding your machine to the UIC-AD. The name change is done on your local computer and will require you to reboot your system.
Once you have settled on your new, standard computer name you can proceed with adding your workstation to the UIC-AD.
To create the computer account:
- Navigate to your department OU
- Right click in the right pane, then select "New" and "Computer"

Follow the steps through the creation process, type in the computer name and click "Next".

Accept the default values below (not managed) and click "Next".

Click on "Finish" to create the computer object in the UIC-AD.

Step 2. - Verify workstation settings, antivirus, and patch level.
You must have the latest system patches installed on your machine before migrating into the UIC-AD. Your critical updates should also be set up to check for and install patches nightly. This helps prevent security outbreaks from spreading across the campus.
You should also have the latest antivirus client installed, and it should check for and install antivirus updates nightly and perform a system scan. This helps prevent virus outbreaks from spreading across the campus.
You should be able to "ping" each of the domain controllers by IP as well as the following host names. You can also use "nslookup" to test and see if the IP addresses resolve to the names below.
- uic-cc-dc1.ad.uic.edu -> 131.193.68.141 -> DC (East Campus)
- uic-cc-dc2.ad.uic.edu -> 131.193.68.142 -> DC (West Campus)
- uic-cc-dc3.ad.uic.edu -> 131.193.68.142 -> DC (East Campus)
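The ping and nslookup checks above can be run in one pass on a workstation that has PowerShell. This is an added example, not part of the original page; the function name Test-DCLookup is made up for illustration, and the name and address pairs are copied as listed above.

```powershell
# Name-to-address pairs copied as listed in Step 2 of this page.
$ExpectedDCs = [ordered]@{
    'uic-cc-dc1.ad.uic.edu' = '131.193.68.141'
    'uic-cc-dc2.ad.uic.edu' = '131.193.68.142'
    'uic-cc-dc3.ad.uic.edu' = '131.193.68.142'
}

function Test-DCLookup {   # hypothetical helper name
    param([System.Collections.IDictionary]$Expected = $ExpectedDCs)

    foreach ($name in @($Expected.Keys)) {
        $want = $Expected[$name]
        $row = [pscustomobject]@{
            Name = $name; ExpectedIP = $want; ResolvedIP = ''
            ReverseName = ''; Pings = $false; Problems = @()
        }
        # Forward lookup (what "nslookup <name>" shows), IPv4 only.
        try {
            $addrs = @([System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString })
            $row.ResolvedIP = $addrs -join ','
            if ($addrs -notcontains $want) { $row.Problems += 'forward lookup differs from list' }
        } catch { $row.Problems += 'name does not resolve' }
        # Reverse lookup (what "nslookup <ip>" shows).
        try {
            $row.ReverseName = [System.Net.Dns]::GetHostEntry($want).HostName
            if ($row.ReverseName -ne $name) { $row.Problems += 'reverse lookup names another host' }
        } catch { $row.Problems += 'no reverse record' }
        # One echo request sent to the IP, so the result does not depend on DNS.
        $row.Pings = [bool](Test-Connection -ComputerName $want -Count 1 -Quiet)
        if (-not $row.Pings) { $row.Problems += 'no ping reply' }
        # Two names listed with one address: confirm the list against DNS.
        $shared = @($Expected.Keys | Where-Object { $Expected[$_] -eq $want })
        if ($shared.Count -gt 1) { $row.Problems += 'address listed for more than one name' }
        $row
    }
}

Test-DCLookup | Format-Table Name, ExpectedIP, ResolvedIP, Pings,
    @{ Name = 'Problems'; Expression = { $_.Problems -join '; ' } } -AutoSize
```

A row with an empty Problems column means the name resolves to the listed address, the address resolves back to the name, and the controller answers a ping.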
Step 3. - Add the local computer into the UIC-AD domain.
This is done from the client workstation. You are effectively removing the workstation from "workgroup" mode and placing it into a domain.
Start off by going to the workstation you need to add and right click "My Computer". Select "Properties" and locate the "Computer Name" tab.

Locate and click the "Change" button. The following screen will appear.

The “Computer Name” must match the name of the computer account in Active Directory Users and Computers. The “Member of” domain should be set to ad.uic.edu.
When complete, click the "OK" button. You will be prompted for your NetID and password; enter them in the following format:
- Domain Account: "ad\NetID"
- Password: "ACCC CommonPwd"
After a minute or two you will receive a dialog box stating that "your computer was successfully added to the ad.uic.edu domain". You will have to reboot your computer at this time.
Step 4. - Test your UIC-AD login.
You can now test your domain computer by using your NetID and ACCC common password to log in to the workstation. The very first time you log in to your workstation a brand new local profile is created. This can take several minutes and will only happen the very first time you log in.
Default Rights - Once you are logged in to the workstation you are granted "user" level privileges for the files and resources on the local PC. This will be sufficient for most of your users; you can grant higher privileges like "power user" or "local administrator" to your users if desired.
Raising the account privilege level is done on the local workstation by:
- Logging in as a "Local Administrator", right clicking the "My Computer" icon and selecting "Manage" from the drop down menu.
- Navigate on the left to the local users and groups branch, click "groups".
- On the right you will see a listing of the groups that exist locally on your workstation.
- You will want to add the user "AD\<NetID>" to the "Power Users" group or "Administrators" group depending upon how much power you want the client to have over the local machine. You may also want to have your "GG-DEPT Admins" group added to the "Local Administrators" group of the PC you are working on.
You didn't lose your data - Your old files and desktop settings are still on your workstation. If you would like to retrieve them, they can be found under the "Documents and Settings" folder on your computer, in the directory named for your old login ID.
Step 5. - Secure Administrator rights on the workstation.
To properly secure your workstation in the UIC-AD you need to use your LOCAL Administrator account or place your AD\Domain account in the local Administrators group on the workstation you are securing.
Our goal is to remove "AD\Domain Admins" from your Local Administrators group. Start off by going to the workstation you need to secure and right click the "My Computer" icon on the desktop. Select "Manage" and a console will appear on the screen. On the left, navigate to your local users and groups and click the "groups" branch. You will see a listing of the groups that exist locally on your workstation. Select the "Administrators" group and view the members.
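The same membership review can be scripted on a workstation that has PowerShell. This is an added example, not part of the original page; the function names are made up for illustration, and it assumes the NetBIOS domain name "AD" (from the "ad\NetID" logon format above) and the English group name "Administrators". It only reports unless -Apply is given, and it refuses to remove "AD\Domain Admins" when no other administrator account would remain.

```powershell
# Assumptions: NetBIOS domain name "AD" (from the "ad\NetID" logon format on
# this page) and the English local group name "Administrators".
$DomainAdminsPath = 'WinNT://AD/Domain Admins'

function Get-LocalAdminMember {   # hypothetical helper name
    # The ADSI WinNT provider lists local group members, domain principals included.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t = $m.GetType()
        $path = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            ADsPath = $path
            Class   = $t.InvokeMember('Class', 'GetProperty', $null, $m, $null)
            # Local accounts carry the computer name: WinNT://<domain>/<computer>/<name>
            IsLocal = $path -like "WinNT://*/$env:COMPUTERNAME/*"
        }
    }
}

function Remove-DomainAdminsFromLocalAdmins {   # hypothetical helper name
    param([switch]$Apply)   # without -Apply the function only reports

    $members = @(Get-LocalAdminMember)
    $target  = @($members | Where-Object { $_.ADsPath -eq $DomainAdminsPath })
    # Step 5 needs another administrator to remain: a local Administrator
    # account or your own AD account. Enabled state is not checked here.
    $keepers = @($members | Where-Object {
        $_.Class -eq 'User' -and $_.ADsPath -ne $DomainAdminsPath })

    if ($target.Count -eq 0)  { return 'AD\Domain Admins is not a member; nothing to do.' }
    if ($keepers.Count -eq 0) { return 'Refusing: no other administrator account would remain.' }
    if (-not $Apply) {
        return "Would remove $DomainAdminsPath; $($keepers.Count) administrator account(s) remain."
    }

    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.Remove($DomainAdminsPath)
    return "Removed $DomainAdminsPath."
}

Get-LocalAdminMember | Format-Table -AutoSize
Remove-DomainAdminsFromLocalAdmins      # report only; add -Apply to make the change
```

Run it from an elevated session under the local Administrator account, and log in once with that account afterwards to confirm you still have administrative access.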

Finished - For the final step you can have your client use their NetID and Common Password to login to the workstation.
If you have any questions or corrections to this document, please send an email to LAN@uic.edu and the LAN team will answer your request.
Updated 11/06/2006