XP Workstation setup in an NT domain: Adding PC?

Posted by: tfabris

XP Workstation setup in an NT domain: Adding PC? - 18/02/2002 13:51

Okay, I've been administering Windows NT Domains for several years now. And all has gone fine so far. But now this newfangled XP gizmo comes along and screws everything up.

Here's the way it used to work:

- When someone sets up a new NT workstation, they need a computer account for the local PC to establish a trust relationship with the domain.

- This computer account can only be created by an administrator (or certain other designated users).

- There are two ways to create this computer account:

1) An administrator walks over to the user's workstation at setup time and enters the admin password to join that workstation to the domain.

2) An administrator, without leaving his chair, can run the Server Manager application and add <<computername>> to the domain, and tell the user what to name the computer. The user is warned that the computer account has to be set up by an administrator, but lets them continue. On the next reboot, the user is properly joined to the domain with the new computername and all is well. The administrator has not had to leave his desk.

My problem: option number 2 does not exist when setting up an XP workstation. At least, when this guy in our department went to set up XP, it wouldn't let him go past the domain-joining part until it got my name/password in the box. There was no way to just tell it, "look, you stupid OS, I already added the computer account to the domain, just use it."

How the hell do they expect people in my position to deploy XP if we keep having to run to each workstation to set it up? That's just dain-bramaged. Is there an easy work-around?
Posted by: lopan

Re: XP Workstation setup in an NT domain: Adding PC? - 18/02/2002 20:44

We're suffering the same XP-related hassles at work too... I know this might sound strange, but be warned about running XP's defrag on your hard disk... I know it sounds strange and it might just be a Gateway laptop thing, but everyone uses Gateway laptops where I work, specifically the 9550's, and we've already lost 4 hard disks. All users reported they ran defrag and blamo! Now, we've had people run defrag and everything goes fine... just strange that all 4 disks that were returned had been defragged... they were all less than 2 months old as well.
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 18/02/2002 22:46

Interesting. Thanks for the tip.

Just from the little bit I've been playing with XP, it seems like an elephant designed by a committee. And with all that work and hype, I think the new user interface is downright ugly.
Posted by: Bryce

Re: XP Workstation setup in an NT domain: Adding PC? - 18/02/2002 23:51

This is an NT 4 domain? SMB signing on the workstation end is the usual culprit, but that doesn't jive with it working with a Domain Admin account. Is there any sort of error message on the workstation, or a security event on the DC?

I would double-check Q281648 and then make it PSS's problem (assuming that you have a support contract).

Aside: My company switched to Gateway due to a publicized battle we had with Dell. I imagine our Gateway sales rep is about the only person satisfied with the deal. I decided that I'd buy my own damned laptop once my Inspiron was too obsolete.
Posted by: lopan

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 00:16

Yup... that's why I always switch to the classic menus style first thing... It's like AOL OS!

I actually like the Gateway laptops... even though they break, we always get a new one within a day cross-shipped, so customer service is excellent (then again we order 30 or 40 a month so I'm sure there's an ass kiss factor working in our favor). Worked with Dell too; the higher end Dells rock, but I'm unimpressed with the lower lines (Inspiron? don't know). That just goes for laptops; all our field workstations used on contracts are GX1's, and even though they're old (government standard) they're solid, so I can't speak highly enough of the Dell workstations.
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 08:33

This is an NT 4 domain? SMB signing on the workstation end is the usual culprit, but that doesn't jive with it working with a Domain Admin account. Is there any sort of error message on the workstation, or a security event on the DC?

Yes, it's an NT4 domain, but you don't understand. This is not an error. There is nothing wrong at all. It's simply the lack of a feature.

If I want to add an NT4 workstation to the domain, I can do it from my desk, and I can do it at any time. If I want to add an XP workstation to the domain, I have to get up and walk to the workstation, and only at a specific moment during setup.
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 08:34

... It's like AOL OS!

OMG, that is the perfect description, it totally sums up the way I feel about the XP user interface. I think I'm going to use that from now on. Thanks.
Posted by: lopan

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 09:19

I do like the media support... however many things I hate about XP... one, ever try to encode an mp3 in XP? You'll find if you're not logged on as you or move that file to another PC you get a wonderful little message "you do not have sufficient rights to access this file". Not that it matters, I'm sure we all here rely on other means to get our mp3's, but I personally find that invasive. Secondly, back to the AOL OS... I don't need Microsoft holding my hand every step of the way; you should be given options during setup, "Idiot mode" or "Normal PC user". Then we get into that whole active registration thing... "No Microsoft, I don't want to send you all my information via the web". All this crap about piracy, yet if ya really want it, you can log onto Morpheus and grab a copy of the corporate version without active registration....
Posted by: lopan

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 09:23

I use XP on my laptop at work (it came with it).... I use 2k at home, but I know several people using pirated versions of corporate without any problems. (Had to throw that in there to cover my ass)
Posted by: Bryce

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 14:49

Yes, it's an NT4 domain, but you don't understand. This is not an error. There is nothing wrong at all. It's simply the lack of a feature.

I understand completely. Knowing that you're having the problem during setup is helpful. Would you like a tested work-around, or do you only want to complain that XP sucks?
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 14:53

Heh, I was hoping for both.

Should I actually go READ that Q-article quoted above? Maybe that has a workaround in it...
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 14:57

Hmm, checked that Q article, wasn't a work-around for my issue...
Posted by: Bryce

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 15:00

The KB article isn't likely your issue.

Sounds like you're letting the users build their XP machines. Have them join or create a Workgroup during setup. Create the machine account, then have them do System Properties -> Computer Name -> Change. They will be prompted for a local account with sufficient rights to join the domain (even if they are already logged in as Administrator). Type it in, hit OK a few times, reboot, voilà.

-Bryce
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 15:07

I don't want to have to walk to their machines either during or after setup, though. I didn't have to do it with NT4 and I shouldn't have to do it with AOL OS.

Also, instructions for joining a workgroup first, then a domain later, are asinine; Windows should not make you do that.
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 15:09

Wait, unless you're saying that they simply need an account on THEIR pc that's in their LOCAL administrators group and it'll work?

That might be the trick... HMMMMM....
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 15:10

If that's true, that's just irritating. Because that same box (back in the NT4 days) needed a domain admin's password, not their password. God I hate it when they change stuff like that in the operating system!
Posted by: Bryce

Re: XP Workstation setup in an NT domain: Adding PC? - 19/02/2002 16:51

Yes, the user needs to be admin on the local box. If your users are building their own boxes (which is how I read the situation), that is a non-issue.

If you are actually doing unattended installs, I saw something about that in the KB with a work-around. Try searching for "XP domain unattended".

If you want the Network Identification Wizard fixed, open a case with PSS. Seems like a valid bug to me (the wizard attempts to use the specified computer account but fails). Or post something on ntbugtraq.

-Bryce
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 01/06/2004 10:59

BUMP.

I now have a user who temporarily changed his XP laptop from "Domain" to "Workgroup" and now wants to change it back. He's getting prompted for an administrator password to join the XP box to the domain again. There's still no way to just tell it "the box account already exists, just use it again."

Anyone?
Posted by: Roger

Re: XP Workstation setup in an NT domain: Adding PC? - 01/06/2004 11:03

Anyone?

You're right -- there is no way to do it. As I understand the NTLM domain mechanics, there's theoretically no way to provide this facility.

It goes something like this:

When you join the machine to the domain, a machine account is created for the machine, and the machine gets the relevant encrypted magic that associates it with the machine account.

When you remove the machine from the domain, this magic is deleted.

Thus, there's no way of reconnecting the machine to the existing machine account without recreating the encrypted magic (which requires talking to the domain controller) -- hence the need for the administrator password.
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding PC? - 01/06/2004 11:15

But you could do it on Windows NT and Windows 2000.

You could switch back and forth between "Workgroup" and "Domain" all you wanted without having to create a new box account. As long as the sysadmin didn't delete the box account from Server Manager, it would just re-use the box account.

Sure, if the workstation and server got the box account hashes desynchronized it would be a problem. For instance if you create an image of the box, and the account hash gets updated a week later, then two weeks after that you restore the image (with its stale client-side hash), then you'd have a problem.

But that's not what I'm talking about here. I'm saying:

- User is already in the domain. Box has perfectly good box account on the domain with perfectly good hash.

- User clicks "Workgroup". Welcome to the workgroup.

- User clicks "Domain". Do you want to create a computer account for this box now? No. Welcome to the domain.

That worked on NT/2000. On XP you don't get that last option, it forces you to enter an administrator's password.
Posted by: Roger

Re: XP Workstation setup in an NT domain: Adding PC? - 01/06/2004 13:29

On XP you don't get that last option

Hmmm. Don't know then.
Posted by: Ezekiel

Re: XP Workstation setup in an NT domain: Adding P - 01/06/2004 15:23

I found this.


It looks like what you already know - you need to supply credentials with domain-joining rights.

Pretty poor if you ask me, it seems a reasonable & common thing to do for notebook users.

-Zeke
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding P - 01/06/2004 20:49

Yup. Precisely.

I finally got fed up today, and gave my Domain Users the rights to add computers to the domain. Fuck it.
Posted by: cob666

Re: XP Workstation setup in an NT domain: Adding P - 02/06/2004 08:35

Why don't you just terminal serve into the machine and add the machine to the domain that way?

I have several remote clients and this is how I configure their new machines.

-cob
Posted by: wfaulk

Re: XP Workstation setup in an NT domain: Adding P - 02/06/2004 09:15

I am totally not a Windows admin, but can't you add a computer to the domain from the domain controller itself, essentially pre-registering it, and then when it tries, it gets in? Or is this the same situation that you're already in (except you added it a long time ago) and it's not working?
Posted by: tfabris

Re: XP Workstation setup in an NT domain: Adding P - 02/06/2004 10:28

Why don't you just terminal serve into the machine and add the machine to the domain that way.

Because (a) I shouldn't have to, and (b) that is almost as much trouble as having to walk up to the machine and futz with it. I should be able to pre-add a computer name to the domain and then not worry about the exact time and place that user decides to actually connect it up.

Which brings me to Bitt's point...

I am totally not a Windows admin, but can't you add a computer to the domain from the domain controller itself, essentially pre-registering it, and then when it tries, it gets in?

That's exactly what I'm talking about, Bitt. That procedure you just described worked on Windows NT and Windows 2000. But the feature that allowed it to work is flat-out missing from XP. In the place where it would have allowed you to just connect the pre-registered computer to the domain, it now forces the user to add the computer to the domain with an administrator's username and password, instead of just allowing it to use a pre-existing one. That's the exact crux of the problem.

The problem happens whether I'm adding a new computer to the domain, or the user has switched from domain to workgroup and back again. Same screen, same problem.
Posted by: cob666

Re: XP Workstation setup in an NT domain: Adding P - 02/06/2004 10:53

Because (a) I shouldn't have to, and (b) that is almost as much trouble as having to walk up to the machine and futz with it. I should be able to pre-add a computer name to the domain and then not worry about the exact time and place that user decides to actually connect it up.


It still is kind of a pain, but at least you don't have to (or shouldn't have to) get up from your desk.

-cob
Posted by: Roger

Re: XP Workstation setup in an NT domain: Adding P - 02/06/2004 11:48

That's the exact crux of the problem.

It's almost certainly a security issue. That initially-created-but-not-yet-attached machine account can allow any PC to join the domain without any kind of checking. I'm not surprised that Microsoft removed it.
Posted by: Ezekiel

Re: XP Workstation setup in an NT domain: Adding P - 02/06/2004 12:39

But in this case you've got a machine that has already associated itself to the domain Machine Account, and just wants to pick up where it left off, no different than if you took the laptop away from the network, logged on and off then tried to log back on to the Domain. It's not as if you've logged onto another Domain - which would overwrite the security tokens on the client machine. It's not as if just connecting to another network while disconnected from the Domain is a problem - how could it be? Connecting to a Workgroup is certainly no more dangerous than using the internet.

You've always needed an Admin account/password to initially join a machine to a freshly minted machine account on a Domain. It's needing it to re-join the Domain that's the rub.

-Zeke
Posted by: drakino

Re: XP Workstation setup in an NT domain: Adding P - 02/06/2004 12:50

I'm not sure exactly how they do it here, but I can join my computer to the domain at any time, but only my computer. Thus, typing my domain account info is valid to join computer A to the domain, but not Computer B.

To request a new computer to be joined, we either fill out a web form or call IT (and they do the same process with the extra field of "username").

So there are ways to limit this. I'll try asking around and see if the IT guys on site know how it works.
Posted by: Ezekiel

Re: XP Workstation setup in an NT domain: Adding P - 03/06/2004 06:20

That's most likely because 'Computer A' already has an account in the Domain, while 'Computer B' would not. Your IT folks would take the form you submitted and create an account for 'Computer B' to join, then when you tried to join B to the Domain it would work.

Is your computer XP? (sorry if you mentioned it in an above post and I missed it)

-Zeke
Posted by: drakino

Re: XP Workstation setup in an NT domain: Adding P - 03/06/2004 13:18

My computers that I have joined using this process:
Countless Windows 2000 Workstation
Countless Windows XP Professional
SuSE Enterprise 8 via Samba 2.2
Mac OS X 10.3 via Samba 3.0

So whatever is going on behind the scenes, it is working for XP as well. This includes a base XP install off a normal CD, thus nothing weird in policy manager is being changed client side to allow them to join.