Hello. I am offering slightly different info/experience, both because I am serious and because I like to take up unpopular stands. :o)
If you have printer or MQ objects or other objects hanging off the computer object, either delete the object and all subobjects or remove the subobjects. For just a plain-jane standalone computer object I see nothing wrong with resetting the password on the account and rejoining. In fact that is a very common practice in our company for Dev server accounts, because there are only 3 people in the entire company that can create the server computer objects in the right place, and if a server account pops up someplace else we promptly "jail" it. We create the accounts with some delegated rights for join (one of which allows password reset) to some given domain local group. When the people in that group need to rebuild the machine they rebuild it, reset the password on the account, and then rejoin. We have developer machines that have had this done hundreds of times.

There is a lot of chatter concerning the computer's SID. The SID of the computer and the SID of the computer object are NOT the same. I am not positive that the computer maintains a copy of its domain SID on itself, though I expect it may (Does Mark Russinovich watch this list at all? He would know.). Regardless, they are separately created and maintained. This is easy to see: dump the SID of the computer object, which will have the domain SID (adfind -gc -b -f name=machinename objectsid), and then dump the SID of the machine (a sideways method is to use getsid to get the SID of an account and strip off the last security identifier field like -500 or -501). Look at them, they are different.
C:\WINDOWS>adfind -gc -b -f name=mainpro objectsid
AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
Using server: w2kasdc1.joehome.com

dn:CN=MAINPRO,CN=Computers,DC=joehome,DC=com
>objectSid: S-1-5-21-1275210071-789336058-1957994488-218311

1 Objects returned

C:\WINDOWS>getsid \\mainpro guest \\mainpro administrator
The SID for account MAINPRO\guest does not match account MAINPRO\administrator
The SID for account MAINPRO\guest is S-1-5-21-1220945662-1682526488-1060284298-501
The SID for account MAINPRO\administrator is S-1-5-21-1220945662-1682526488-1060284298-500

C:\WINDOWS>

SID1: SID of computer object is S-1-5-21-1275210071-789336058-1957994488-218311
SID2: SID of computer itself is S-1-5-21-1220945662-1682526488-1060284298
SID1 != SID2

As for removing the account from the domain when unjoining: this doesn't occur, as I think has been worked out. At most I have seen it disable an account, though even that isn't always done, depending on what the context of the user is that does the unjoin. If the user doesn't have permissions to write the computer's userAccountControl she wouldn't be able to disable the account.

Hope that helps out.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Sunday, December 28, 2003 8:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrading computers and computer objects

I'm curious what is the best practice or recommended way for the following case: I have several computers that are joined to the domain, and I'm going to upgrade some of these computers with a different computer (newer), though the UNC name of these computers will remain the same. Should I:

1. Remove the old computers from the domain, install the new computers, and join them to the domain?
2. Since there are several computers, can I just delete the corresponding computer objects in the ADUC, install the new computers, and join them to the domain?
3. Just put the new computers in place, and join them with the same name?

So far, I'm doing the second way, because I think it is the cleanest way.

Thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
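As an added example, not part of joe's message and not code from AdFind or getsid: the comparison joe does by eye, done in Python. It parses the two kinds of SID quoted in the adfind/getsid output, strips the trailing RID the way the getsid "sideways method" does to recover the machine's own SID, and compares that with the domain portion of the computer object's objectSid. It also decodes the raw binary objectSid form that an LDAP query returns (adfind renders that as text for you). The sample SIDs are the ones from the output above; the function names and the `compare` result layout are my own.

```python
from __future__ import annotations
import struct

# Sample values copied from the adfind and getsid output in the post.
COMPUTER_OBJECT_SID = "S-1-5-21-1275210071-789336058-1957994488-218311"  # objectSid in AD
LOCAL_GUEST_SID = "S-1-5-21-1220945662-1682526488-1060284298-501"        # MAINPRO\guest
LOCAL_ADMIN_SID = "S-1-5-21-1220945662-1682526488-1060284298-500"        # MAINPRO\administrator


def parse_sid(sid: str) -> tuple[int, int, list[int]]:
    """Split 'S-<rev>-<authority>-<sub>-<sub>...' into (revision, authority, subauthorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def format_sid(revision: int, authority: int, subs: list[int]) -> str:
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_sid(account_sid: str) -> str:
    """Strip the trailing RID (-500, -501, ...): what remains identifies the issuing
    authority, i.e. the machine itself for a local account or the domain for a domain object."""
    revision, authority, subs = parse_sid(account_sid)
    if len(subs) < 2:
        raise ValueError(f"{account_sid} has no RID to strip")
    return format_sid(revision, authority, subs[:-1])


def rid(account_sid: str) -> int:
    return parse_sid(account_sid)[2][-1]


def sid_from_binary(blob: bytes) -> str:
    """Decode the binary objectSid LDAP returns: 1 byte revision, 1 byte subauthority count,
    6 bytes big-endian identifier authority, then little-endian 32-bit subauthorities."""
    revision, sub_count = blob[0], blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("objectSid length does not match subauthority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack("<%dI" % sub_count, blob[8:]))
    return format_sid(revision, authority, subs)


def sid_to_binary(sid: str) -> bytes:
    """Inverse of sid_from_binary; handy for building an LDAP filter on objectSid."""
    revision, authority, subs = parse_sid(sid)
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def compare(computer_object_sid: str, local_account_sids: list[str]) -> dict:
    """Recover the machine SID from its local accounts and compare it with the domain part
    of the AD computer object's SID. They are issued by different authorities, so they differ."""
    local_domains = {domain_sid(s) for s in local_account_sids}
    if len(local_domains) != 1:
        raise ValueError(f"local accounts come from more than one authority: {local_domains}")
    machine_sid = local_domains.pop()
    object_domain = domain_sid(computer_object_sid)
    return {
        "machine_sid": machine_sid,
        "object_domain_sid": object_domain,
        "object_rid": rid(computer_object_sid),
        "same": machine_sid == object_domain,
    }


if __name__ == "__main__":
    result = compare(COMPUTER_OBJECT_SID, [LOCAL_GUEST_SID, LOCAL_ADMIN_SID])
    for key, value in result.items():
        print(f"{key}: {value}")
    # Round-trip through the binary encoding LDAP actually hands back.
    assert sid_from_binary(sid_to_binary(COMPUTER_OBJECT_SID)) == COMPUTER_OBJECT_SID
```

Run it and `same` comes out False: the machine SID S-1-5-21-1220945662-1682526488-1060284298 is minted by the machine at install time, while the object's S-1-5-21-1275210071-789336058-1957994488 prefix is the domain's SID with RID 218311 appended by the DC. Resetting the account password and rejoining touches neither of them, which is why the practice in the post works.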
