Wholesale management of machine accounts

As I explained last month, Supplement Three of the Microsoft Windows NT Server 4.0 Resource Kit is now available. Supplement Three's highlight is its new NT utilities, but the supplement also includes improvements to some old friends, including Netdom. In the March "This Old Resource Kit," I looked at Netdom's trust-management capabilities.

This month, I'll look at the member option of Netdom's Supplement Three version, which makes managing many machine accounts easy.

Adding Accounts to a Domain
One common method for getting a machine to join a domain involves using Server Manager to create a machine account, then sitting down at the machine you want to add and telling it to join the domain. Another method requires you to start the target computer, tell the system's Setup program to join the domain, and enter a domain administrator's username and password. Neither of these processes lets you work remotely, so neither is ideal for adding machine accounts in bulk. To tell machine B to join domain C while you're sitting at machine A, you need Netdom's member option.

Suppose you want a computer named Fido to be a member of a domain named Bowsers. Log on to any NT machine that has the resource kit. Open a command prompt, and type

netdom /domain:bowsers member \\fido /joindomain

This command line tells your NT machine to find the PDC for Bowsers and create a machine account for Fido, then locate Fido and instruct Fido to log on to Bowsers the next time Fido powers up. If the machine you're working at is a member of the Bowsers domain, you can leave off the /domain: parameter.

Netdom has one requirement: You must be a domain administrator for Bowsers and a local administrator for Fido. Suppose Fido is a functional NT workstation that hasn't joined a domain, and you're trying to issue the Netdom command for Fido from another machine (I'll call it Mastiff). The first part of the Netdom command locates the PDC and asks it to create a machine account for Fido. If you logged on to Mastiff with a domain administrator account, the PDC creates a machine account for Fido without a problem. Then, the second part of the Netdom command contacts Fido and instructs Fido to join Bowsers. But before Fido follows your command to join the domain, it must recognize you as a local administrator. You need to establish your administrative credentials with Fido before you use Netdom. If Fido has a local administrative account named Marco and that account has the password polo, you can establish those credentials by typing

net use \\fido\ipc$ /user:marco polo

before you type the Netdom command line.

Other Netdom Member Commands
Netdom's member option lets you do some other neat things. Suppose you want to detach Fido from Bowsers. You need to tell Fido to stop logging on to Bowsers and delete Fido's machine account. The command line

netdom member \\fido /joinworkgroup bowsers

tells Fido that it's no longer a member of a domain; instead, it's a member of a workgroup named Bowsers. (You don't need to give the workgroup the same name as the domain.) The command line

netdom member \\fido /delete

tells NT to find a PDC and zap Fido's account.

In addition, you can use the command line

netdom member \\fido /query

to find out Fido's domain-membership status. And

netdom member \\fido /add

tells NT to create a machine account for Fido in Bowsers but doesn't tell Fido to log on to the domain under that account. Netdom lets you do things from the command line that used to require a lot of walking around.
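To do what the title promises and handle many machines at once, the following batch script wraps the net use, /joindomain and /query commands shown above in a loop and logs each result. It is an added example, not part of the column or of the resource kit; the script name joinall.cmd, the machine list, the local administrator name marco and the use of a command-line argument for that account's password are assumptions.

```batch
@echo off
rem Added example (not from the column): join every workstation listed in
rem a text file to the Bowsers domain from one admin machine, then query
rem each one so the outcome can be checked without visiting the machines.
rem Assumes the Supplement Three Netdom is on the path, that you are logged
rem on as a Bowsers domain administrator, and that every target has a
rem local administrator account named by LOCALADMIN (placeholder).
rem Usage: joinall.cmd machines.txt <local-admin-password>
rem The password comes from the command line rather than being stored in
rem this file, and each target's IPC$ session is dropped after the join.
setlocal
if "%2"=="" goto usage
set DOMAIN=bowsers
set LOCALADMIN=marco
set LOG=joinall.log
rem machines.txt is a constructed list, one NetBIOS name per line, e.g.
rem   fido
rem   rex
rem   spot
for /f %%m in (%1) do call :join %%m %2
echo Done. Check %LOG% for any machine that does not report %DOMAIN%.
goto :eof

:join
echo === %1 >> %LOG%
rem Step 1: establish local-administrator credentials on the target.
net use \\%1\ipc$ /user:%LOCALADMIN% %2 >> %LOG% 2>&1
if errorlevel 1 (
    echo %1: could not authenticate to IPC$, skipping >> %LOG%
    goto :eof
)
rem Step 2: create the machine account on the PDC and tell the target
rem to log on to the domain the next time it starts.
netdom /domain:%DOMAIN% member \\%1 /joindomain >> %LOG% 2>&1
rem Step 3: record what the target now reports about its membership.
netdom /domain:%DOMAIN% member \\%1 /query >> %LOG% 2>&1
rem Step 4: tear down the credential session established in step 1.
net use \\%1\ipc$ /delete >> %LOG% 2>&1
goto :eof

:usage
echo Usage: %0 machines.txt local-admin-password
```

Run it from a workstation that already has the resource kit; the /query lines in joinall.log show which machines took the join and which still need attention.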