computer account

A computer account is an account in the Security Accounts Manager database of a Microsoft Windows domain controller (or in Active Directory) that indicates that a particular computer is part of a Windows Server domain.


What is a Computer Account?

An account in the Security Accounts Manager (SAM) database of a Microsoft Windows NT domain controller (or in Active Directory of Windows 2000) that signifies that a particular computer is a part of a Windows NT or Windows 2000 domain.

Windows NT and Windows 2000 domain controllers can store three types of accounts: user accounts, group accounts, and computer accounts.

How It Works: Computer Account

Windows NT and Windows 2000 use computer accounts to determine whether the system from which a user is attempting to log on to the network is part of the domain. When the NetLogon service running on a client computer connects to the NetLogon service on a domain controller in order to authenticate a user, the two NetLogon services challenge each other to determine whether they both have valid computer accounts. This allows a secure communication channel to be established for logon purposes.

In order for a Windows NT server or workstation to join a domain, the machine must have a computer account created for it in the SAM database. There are two ways to create this account:

  • Use Server Manager in Windows NT or Active Directory Users and Computers in Windows 2000 to create a computer account for the machine, and then have the machine join the domain.
  • Use an administrator account to create a computer account while installing Windows NT or Windows 2000 on the server or workstation.

On Windows NT, make sure there are no open sessions with the domain’s Primary Domain Controller (PDC) before having a machine join a domain.

NOTE

Machines running Windows 95 and Windows 98 can participate in domain authentication, but they do not have computer accounts in the domain directory database. This is why the logon box for a Windows 95 or Windows 98 machine has a hard-coded domain name and can log on to only one domain. The logon box for a Windows NT machine, however, has a drop-down list that lets you select which domain you want to log on to, provided there are suitable trust relationships established between domains on the network.

TIP

If you reinstall Windows NT or Windows 2000 on a machine, you must delete the old computer account and create a new computer account, even if the machine has the same name as before.
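
The mutual challenge described under "How It Works", and the reason the TIP above calls for a new account after a reinstall, can be seen in a simplified model. This is an added example, not code from the original page or from Microsoft. It assumes the computer account holds a secret that the machine also stores locally, and it uses HMAC-SHA256 as a stand-in for the real NetLogon credential computation. The class, function and computer names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Simplified model: HMAC-SHA256 stands in for the real NetLogon credential
# computation, which this sketch does not reproduce.
def credential(secret, own_challenge, peer_challenge):
    """Proof that the sender holds the computer account secret."""
    return hmac.new(secret, own_challenge + peer_challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self):
        self.accounts = {}  # computer name -> secret (stand-in for the SAM database)

    def create_computer_account(self, name):
        """Create the account; the returned secret is stored on the joining machine."""
        self.accounts[name] = secrets.token_bytes(16)
        return self.accounts[name]

    def delete_computer_account(self, name):
        self.accounts.pop(name, None)

    def respond(self, name, client_challenge):
        """Answer a client challenge, or return None if no account exists."""
        secret = self.accounts.get(name)
        if secret is None:
            return None
        server_challenge = secrets.token_bytes(8)
        return server_challenge, credential(secret, server_challenge, client_challenge)

    def verify(self, name, client_challenge, server_challenge, client_cred):
        """Check the client's proof against the stored account secret."""
        secret = self.accounts.get(name)
        if secret is None:
            return False
        expected = credential(secret, client_challenge, server_challenge)
        return hmac.compare_digest(expected, client_cred)

def establish_secure_channel(dc, name, local_secret):
    """Both sides must prove knowledge of the same computer account secret."""
    client_challenge = secrets.token_bytes(8)
    reply = dc.respond(name, client_challenge)
    if reply is None:
        return False  # machine has no computer account in the domain
    server_challenge, server_cred = reply
    expected = credential(local_secret, server_challenge, client_challenge)
    if not hmac.compare_digest(server_cred, expected):
        return False  # domain controller failed the client's challenge
    client_cred = credential(local_secret, client_challenge, server_challenge)
    return dc.verify(name, client_challenge, server_challenge, client_cred)
```

In this model a reinstalled machine no longer holds the secret that matches its old account, so the challenge fails on both sides until the account is deleted and recreated, even though the computer name is unchanged.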