A computer account can be blocked as a security measure to prevent users from logging on to the computer, instead of deleting the computer account.
You can block and unblock computer accounts with the Active Roles Console.
To block a computer account
- In the Console tree, locate and select the folder that contains the computer account you want to block.
- In the details pane, right-click the computer account and click Disable Account.
NOTE: Consider the following when blocking a computer account:
- When you block a computer account, the computer cannot authenticate to the domain until the account has been unblocked.
- The Disable Account command is displayed if the account is unblocked; otherwise, the Enable Account command is displayed on the menu. By using the Enable Account command you can change the status of the blocked account.
The Enable Account option appears only for blocked computer accounts. Blocked computer accounts are marked with the icon.
To unblock a blocked computer account
- In the Console tree, locate and select the folder that contains the computer account you want to unblock.
- In the details pane, right-click the computer account and click Enable Account.
NOTE: The Enable Account command appears if the account is blocked; otherwise, the Disable Account command appears on the menu.
A computer account is normally reset if the computer has been taken offline and completely reinstalled. Resetting the account allows the (rebuilt) computer to rejoin the domain using the same name. If the computer account is reset when the computer has not been reinstalled, the computer cannot authenticate in the domain.
To reset a computer account, right-click the account, and click Reset Account. This command resets the computer account password.
NOTE: You cannot reset the password of Domain Controllers (DCs) with the Reset Account command.
You can add Active Directory computer accounts to a group with the Active Roles Console.
To add a computer account to a group
- In the Console tree, locate and select the folder that contains the computer account you want to add to a group.
- In the details pane, right-click the object, then click Add to a Group.
- Use the Select Objects dialog to locate and select the group to which you want to add the computer account (you can select more than one group).
NOTE: Consider the following when adding an object to a group:
- In the Select Objects dialog, you can select groups from the list or type group names, separating them with semicolons. Click Check Names to verify the names you type. If Active Roles cannot find a group, it prompts you to correct the name.
- You can add multiple objects to a group at a time: Select the objects, right-click the selection, and click Add to a Group. To select multiple objects, press and hold down Ctrl, then click each object.
  When you select multiple objects, the Member Of tab lists the groups to which all the selected objects belong. If one of the objects does not belong to a given group, that group does not appear in the list.
- You can also add or remove objects from groups by using the Properties dialog: Select one or more objects, right-click the selection, click Properties, and go to the Member Of tab in the Properties dialog.
- On the Member Of tab, you can manage groups directly from the list of groups. To manage a group, right-click it, and use commands on the shortcut menu.
- The Member Of tab lists the groups to which the object belongs. If the Show nested groups check box is selected, the list also includes the groups to which the object belongs owing to group nesting.
- You can also add the object to groups by clicking Add on the Member Of tab. This displays the Select Objects dialog, allowing you to select the groups to which you want to add the object.
- The Temporal Membership Settings button can be used to specify the date and time when the object should be added or removed from the selected groups. For more information about this feature, see Using temporal group memberships.
- By adding an object to a group, you can assign permissions to all of the objects in that group and filter Group Policy settings on all objects in that group.
- To locate objects you want to add to a certain group, use the Find function of Active Roles. Once you have found the objects, select the accounts in the list of search results, right-click the selection, and click Add to a Group.
You can remove computer accounts from Active Directory groups with the Active Roles Console.
To remove a computer account from a group
- In the Console tree, locate and select the folder that contains the computer account you want to remove from a group.
- In the details pane, right-click the computer account, then click Properties.
- On the Member Of tab in the Properties dialog, clear the Show nested groups check box, select the group from which you want to remove the computer account, and click Remove.
NOTE: Consider the following when removing an object from a group:
- If you have not cleared the Show nested groups check box, the list on the Member Of tab also includes the groups to which the object belongs indirectly, that is, because of group nesting. If you select such a group from the list, the Remove button is unavailable. An object can be removed only from those groups of which the object is a direct member.
- You cannot remove objects from their primary groups. Instead, you can change the primary group of an object. To do so, on the Member Of tab, select a different group from the list, then click Set Primary Group.
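The distinction between direct, nested and primary group membership described in the notes above can be checked from PowerShell before you remove a computer account from a group. This is an added example, not part of the Active Roles documentation: it is read-only, it uses Microsoft's ActiveDirectory module (RSAT) rather than Active Roles itself, and the function names and the computer name `WKS-EXAMPLE01` are hypothetical.

```powershell
# Added example (not Active Roles code): read-only audit of a computer account's groups.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape characters that are special inside an LDAP filter (RFC 4515).
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ComputerGroupBreakdown {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName -Properties MemberOf, PrimaryGroup
    $direct   = @($computer.MemberOf)      # memberOf lists direct memberships only
    $primary  = $computer.PrimaryGroup     # stored separately, never in memberOf

    # Groups that contain the account, or its primary group, at any nesting depth
    # (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
    $reachable = foreach ($dn in @($computer.DistinguishedName, $primary)) {
        $value = ConvertTo-LdapFilterValue $dn
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$value)" |
            Select-Object -ExpandProperty DistinguishedName
    }
    $nested = @($reachable | Sort-Object -Unique |
                Where-Object { $_ -notin $direct -and $_ -ne $primary })

    # CanRemove mirrors the notes above: only direct, non-primary memberships can be removed.
    [pscustomobject]@{ Group = $primary; Membership = 'Primary'; CanRemove = $false }
    foreach ($g in $direct) { [pscustomobject]@{ Group = $g; Membership = 'Direct'; CanRemove = $true } }
    foreach ($g in $nested) { [pscustomobject]@{ Group = $g; Membership = 'Nested'; CanRemove = $false } }
}

# 'WKS-EXAMPLE01' is a constructed computer name.
Get-ComputerGroupBreakdown -ComputerName 'WKS-EXAMPLE01' | Format-Table -AutoSize
```

Rows marked `Nested` are the memberships that still grant permissions after a direct group is removed, so review them when the goal is to revoke access rather than tidy the list.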