Computer accounts are created when a computer or server joins the domain. They are placed in the Computers folder by default.

To gain the full benefit of computer accounts, move them to an OU you have created, because the Computers folder cannot have a group policy linked to it.
You can use the Redircmp command-line program to specify a different default location.

eg. redircmp "ou=NewCompOU,DC=frankfu,DC=com"

Manually creating the computer account in the target OU before the computer joins has these advantages:

  • The computer or server is subject to group policies immediately on joining the domain.
  • The administrator does not have to move the computer account.
  • The administrator does not need to give the user the "Add workstations to domain" right.
    By default, the "Authenticated Users" group is granted the "Add workstations to domain" right, and a user in it can add up to 10 computer accounts to the domain. The administrator can remove this right through group policies.
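
To see how that default is being used in a domain, the following added example (not part of the original page) reads the quota behind the 10-account limit, lists computer accounts that were joined by ordinary users, and shows what is still sitting in the default Computers container. It assumes the ActiveDirectory PowerShell module; the attribute names ms-DS-MachineAccountQuota and ms-DS-CreatorSID are not mentioned on the page.

```powershell
# Added example: audit use of the "Add workstations to domain" default.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# The per-user join limit is stored on the domain object (default value: 10).
$domainObject = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota = $domainObject.'ms-DS-MachineAccountQuota'
"Machine account quota for $($domain.DNSRoot): $quota"

# Accounts created under that quota record the creator's SID in ms-DS-CreatorSID.
$joinedByUsers = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated

$report = foreach ($computer in $joinedByUsers) {
    $sid = $computer.'ms-DS-CreatorSID'
    try {
        $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $creator = $sid.Value   # creator account deleted or SID not resolvable
    }
    [pscustomobject]@{
        Computer = $computer.Name
        Creator  = $creator
        Created  = $computer.whenCreated
        Location = $computer.DistinguishedName
    }
}
$report | Sort-Object Creator, Created | Format-Table -AutoSize

# Creators that are close to, or at, the quota deserve a closer look.
$report | Group-Object Creator | Sort-Object Count -Descending | Select-Object Name, Count

# Accounts still in the default Computers container get no OU-linked group policy.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel |
    Select-Object Name, DistinguishedName
```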


The administrator cannot manage the computer account's password, which each computer changes automatically every 30 days.

Problem:

If the password becomes unsynchronized between the computer and AD, the computer can no longer access the domain. The password can become unsynchronized if a computer has been turned off or otherwise can't communicate with the DC for an extended period.

Error message: "The trust relationship between this workstation and the primary domain failed" when you log on to the computer with a domain user account.


From server side:

Step 1. Reset the password by right-clicking the computer object in "Active Directory Users and Computers" and clicking "Reset Account".

Step 2. Have the computer leave and rejoin the domain.

From client side:

Log in to the member server with a local admin account and use CMD:
Netdom join %computername% /domain:Mydomain /userd:Mydomain\Mylogin /passwordd:*

Command line
  • DSADD: adds objects to AD. Used mainly for adding account objects, but can also be used to create OUs and contacts.
  • DSGET: displays an object's properties.
    eg. Show which groups the user belongs to:
    C:\Users\Administrator>dsget user "CN=Frank Fu,OU=IT,dc=frankfu,dc=com" -memberof
    "CN=ITtechnicial,OU=IT,DC=frankfu,DC=com"
    "CN=FileServer,CN=Users,DC=frankfu,DC=com"
    "CN=Enterprise Admins,CN=Users,DC=frankfu,DC=com"
    "CN=Backup Operators,CN=Builtin,DC=frankfu,DC=com"
    "CN=Administrators,CN=Builtin,DC=frankfu,DC=com"
    "CN=Domain Users,CN=Users,DC=frankfu,DC=com"
  • DSMOD: modifies existing AD objects.
  • DSMOVE: moves objects in a domain to another folder or OU, or renames the objects (like mv on Linux).
  • DSQUERY: finds and displays objects in AD that meet specified criteria.
  • DSRM: removes (deletes) objects.


DSADD objectType objectDN [-optionname optionValues]

  • ObjectType: typically user or group.
  • ObjectDN: the object's distinguished name (DN), which includes the full path in AD. The path is specified by starting with the object name, followed by each parent container object up to the top-level domain name.
    Each component of the path is separated by a comma. The components of the DN are:
  • CN (common name): the name of the object.
  • CN: the CN component can be repeated if the object is in a folder.
  • OU: this component represents the OU where the object is located. It is repeated for as many levels as necessary, starting with the lowest OU level.
  • DC (domain component): each part of the domain name is specified separately until the top-level domain name is reached.

Eg. a user account named Bsmith (Bill Smith) in the sales OU, which is in the parent OU "marketing", in the domain:

DSADD user CN=Bsmith,OU=sales,OU=marketing,DC=asia,DC=w2k8ad99,DC=com -fn Bill -ln Smith

-fn Bill -ln Smith are the option names and their values.

Eg. a computer account named New computer in the Computers folder in the same domain as above:

DSADD computer "CN=New computer, CN=computers, DC=w2k8ad99, DC=com"

Note that the quotation marks around the distinguished name path are required if the path contains any spaces, including a space after a comma. The first example has no spaces, but the second one does.


Construct the command once in a batch file with a placeholder for the unique information that varies each time the command is used.

Eg, create a bat file named uadd.bat:

DSADD user "CN=%1,OU=sales,OU=Marketing,DC=w2k8ad99,DC=com" -fn %2 -ln %3 -pwd Password01 -memberof Sales-G -mustchpwd yes

This command creates a user in the specified container and domain, assigns the password Password01, places the user in the Sales-G group, and requires the user to change the password at next logon. %1, %2 and %3 are variables that are replaced with the username, first name and last name.

Then run the uadd.bat file to create a user named Susan Martin with username SMartin:

uadd SMartin Susan Martin

SMartin is substituted for the first variable, Susan for the second, and Martin for the third.

Verify the trust in domain:

A domain-joined computer can lose its trust with the domain. To verify the trust:

netdom verify computername /Domain:domain_name /uo:user_name /po:password

The PowerShell cmdlet Test-ComputerSecureChannel can do the same job.
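
The check described above, as an added example that is not part of the original page. It goes one step beyond verifying: if the secure channel is broken, it uses the cmdlet's -Repair switch to reset the computer account password, so the computer does not have to leave and rejoin the domain. The function name Repair-DomainTrust is hypothetical; the script assumes Windows PowerShell 5.1 running elevated on the affected computer under a local admin account.

```powershell
# Added example: verify the computer's secure channel and repair it if needed.
# Run locally on the affected computer in an elevated Windows PowerShell session.
function Repair-DomainTrust {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Server   # optional: a specific domain controller to test against
    )

    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Returns $true when the machine password matches the one stored in AD.
    if (Test-ComputerSecureChannel @common) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Status   = 'Healthy'
        }
    }

    # Prompt instead of putting the password on the command line.
    $cred = Get-Credential -Message 'Domain account permitted to reset this computer account'

    # -Repair resets the computer account password on the DC and returns $true on success.
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred @common

    # Test again so the reported status reflects the channel as it is now.
    $healthy = Test-ComputerSecureChannel @common

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Status   = if ($repaired -and $healthy) { 'Repaired' } else { 'StillBroken' }
    }
}

Repair-DomainTrust
```

If the status is StillBroken, fall back to the reset-and-rejoin steps above.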

Bulk import and export with CSVDE and LDIFDE


CSVDE: can only create objects in Active Directory.

Drawback: it cannot set passwords, so all accounts are disabled until you create a password for each.

LDIFDE: can create or modify objects.



This PowerShell command queries Active Directory and returns the computer accounts which have not logged on for the past 60 days. You can easily change the number of days from 60 to any number of your choosing. lastLogonDate is a human-readable conversion of the lastLogonTimeStamp (as far as I am able to discern).

$then = (Get-Date).AddDays(-60) # The 60 is the number of days from today since the last logon.

Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | FT Name,lastLogonDate

# If you would like to Disable these computer accounts, uncomment the following line:
# Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false

# If you would like to Remove these computer accounts, uncomment the following line:
# Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer

Batch move computers to an OU according to the computer name:

If the computer name starts with vg14-LIB, then move to

Get-ADComputer -filter 'Name -like "vg14-LIB*"' | Move-ADObject -TargetPath 'OU=VG14, OU=you_domain, DC=au'