About domain-joined computer name modification

Recently renamed the domain-joined client, due to the large number of computers and the more dispersed, the network through the IPSec link is not stable, renaming the domain and then adding domain, too cumbersome time-consuming.

For domain-joined computers, by default, only users at the domain administrator level of the computer can change, and the name cannot be changed by the normal user, which is obviously caused by permissions. Of course, ordinary users must not be able to join the Domain Admins group, in general, ordinary users have been assigned to the client computer administrator rights.

Computer accounts are automatically generated by default in the ad's computers directory while the computer is joined to a domain. By default, the Domain Computers directory has permission to read, write, and create sub-objects by the Domain Admins group, with the authenticated account reading permission. The computer name is a property of the computer account. As a result, because the normal user does not have the computer account attribute value Write permission, and causes the client cannot rename.

In the client section, the computer's name information resides in the local machine partition of the registry of the client operating system. For the structure partition of the registry, a normal user can only read local machine partitions and modify the Local users partition. Therefore, in the name modification process of the client computer, the user is required to have administrator privileges on the client computer.

WORKAROUND: 1. Ensure that the user has client administrator privileges. 2. Add the ad user or user group to the Write permission to the Computers directory (and apply it to this OU and all child objects).

This article from the "Secret Flying Tiger Space" blog, declined to reprint!

About domain-joined computer name modification