Benefits of Joining the Netid Domain
1) You can designate anyone you want to be able to log in to the PC, so you don’t need to have a shared account with a sticky note with the password on the monitor.
2) It’s easier and more secure to connect to network shares, since users won’t be tempted to save their NetID password on the PC so that they don’t have to enter it to connect to the network shares.
3) You can connect to the EDW using windows authentication.
4) There are probably other benefits that UW-IT would evangelize, but that’s what I want out of it.
What You’ll Need
You need to have your own “delegated OU” which is a place where UW-IT allows you to create computers.
The computer names will all start with the delegated OU as the prefix, then whatever you want, up to 15 characters. For example, our delegated OU is FMDATA, and the first computer I joined to the netid domain was FMDATA-CNU1430N.
What happens if (when) you fail.
If you try to join your pc to the netid domain and do pretty much anything wrong, the next time you boot the PC it will say:
Access Restricted: because it is in violation of UWWI delegated OU Policy.
It also, very unhelpfully I might add, locks all the local user accounts so that it’s now impossible to log into the computer. The only account which can possibly log in is the local Administrator account. This account is a security liability and is probably disabled by default. You can re-enable it and reset its password by:
1) Download Ultimate Boot CD http://www.ultimatebootcd.com/
2) Burn this iso to cd on another computer and boot the failed domain join computer with the CD in the drive.
3) Select HDD -> Data Recovery -> Offline NT Password & Registry Editor
4) On my test computer, I entered 1 (for sda2)
5) Enter 1 (password reset)
6) Enter 1 (Edit user data and passwords)
7) Type the RID for Administrator
8) Enter 1 (Clear user password)
9) Enter 2 (Unlock and enable user account)
10) Enter q (Quit Editing User)
11) Enter y (Save Data)
12) Remove CD and press ctrl+alt+del to reboot.
When the computer reboots, click “log in as another user”, enter “.\Administrator” as the user and hit Enter (leave the password blank).
The “.\” before the username indicates that this is a local account; the “Sign in to:” indicator will change to the computer name if a domain is (mis)configured.
IMPORTANT! After you join this computer to the domain, undo this security liability!
Log in as an administrator and domain user, then right-click start, click Computer Management -> Users and Groups -> Users -> Administrator
Check Account is Disabled. Click OK.
1) Ask UW-IT for a Delegated OU
Go to this link for the Delegated OU Request Form
When the page asks for username/password, use ‘netid\yournetid’ (ie: netid\curreri) and your netid password.
I made the desired ou name and the computer namespaces the same. I don’t know why you’d want these to be different.
Initial OU Administrators: You need two admins with entrust tokens with SADM accounts. In this line you should put: sadm_yournetid sadm_secondnetid (ie: sadm_curreri sadm_dynamo). If you don’t have SADM accounts, visit this link: http://www.washington.edu/itconnect/security/uw-netids/about-uw-netids/admin-uw-netids/
UW-IT will create your OU and these UW Groups, and add your two sadm_ users to them:
The only one I used was:
Pre-install Computer Name into OU
You add the computer name to the OU first, using something UW-IT calls ADUC, and the internet calls Active Directory Users and Computers.
You need a computer which is on NetID already to do this. A Nebula computer will work (that’s what I used). If you don’t have access to a computer on either of these domains, ask UW-IT to add the first computer for you, then follow the instructions on that PC to add subsequent PCs.
From your Netid or Nebula computer, you need to run ADUC as sadm_yournetid.
I’m on Windows 8.
I clicked Start, then started typing “Active Directory Users and Computers”. When you see it appear, right-click it and pin it to the Start screen.
In Windows 7 you can hold shift and right click, then you get Run as a different user.
That wasn’t happening for me on Windows 8, so I googled and did some things, I think this is what enabled the option to show up:
Anyway, so 1) shift+right-click, Run as a different user.
2) netid\sadm_yournetid as the username, and your sadm_netid password.
When it asks for elevated privileges to run, click use another account, then:
netid\sadm_yournetid as the username, and your sadm_netid password again.
3) Right-click on nebula2.washington.edu and change domain to netid.washington.edu
Quick Note: If you’ve messed up adding a computer before, you should check if netid.washington.edu -> Unclaimed Computers has anything you made in there; if so, delete it.
4) Browse to netid.washington.edu -> Delegated -> ouNameYouChose (ie: fmdata)
5) Right-click, then New -> Computer
6) At this point, you’ll hit the image in the Manual Creation screen on this link that UW-IT loves to send out:
Follow that image. In case it changes in the future, you want:
Computer name: ounameyouchose-something. (ie: FMDATA-CNU1430N) Make sure you don’t go over 15 characters.
Computer name (pre-Windows 2000): Same as Computer name:
Click Change on User or Group and make it:
u_windowsinfrastructure_ounameyouchose_computerjoiners (ie: u_windowsinfrastructure_fmdata_computerjoiners)
This just means that all of the sadm_ accounts which have access to your ou can add this computer you are pre-creating to the domain. If you know you are going to join the computer, you could put sadm_yournetid here, but you get the style points for using the group.
OK Now we are done with UW-IT instructions again, close that addComputer.aspx page right down.
Join the Computer to the domain
Finally! We can go to our PC which we want to join to the domain. This is for a Windows 10 PC. Windows 7 works the same way too, you’ll just need to find “System” and “Computer Management” in the Control Panel yourself.
1) Log in as a local administrator
2) Right-click Start, click System
3) In the Computer Name, domain, workgroup settings section, click Change settings
4) Click the Change… button next to: To rename this computer or change its domain…
5) Click More…
6) Primary DNS Suffix of this computer: clients.uw.edu
7) Click OK
8) Computer name: ouNameYouChose-something (ie: FMDATA-CNU1430N)
9) Click OK and Reboot (don’t set the domain yet!)
10) After rebooting, Log in as a local administrator
11) Right-click Start, click System
12) In the Computer Name, domain, workgroup settings section, click Change settings
13) Click the Change… button next to: To rename this computer or change its domain…
14) Select Member of: [x] Domain: and type in netid.washington.edu
15) Click OK
16) You should get a box asking for you to log in as a domain admin. Use: netid\sadm_yourname
17) Don’t reboot yet!
18) Right-click Start -> Computer Management
19) Click Local Users and Groups -> Groups -> Administrators -> Add…
20) Enter something here. You can individually add UW NetIDs. The best thing to do though is create a UW Group (https://groups.uw.edu) and add people in there. That way when someone leaves their position, you just need to update the UW Group and you don’t need to visit every workstation to update which NetIDs are allowed to be admin. Our group (what I used here) is: uw_f2_DATAGroup_WorkGroup
21) Click Check Names (this should not give an error; you may need to log in with sadm_yournetid, but then it should underline the group name on success).
22) Click OK, OK, Restart the computer
23) Click ‘Switch Users’ or ‘Other user’ or something like that, then enter your netid username and password.
Quick note, your netid user is a new user. Local Users that were on the computer are still there. I went into computer management and manually deleted the local users, and deleted the corresponding folders from c:\Users (the data is there if you need to migrate it).
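The rename, DNS-suffix, join and local-Administrators steps above, plus the “undo this security liability” step, as a PowerShell script run from an elevated prompt on the Windows 10 PC. This is an added example, not part of the original post or anything UW-IT provides; the computer name, the sadm_ account and the UW Group are placeholders taken from the post’s own examples, and the registry value that pins the suffix is my assumption of what the GUI checkbox does.

```powershell
# Added example, not from the original post. Run each phase in turn:
#   .\join.ps1 -Phase Rename   (then it reboots)
#   .\join.ps1 -Phase Join     (then it reboots; log in with your NetID)
#   .\join.ps1 -Phase Verify   (as a NetID user who is a local admin)
param(
    [Parameter(Mandatory)][ValidateSet('Rename', 'Join', 'Verify')][string]$Phase,
    [string]$NewName    = 'FMDATA-CNU1430N',              # placeholder: ouname-something
    [string]$DnsSuffix  = 'clients.uw.edu',
    [string]$Domain     = 'netid.washington.edu',
    [string]$JoinUser   = 'netid\sadm_yournetid',         # placeholder sadm_ account
    [string]$AdminGroup = 'netid\uw_f2_DATAGroup_WorkGroup'  # the post's example UW Group
)
$ErrorActionPreference = 'Stop'

switch ($Phase) {
    'Rename' {
        # Steps 6-9. The GUI enforces 15 characters; fail here rather than at the join.
        if ($NewName.Length -gt 15) { throw "Computer name '$NewName' exceeds 15 characters" }
        # "Primary DNS suffix of this computer" is stored under Tcpip\Parameters.
        # ASSUMED: SyncDomainWithMembership=0 is the "Change primary DNS suffix when
        # domain membership changes" box unchecked, so the join keeps clients.uw.edu.
        $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
        Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $DnsSuffix
        Set-ItemProperty -Path $tcpip -Name 'SyncDomainWithMembership' -Value 0 -Type DWord
        Rename-Computer -NewName $NewName -Force
        Restart-Computer
    }
    'Join' {
        # Steps 14-17: join with the sadm_ account. No -Restart yet, so the admin
        # group can be added before the first domain logon (steps 18-22).
        $cred = Get-Credential -UserName $JoinUser -Message 'sadm_ password'
        Add-Computer -DomainName $Domain -Credential $cred
        # Put the UW Group, not individual NetIDs, into local Administrators. If the
        # group name does not resolve before the reboot, rerun this line afterwards.
        Add-LocalGroupMember -Group 'Administrators' -Member $AdminGroup
        Restart-Computer
    }
    'Verify' {
        # After logging in as a NetID user: secure channel up, group present, and the
        # built-in Administrator re-disabled now that it is no longer your way back in.
        Test-ComputerSecureChannel -Verbose
        Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $AdminGroup
        Disable-LocalUser -Name 'Administrator'
        (Get-LocalUser -Name 'Administrator').Enabled   # expect False
    }
}
```

Run the Verify phase only after a successful NetID logon; disabling Administrator earlier would recreate the lockout the Offline NT Password steps above were needed to escape.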