
Adding a Computer to the Domain - I

Preparation

Make sure you have a local account with administrative rights on the computer. If anything goes wrong, this account will be needed -- double-check that the password is known by logging in with it. This account cannot be the same one that you are copying the profile from. If you don’t have a separate admin account, create one.

Make sure the machine is fully patched, with BigFix installed.

You will need to have an SOM domain OU account to add the computer to the domain.

Make sure the computer is locked down using irt-security's checklist.

Make sure your TCP/IP settings are configured correctly.

Make sure the latest version of PC-leland is installed.

Make sure your computer is registered in NetDB. Your NetDB entry needs to match the Windows computer name you are using, or you will have problems that manifest themselves as slow network connectivity.

To identify which user profile is being used, have the user log on to the workstation as they normally do. Press Ctrl, Alt and Delete. The user's "Logon Information" is displayed:

Logon Information

You are logged on as Domain\User.

Configuring the computer for Windows Domain Kerberos sign-on

The registry modification we're going to use is distributed as a file by ITSS.

  1. Download the Stanford Kerberos interoperability registry file. You may have to right-click on the link and save the target to properly download the file.
  2. Log in as administrator or as an account with permission to write to the Local Machine section of the registry.
  3. Double-click the file and click OK when asked if you wish to add the information to the registry.

Setting Authentication Level

The following steps will turn off cleartext authentication on your computer, and are required to join the domain.

  1. Log in with an account which has administrator privileges.
  2. Open the registry editor (regedit.exe).
  3. Browse to HKLM\System\CurrentControlSet\Control\Lsa\
  4. Change the value of lmcompatibilitylevel to 3. It might currently be 0, 1, or 2. If XP SP2 is installed, this might already be set to 3.
  5. Reboot the computer.
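
The same check and change can be scripted. The following is an added example, not part of the original instructions or an ITSS-distributed file; it assumes PowerShell is available on the computer and that the session runs under an account with administrator privileges. It only raises the value, so a machine already set to 3 or higher is left untouched.

```powershell
# Added example: audit LmCompatibilityLevel and raise it to 3 if it is lower.
# Assumption: PowerShell is installed and this runs as a local administrator.
$lsaKey   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$name     = 'LmCompatibilityLevel'
$required = 3   # the level the steps above call for

# Writing to HKLM needs administrator rights; stop early if we do not have them.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run this from an account with administrator privileges.'
    exit 1
}

# The value may be absent on an unconfigured machine; treat that as "not set".
$current = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    Write-Output "$name is not set; creating it with value $required."
    New-ItemProperty -Path $lsaKey -Name $name -PropertyType DWord -Value $required | Out-Null
    $changed = $true
}
elseif ($current -lt $required) {
    Write-Output "$name is $current; raising it to $required."
    Set-ItemProperty -Path $lsaKey -Name $name -Value $required
    $changed = $true
}
else {
    # Already 3 or higher (4 and 5 are stricter settings): never lower it.
    Write-Output "$name is already $current; no change made."
    $changed = $false
}

# Read the value back so the result is confirmed rather than assumed.
$after = (Get-ItemProperty -Path $lsaKey -Name $name).$name
Write-Output "$name is now $after."
if ($changed) { Write-Output 'Reboot the computer, as in step 5, before joining the domain.' }
```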