Allowing password resets for computer accounts

If you use Access Manager and the Prepare UNIX Computer wizard to create a computer account before joining the domain, you can select the Allow the computer to join itself to the zone option to set the permissions required for a computer to manage its own account. If you use Active Directory Users and Computers to create a computer account, however, you need to manually modify the permissions for the account.

By default, most computer accounts do not have permission to reset their own account password. This prevents the delegation of administrative rights for the computer to the local computer account. If you want to give a computer account administrative rights in a zone, you need to modify the computer account to allow password resets. In addition, allowing a computer account to update its own properties enables Access Manager to display the agent version and maintain operating system information for the computer account.

Checking for the appropriate permissions

To check whether a computer account allows password resets, you can view the permission settings for the account.

Assigning administrative rights to computer accounts

After you have checked the Active Directory permissions for a managed computer account and modified them, if necessary, you can assign zone administrative rights to the account through Access Manager.