Allowing password resets for computer accounts

If you use Access Manager and the Prepare UNIX Computer wizard to create a computer account before joining the domain, you can select the Allow the computer to join itself to the zone option to set the permissions required for a computer to manage its own account. If you use Active Directory Users and Computers to create a computer account, however, you need to manually modify the permissions for the account.

By default, most computer accounts do not have permission to reset their own account password. This prevents the delegation of administrative rights for the computer to the local computer account. If you want to give a computer account administrative rights in a zone, you need to modify the computer account to allow password resets. In addition, allowing a computer account to update its own properties enables Access Manager to display the agent version and maintain operating system information for the computer account.

Checking for the appropriate permissions

To check whether a computer account allows password resets, you can view the permission settings for the account.

  1. Open Active Directory Users and Computers, expand the domain, and select Computers to find the computer account to which you want to assign administrative rights.
  2. Select the computer account, right click, then select AD Properties.
  3. Click the Security tab, scroll down the list of group or user names and select SELF.
  4. In the list of Permissions for SELF, scroll to the Reset Password permission, click Allow, then click OK.
  5. Select the computer account, right-click and select Reset Account, then click Yes. When the account is reset, click OK.

Assigning administrative rights to computer accounts

After you have checked the Active Directory permissions for a managed computer account and modified them, if necessary, you can assign zone administrative rights to the account through Access Manager.

  1. Open the Access Manager console.
  2. In the console tree, select Zones, and if necessary, Child Zones, then select and expand the zone in which you are interested.
  3. Right-click, then click Delegate Zone Control.
  4. Click Add, select Computer from the Find list, then click Find Now.
  5. In the results, select Domain Computers, click OK, then click Next.

  6. Click Join computers to the zone and optionally, Remove computers from the zone, then click Next.

    Note:   In most cases, these are the only administrative tasks you should assign to the computer account. You can, however, give the account additional rights, if needed. For information about the permissions associated with each delegated task, see thePlanning and Deployment Guide.

  7. Click Finish.