Indiana University
University Information Technology Services
  

At IU, in Windows 2000 or XP Professional, how do I configure my computer to connect to IU's Active Directory Services Domain?

Note: The directions below allow you to connect to the Active Directory Services (ADS) Domain at Indiana University by creating a new user profile on your workstation. When you log into ADS using this new profile, none of the settings from your previous user profile will apply (e.g., Task Manager icons, desktop files, Outlook configuration). To restore these settings, you must copy your old user profile over to the new one. For instructions, see "In Windows, what is a user profile, and how do I copy one user profile to another?"

To connect your Windows 2000 Professional or XP Professional computer to the ADS Domain, follow these instructions:

If you're not sure of the local administrator password, reset it

  1. From the Start menu, select either Control Panel, or Settings and then Control Panel. Open Users and Passwords.

  2. Select a user that has the local computer's name in the "Domain" field, and Administrators in the "Group" field. By default, a built-in Windows 2000 account with the username Administrator meets these criteria. Highlight that account, and click the Reset Password button.

  3. Enter the new password in both the "New Password" and "Confirm" fields. Be sure to remember this password.

Join your computer to the ADS Domain

  1. Right-click the My Computer icon and, from the menu that appears, select Properties.

  2. In the System Properties window, in Windows XP, select the Computer Name tab and click the Change button. In Windows 2000, select the Network Identification tab and click the Properties button.

  3. Under "Member of", one radio button will be selected, showing whether your computer is a member of a domain or a workgroup. If your computer is a member of a domain, follow the instructions in this step. If your computer is a member of a workgroup, skip to step 8.

    1. In the Computer Name Changes window (Windows XP) or Identification Changes window (Windows 2000), under "Member of", select the Workgroup radio button.
    2. In the "Workgroup:" field, type a temporary name and click OK.
    3. A Network Identification dialog box will appear. Click OK.
    4. You will then see another dialog box reminding you to reboot your computer. Click OK. The computer will restart.

  4. Navigate back to the Computer Name Changes (XP) or Identification Changes (2000) dialog box. Then, in the "Computer name:" field, you must type a new computer name that complies with the ADS Domain naming convention. The naming convention requires names with the following components:

    1. A two-character campus code followed by a dash:

      • BL for Bloomington
      • EA for East
      • FW for Fort Wayne
      • IN for Indianapolis
      • KO for Kokomo
      • NW for Northwest
      • SB for South Bend
      • SE for Southeast

    2. A four-character department code followed by a dash
    3. A unique computer name up to seven characters in length

      Note: Do not insert any spaces in the computer name.

    For example, a University Information Technology Services (UITS) departmental computer at the Bloomington campus named "NAME" would be renamed "BL-UITS-NAME".

  5. At this point, you should reboot your computer.

  6. After the computer has restarted, log back in. You most likely will have to log in as Administrator, or as a user with the rights to make the changes necessary. Right-click the My Computer icon and, from the menu that appears, select Properties.

  7. In the System Properties window, in Windows XP, select the Computer Name tab and click the Change button. In Windows 2000, select the Network Identification tab and click the Properties button.

  8. In the Identification Changes window, under "Member of", select the Domain radio button. In the "Domain:" field, type ads.iu.edu .

  9. Click the More... button.

    • In the "Primary DNS suffix of this computer:" field, enter ads.iu.edu .
    • Check the box next to Change primary DNS suffix when domain membership changes.
    • Click OK.

  10. You will then be prompted with the Domain Username And Password window for authentication. In the "Name:" field, type your username preceded by ADS\ . In the "Password:" field, type your password. Click OK.

  11. A Network Identification dialog box will appear. Click OK. You will see another dialog box reminding you to reboot your computer. Click OK.

  12. Click OK to close the Identification Changes window. You may see a warning icon in the bottom portion of the System Properties window reminding you to reboot the computer. Click OK.

  13. You will see a System Settings Change dialog box. Click Yes to automatically reboot your computer.

Note: When you log into your computer after it reboots, in the "Domain:" field of the login prompt, select IU.EDU to log into the Active Directory Kerberos domain.
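
The naming convention in step 4 can be checked mechanically before a machine is renamed and joined. The following is an added example, not part of the original IU document: a Python checker that reports why a name fails. The allowed character sets and the sample inventory are assumptions; only the campus codes, field lengths, no-spaces rule and BL-UITS-NAME come from the page.

```python
import re

# Campus codes exactly as listed in step 4 of this page.
CAMPUS_CODES = {"BL", "EA", "FW", "IN", "KO", "NW", "SB", "SE"}

# Assumption (not stated on the page): department codes are alphanumeric, and the
# unique part uses letters and digits with hyphens allowed only in the middle.
DEPT_RE = re.compile(r"[A-Za-z0-9]{4}")
UNIQUE_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,5}[A-Za-z0-9])?")
# Longest compliant name is 2 + 1 + 4 + 1 + 7 = 15 characters, which is also
# the NetBIOS computer-name limit.


def check_computer_name(name):
    """Return a list of convention violations; an empty list means the name passes."""
    problems = []
    if any(ch.isspace() for ch in name):
        problems.append("contains whitespace")
    parts = name.split("-", 2)  # the unique part may itself contain hyphens
    if len(parts) != 3:
        problems.append("expected CAMPUS-DEPT-NAME with two dashes")
        return problems
    campus, dept, unique = parts
    # Windows computer names are case-insensitive, so compare in upper case.
    if campus.upper() not in CAMPUS_CODES:
        problems.append(f"unknown campus code {campus!r}")
    if not DEPT_RE.fullmatch(dept):
        problems.append(f"department code {dept!r} is not four alphanumeric characters")
    if not 1 <= len(unique) <= 7:
        problems.append(f"unique part {unique!r} must be 1 to 7 characters")
    elif not UNIQUE_RE.fullmatch(unique):
        problems.append(f"unique part {unique!r} must use letters, digits and inner hyphens only")
    return problems


def audit(names):
    """Map each non-compliant name to its violations (compliant names are omitted)."""
    checked = ((n, check_computer_name(n)) for n in names)
    return {n: problems for n, problems in checked if problems}


# Constructed sample inventory; only BL-UITS-NAME is the page's own example.
SAMPLE = ["BL-UITS-NAME", "IN-CHEM-LAB 01", "XX-UITS-PC1", "BL-IT-DESK", "SB-MATH-WKSTN0042"]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(problems)}")
```
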

By default, ADS accounts will have user-level rights. For information on how to give other levels of rights, see "At IU, in Windows 2000, XP, or Vista, how do I give myself or other users login privileges on my computer?"

Further information

In most cases, computers directly on the IU network (i.e., physically present and on the IU network, not wireless or off campus) should be joined to the Active Directory if able. Some departments require it. Others do not, but even in those cases, UITS recommends it.

In general, the following guidelines apply:

  • If you or other users want or need to take advantage of one-time-per-session domain authentication (for example, if Outlook is used regularly to access Exchange accounts, or if users regularly map drives or print to networked printers), the computer should be joined. If it is not, you and the other users will end up entering your passwords separately for each service or resource you access.

  • If the local support provider (LSP) or local departmental administrator controls computer and network security through Group Policy Objects, the computer must be joined.

  • If many different IU users use the computer, it should be joined. Otherwise, you will have to create a local account for each individual user, or one "general" local account accessible by everyone. That last option is not very secure, because on that computer everyone would have access to everybody else's files, and everyone would know the one login name and password.

But there are cases where you may not want to join the computer.

If the computer is a portable one, or otherwise accesses the network wirelessly, you may want to avoid joining. You will not get the benefits mentioned above (once-per-session domain authentication, security through Group Policies, network management of user accounts), but you will simplify the act of logging in.

An Active Directory-joined computer will normally need to communicate with the network to log you in (two exceptions are mentioned below). At IU, that means a wireless computer needs a VPN connection first. Windows is able to log into a domain through a VPN connection, and in fact has no problem doing it, but relying on such a connection when logging in adds complexity as well as a potential point for problems to arise. Although Windows can easily work in this situation, and there are safeguards against problems (cached credentials will let you log in without a connection; so will logging into a local rather than an ADS account), you can avoid possible problems by not joining the Active Directory in the first place. You will have to weigh the potential for problems against the loss of benefits when deciding whether to add a computer to the Active Directory.


This is document ajmx in domain all.
Last modified on September 06, 2007.