This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 19%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Hi Team,
I remember when i was working in a company that before we can join a computer to the domain, the computer object must be create ahead in active directory.
How can Force to create a computer object before join the computer to a domain.
What setting is required to enable in GPO to enforce this.
Thanks..
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 82%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFM%3C/text%3E%3C/svg%3E)
Hi jhon, did you find a solution to your question? I need it too. Thanks.
thanks for the suggestion, but this is no a solution for me, as mentioned:
I remember when i was working in a company (mid 2013) that before we can join a computer to the domain, the computer object must be create ahead in active directory.
I think that must be an option in GPO - Domain Controller Policy that we can use to enforce this
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I don't believe there is any such standard GPO policy.
--please don't forget to upvote and Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 59%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECT%3C/text%3E%3C/svg%3E)
AFAIK, there is no option in Group Policy to create or enforce the creation of a computer account in case it does not exist.
The policy you may think about is the following:
Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Add workstations to domain
This policy will define who is able to add computers to the domain. The process of creating the computer account is not a GPO setting.
What you can do is using a PS script like DSPatrick mentioned to create computers objects in the correct OU before the computer will join the domain. This is probably the best option in case you don't want to delegate permission on a specific OU.
hth
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 62%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
To keep even admins from joining machines to the domain without creating the account first in the correct OU either by ADUC or a script is to lock down the computers container in ADUC under security then deny users and admin the right to create accounts in that container that way they cannot join it without creating it first. Hope that helps someone else trying to do the same thing.
