WORKING WITH COMPUTER ACCOUNTS

11

WORKING WITH COMPUTER ACCOUNTS

Chapter 8

Chapter 8: WORKING WITH COMPUTER ACCOUNTS 2

CHAPTER OVERVIEW

• Describe the process of adding a computer to an Active Directory domain

• Create and manage computer objects• Troubleshoot computer accounts


UNDERSTANDING COMPUTER OBJECTS

• Logical representation in Active Directory of the physical computer object

• A mean to track computers belonging to the domain

• User cannot log on to the domain from a computer without a computer account in Active Directory

• Can be granted permissions to other objects• Inherit group policy settings from domains,

sites, and OUs• Can be made a member of a security and

distribution group and inherit group permissions


CREATING COMPUTER OBJECTS

• Computer object must exist in Active Directory before computer can be joined to the domain.

• Computer object can be created using Active Directory Users and Computers or a command-line tool such as Dsadd.

• Computer account can also be created during the domain joining process.

• Computer account SID is stored in Active Directory computer account object

• Prevent a rogue computer from accessing the network


COMPUTER ACCOUNT AUTHENTICATION

• Computer authenticate before user account is authenticated

• Client computer and Domain Controller mutual authentication

• Authenticate using computer account and password• Account name

• Up to 63 characters• Pre-Windows 2000 the first 15 characters

• Password is generated automatically and kept hidden

• Account name up to 63 characters• Pre-Windows 2000 the first 15 characters


CREATING COMPUTER OBJECTS USING ACTIVE DIRECTORY USERS AND COMPUTERS

Permission Requirements:

AdministratorsAccount OperatorsDelegated control


CREATING COMPUTER OBJECTS USING DSADD.EXE

• Allows computer account creation to be scripted

• Provides a mechanism to create large amounts of computer accounts at one time

Example:

DSAdd computer “CN=MyComputer,CN=Computers,DC=MyCompany,DC=Com”


CREATING COMPUTER OBJECTS USING NETDOM.EXE

• Command-line utility• Simpler to use than Dsadd• Must be extracted from the support.cab

archive in the \Support\Tools folder on the Windows Server 2003 installation CD or install by running suptools.msi

Example:

Netdom add MyComputer /Domain:Contoso.com /UserD:Admin

/PasswordD:Secret /OU:Organization


JOINING COMPUTERS TO A DOMAIN


JOINING A DOMAIN USING NETDOM.EXE

• Allows computers to be joined to the domain from a command line

• Allows scripts to be developed to streamline the process of joining a computer to a domain

• Netdom join …..


CREATING COMPUTER OBJECTS WHILE JOINING THE DOMAIN


JOINING A DOMAIN DURING OPERATING SYSTEM INSTALLATION


LOCATING COMPUTER OBJECTS

• The Computers container• The Domain Controllers OU


LOCATING DC COMPUTER OBJECTS

• Computer accounts for domain controllers are placed in the system-created domain controllers OU by default.

• The Default Domain Controllers Policy GPO is applied to the container.


LOCATING OTHER COMPUTER OBJECTS

• Non–domain-controller computer accounts are placed in the Computers system-created container by default.

• Computer container does not support group policy


REDIRECTING COMPUTER OBJECTS

• Allows an alternative default location for computer accounts to be specified.

• Use the Redircmp.exe command-line utility.• Works only on Windows Server 2003 domain

functional level.• Automatically redirects all computer accounts• Can be overridden by explicit computer

account creation commands.

Example: Redircmp ou=Workstations,DC=contoso,DC=com


MANAGING COMPUTER OBJECTS

• Computer objects have properties.• Can be viewed and configured through

Active Directory Users and Computers


MODIFYING COMPUTER OBJECT PROPERTIES


DELETING, DISABLING, AND RESETTING COMPUTER OBJECTS

Deleting• Removes the computer account from Active

DirectoryDisabling• Prevents the computer from being used to

log on to the domainResetting• Reestablishes relationship between a

computer and Active Directory


DELETING COMPUTER OBJECTS

• Manually through Active Directory Users and Computers

• Automatically by changing the domain membership on the computer

• Using a command-line tool such as Dsrm


DISABLING COMPUTER OBJECTS


RESETTING A COMPUTER OBJECT

• Necessary when replacing or upgrading a computer system

• Allows an appropriately named new system to use an existing computer account

• Allows computer account password on the computer to be synchronized with computer account password stored on the domain controller


MANAGING REMOTE COMPUTERS

• Allows you to perform management tasks across the network

• Actually a shortcut to the Computer Management MMC snap-in


MANAGING COMPUTER OBJECTS FROM THE COMMAND LINE

Dsmod• Used to modify existing computer account

objectsDsrm• Used to remove computer account objects

from Active Directory


MANAGING COMPUTER OBJECT PROPERTIES WITH DSMOD.EXE

• Can be used to modify properties of existing computer account objects

• Useful for creating scripts and batch files to automate changes

• Cannot be used to create or delete computer account objects

Example: DSMod computer CN=MyComp,CN=Computers,DC=Contoso,DC=com –reset


DELETING COMPUTER OBJECT PROPERTIES WITH DSRM.EXE

• Can be used to delete computer account objects from the command line

• Requires confirmation of deletion unless the -noprompt switch is used

Example:

DSrm CN=MyComp,CN=Computers,DC=Contoso,DC=com


TROUBLESHOOTING COMPUTER ACCOUNTS: PROBLEMS

• Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, or that the trust between the computer and the domain has been lost.

• Error messages or entries in an event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed.

• A computer account is missing in Active Directory.


TROUBLESHOOTING COMPUTER ACCOUNTS: SOLUTIONS

• Reset the computer account in Active Directory.

• If the computer account is missing, create a computer account.

• If the computer still belongs to the domain, you must remove it from the domain by changing its membership to a workgroup.

• Rejoin the computer to the domain.


SUMMARY

• A computer object represents a specific system on the network.

• To add a computer to a domain, you must create a computer object for it in Active Directory and then join the physical computer to the object.

• To create computer objects, you can use the Active Directory Users and Computers console, the Dsadd utility, or the Netdom utility.


SUMMARY (continued)

• Computer objects for non–domain controllers are placed in the Computers container by default.

• Computer object have a SID that Active Directory uses to reference the computer in its group memberships and other permissions.

• The typical steps for troubleshooting a computer object problem include creating or resetting the object, removing the computer from the domain, and rejoining it to the domain.

Documents

WORKING WITH COMPUTER ACCOUNTS