WORKING WITH COMPUTER ACCOUNTS

(1)

WORKING WITH

COMPUTER ACCOUNTS

Chapter 8

Chapter 8: WORKING WITH COMPUTER ACCOUNTS 2

CHAPTER OVERVIEW

• Describe the process of adding a computer to an Active Directory domain

• Create and manage computer objects • Troubleshoot computer accounts

UNDERSTANDING COMPUTER OBJECTS

• Logical representation in Active Directory of the physical computer object

• A mean to track computers belonging to the domain • User cannot log on to the domain from a computer

(2)

CREATING COMPUTER OBJECTS

• Computer object must exist in Active Directory before computer can be joined to the domain. • Computer object can be created using Active

Directory Users and Computers or a command-line tool such as Dsadd.

• Computer account can also be created during the domain joining process.

• Computer account SID is stored in Active Directory computer account object

• Prevent a rogue computer from accessing the network

COMPUTER ACCOUNT AUTHENTICATION • Computer authenticate before user account is

authenticated

• Client computer and Domain Controller mutual authentication

• Authenticate using computer account and password

• Account name

• Up to 63 characters

• Pre-Windows 2000 the first 15 characters

• Password is generated automatically and kept hidden • Account name up to 63 characters

• Pre-Windows 2000 the first 15 characters

CREATING COMPUTER OBJECTS USING ACTIVE DIRECTORY USERS AND COMPUTERS

(3)

CREATING COMPUTER OBJECTS USING DSADD.EXE • Allows computer account creation to be scripted • Provides a mechanism to create large amounts of

computer accounts at one time

Example: DSAdd computer

“CN=MyComputer,CN=Computers,DC=MyCompany,DC=Com”

CREATING COMPUTER OBJECTS USING NETDOM.EXE • Command-line utility

• Simpler to use than Dsadd

• Must be extracted from the support.cab archive in the \Support\Tools folder on the Windows Server 2003 installation CD or install by running suptools.msi

Example:

Netdom add MyComputer /Domain:Contoso.com /UserD:Admin /PasswordD:Secret /OU:Organization

(4)

JOINING A DOMAIN USING NETDOM.EXE

• Allows computers to be joined to the domain from a command line

• Allows scripts to be developed to streamline the process of joining a computer to a domain • Netdom join …..

CREATING COMPUTER OBJECTS WHILE JOINING THE DOMAIN

JOINING A DOMAIN DURING OPERATING SYSTEM INSTALLATION

(5)

LOCATING COMPUTER OBJECTS • The Computers container • The Domain Controllers OU

LOCATING DC COMPUTER OBJECTS

• Computer accounts for domain controllers are placed in the system-created domain controllers OU by default.

• The Default Domain Controllers Policy GPO is applied to the container.

LOCATING OTHER COMPUTER OBJECTS

• Non–domain-controller computer accounts are placed in the Computers system-created container by default.

(6)

REDIRECTING COMPUTER OBJECTS

• Allows an alternative default location for computer accounts to be specified.

• Use the Redircmp.exe command-line utility. • Works only on Windows Server 2003 domain

functional level.

• Automatically redirects all computer accounts • Can be overridden by explicit computer account

creation commands.

Example: Redircmp ou=Workstations,DC=contoso,DC=com

MANAGING COMPUTER OBJECTS • Computer objects have properties.

• Can be viewed and configured through Active Directory Users and Computers

(7)

DELETING, DISABLING, AND RESETTING COMPUTER OBJECTS

Deleting

• Removes the computer account from Active Directory

Disabling

• Prevents the computer from being used to log on to the domain

Resetting

• Reestablishes relationship between a computer and Active Directory

DELETING COMPUTER OBJECTS

• Manually through Active Directory Users and Computers

• Automatically by changing the domain membership on the computer

• Using a command-line tool such as Dsrm

(8)

RESETTING A COMPUTER OBJECT

• Necessary when replacing or upgrading a computer system

• Allows an appropriately named new system to use an existing computer account

• Allows computer account password on the computer to be synchronized with computer account password stored on the domain controller

MANAGING REMOTE COMPUTERS

• Allows you to perform management tasks across the network

• Actually a shortcut to the Computer Management MMC snap-in

MANAGING COMPUTER OBJECTS FROM THE COMMAND LINE

(9)

MANAGING COMPUTER OBJECT PROPERTIES WITH DSMOD.EXE

• Can be used to modify properties of existing computer account objects

• Useful for creating scripts and batch files to automate changes

• Cannot be used to create or delete computer account objects

Example:

DSMod computer CN=MyComp,CN=Computers,DC=Contoso,DC=com –reset

DELETING COMPUTER OBJECT PROPERTIES WITH DSRM.EXE

• Can be used to delete computer account objects from the command line

• Requires confirmation of deletion unless the -noprompt switch is used

Example:

DSrm CN=MyComp,CN=Computers,DC=Contoso,DC=com

TROUBLESHOOTING COMPUTER ACCOUNTS: PROBLEMS

• Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, or that the trust between the computer and the domain has been lost. • Error messages or entries in an event log indicate

(10)

TROUBLESHOOTING COMPUTER ACCOUNTS: SOLUTIONS

• Reset the computer account in Active Directory. • If the computer account is missing, create a

computer account.

• If the computer still belongs to the domain, you must remove it from the domain by changing its membership to a workgroup.

• Rejoin the computer to the domain.

SUMMARY

• A computer object represents a specific system on the network.

• To add a computer to a domain, you must create a computer object for it in Active Directory and then join the physical computer to the object.

• To create computer objects, you can use the Active Directory Users and Computers console, the Dsadd utility, or the Netdom utility.