Configuring Computer Properties
When you create a computer object using Active Directory Users
And Computers, you are prompted to configure only the most fundamental
attributes, including the computer name and the delegation to join the
computer to the domain. Computers have several properties that are not
visible when you are creating the computer object; you should
configure these properties as part of the process of staging the
computer account.
Open a computer object’s Properties dialog box to set its
location and description, configure its group memberships and dial-in
permissions, and link it to the user object of the user to whom the
computer is assigned. The Operating System tab is read-only. The
information is blank until a computer joins the domain using that
account, at which time the client publishes the information to its
account.
Several object classes in Active Directory support the
managedBy attribute that is shown on the Managed
By tab. This linked attribute stores a cross-reference (the distinguished name) to a user
or group object. All other properties on the tab, such as the addresses and telephone number, are
displayed directly from the referenced object. They are not stored as part
of the computer object itself. Some organizations use the Managed By
tab to link the computer to the primary user of the computer.
Alternately, you might choose to link the computer to a group that is
responsible for the support of a computer—an option that might be
attractive for computer accounts that represent servers, for
example.
On the Member Of tab of a computer’s Properties dialog box, you can add the
computer to groups. The ability to manage computers in groups is an important and often
underutilized feature of Active Directory. A group to which computers belong can be used to assign resource access
permissions to the computer, to filter the application of a GPO, or as
a collection for a software management tool, such as Microsoft System
Center Configuration Manager 2007.
As with users and groups, you can select more than one computer
object and subsequently manage or modify properties of all selected
computers simultaneously.
Configuring Computer Attributes with DSMod and Windows PowerShell
The DSMod command can modify only two attributes of a computer
object, the description and the location. It uses the following
syntax:
dsmod computer "DN of Computer" [-desc Description] [-loc Location]
(The -disabled and -reset switches of dsmod computer, covered later in this
lesson, act on the account itself rather than on its attributes.)
In Windows PowerShell, you can use the
Set-ADComputer cmdlet to configure computer
object attributes.
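The following is an added example (it is not part of the original lesson) showing the Windows PowerShell equivalent of the Properties dialog box: it sets the two DSMod attributes, links the Managed By reference, adds the computer to a group, and then applies one description to every computer in an OU, the equivalent of a multi-select edit. It assumes the Active Directory module for Windows PowerShell, a computer object DESKTOP153, a user whose logon name is smitchell, a group named Sales Desktops, and the Clients OU in contoso.com; all of these names are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumed names (not from the lesson): computer DESKTOP153, user smitchell, group "Sales Desktops"
$computerName = 'DESKTOP153'
$managerSam   = 'smitchell'
$groupName    = 'Sales Desktops'
$clientsOU    = 'OU=Clients,DC=contoso,DC=com'

# A computer account's sAMAccountName ends in $; -Identity also accepts a DN, GUID or SID
$computer = Get-ADComputer -Identity ($computerName + '$')

# The two attributes DSMod can set: description and location
Set-ADComputer -Identity $computer -Description 'Sales desktop' -Location 'Building 2, Floor 3'

# managedBy is a linked attribute that holds the DN of another object (a user here; a group also works)
$manager = Get-ADUser -Identity $managerSam
Set-ADComputer -Identity $computer -ManagedBy $manager.DistinguishedName

# Group membership is what lets you grant permissions, filter GPOs and target software by computer
Add-ADGroupMember -Identity $groupName -Members $computer

# Verify: managedBy stores only the DN; address and phone shown on the Managed By tab live on the user object
Get-ADComputer -Identity $computer -Properties Description, Location, ManagedBy, MemberOf |
    Select-Object Name, Description, Location, ManagedBy,
                  @{ Name = 'MemberOf'; Expression = { $_.MemberOf -join '; ' } }

# Multi-select equivalent: every computer object directly in the Clients OU gets the same description
Get-ADComputer -Filter * -SearchBase $clientsOU -SearchScope OneLevel |
    Set-ADComputer -Description 'Sales desktop'
```

Set-ADComputer exposes the common attributes as parameters; anything else (for example a custom attribute) goes through its -Replace, -Add and -Remove hashtable parameters.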
Many organizations have multiple OUs for computer objects. Some
domains, for example, have computer OUs based on geographic sites.
If you have more than one OU for computers, it is likely that someday
you will need to move a computer between OUs.
To move a computer using the Active Directory Users And
Computers snap-in (by dragging it to the target OU, or by right-clicking
it and choosing Move), you must have appropriate permissions to move an object in
Active Directory. Default permissions allow Account Operators to move
computer objects between containers, including the Computers container
and any OUs except into or out of the Domain
Controllers OU. Administrators, which include Domain Admins and
Enterprise Admins, can move computer objects between any containers,
including the Computers container, the Domain Controllers OU, and any
other OUs. There is no way to delegate the specific task of moving an
object in Active Directory. Instead, your ability to move a computer
is derived from your ability to delete an object in the source
container and create an object in the destination container. When you
move the object, you are not actually deleting and re-creating it;
those are just the permissions that are evaluated to allow you to
perform a move.
The DSMove command allows you to move a computer object or
any other object. The syntax of DSMove is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
The -newname parameter lets you rename an
object. The -newparent parameter lets you move an
object. To move a computer named DESKTOP153 from the Computers container to the Clients OU, you would type
the following:
dsmove "CN=DESKTOP153,CN=Computers,DC=contoso,DC=com" -newparent "OU=Clients,DC=contoso,DC=com"
In Windows PowerShell, you can use the
Move-ADObject cmdlet, or Move-Item against the AD: drive that the
Active Directory module provides, to move a computer object (or any other object) to another OU.
Before you move a computer, consider the implications to
delegation and configuration. The target OU might have different
permissions than the originating OU, in which case the object inherits
new permissions affecting who is able to manage the object further. The target OU might also be
within the scope of different GPOs, which would change the
configuration of settings on the system itself.
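Because a move changes both who can manage the object and which GPOs reach it, a practitioner wants to see those two things before moving. The script below is an added example, not code from the lesson: it lists the explicit (non-inherited) permissions on the source container and the target OU, lists the GPOs in scope of the target OU, and then performs the move with Move-ADObject. It assumes the Active Directory and GroupPolicy modules (RSAT), the computer DESKTOP153, and the Clients OU of contoso.com from the dsmove example; the names are assumptions.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumed names (not from the lesson)
$computerName = 'DESKTOP153'
$targetOU     = 'OU=Clients,DC=contoso,DC=com'

$computer = Get-ADComputer -Identity ($computerName + '$')

# Parent container = the DN with its first RDN removed (split on the first comma that is not escaped)
$sourceContainer = ($computer.DistinguishedName -split '(?<!\\),', 2)[1]

# Explicit ACEs on a container show what was delegated there; inherited ones come from above
function Get-ExplicitAces([string]$dn) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

"== Delegation on source container $sourceContainer =="
Get-ExplicitAces $sourceContainer | Format-Table -AutoSize
"== Delegation on target OU $targetOU =="
Get-ExplicitAces $targetOU | Format-Table -AutoSize

# GPOs that will reach the computer after the move. Get-GPInheritance accepts a domain, site or OU
# (not the CN=Computers container), so it is run against the target OU only.
$inheritance = Get-GPInheritance -Target $targetOU
'== GPOs linked directly to the target OU =='
$inheritance.GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize
'== GPOs applied to the target OU, in precedence order (direct and inherited) =='
$inheritance.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced | Format-Table -AutoSize

# The move itself; as the text explains, this is authorized by delete-on-source plus create-on-target
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOU
Get-ADComputer -Identity ($computerName + '$') | Select-Object Name, DistinguishedName
```

Run the listing part on its own first; if the target OU's explicit ACEs or linked GPOs are not what you expect, the move is the wrong fix and the delegation or GPO links need adjusting instead.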
Managing a Computer from the Active Directory Users And Computers Snap-In
One of the beneficial but lesser-used features of the Active
Directory Users And Computers snap-in is the Manage
command. Select a computer in the Active Directory Users And
Computers snap-in, right-click it, and choose Manage.
The Computer Management console opens, focused on the selected
computer, giving you instant access to the computer’s event logs,
local users and groups, shared folder configuration, and other
management extensions. The tool launches with the credentials used to
run the Active Directory Users And Computers snap-in, so you must be running the Active
Directory Users And Computers snap-in as a member of the remote computer’s
Administrators group to gain the maximum functionality from the
Computer Management console.
Understanding the Computer’s Logon and Secure Channel
Every member computer in an Active Directory domain maintains a
computer account with a user name
(sAMAccountName) and password, just like a user
account does. The computer stores its password in the form of a local
security authority (LSA) secret and, by default, changes its password with the
domain every 30 days. The NetLogon service uses these credentials to log on to the
domain, which establishes the secure channel with a domain
controller.
Recognizing Computer Account Problems
Computer accounts and the secure relationships between computers
and their domain are robust. However, certain scenarios might arise in
which a computer is no longer able to authenticate with the domain.
Examples of such scenarios include the following:
-
After reinstalling the operating system on a workstation, the workstation
cannot authenticate even though the technician used the same
computer name. To the domain, the new installation is a different machine:
it has a new local SID and, more importantly, its LSA holds no copy of the
existing computer account's password, so it cannot authenticate to the
domain with that account.
-
A computer is completely restored from backup and cannot
authenticate. It is likely that the computer changed its password
with the domain after the backup operation. Computers change their passwords every 30 days, and
Active Directory remembers only the current and previous passwords. If
the backup predates both of those password changes, the restored computer
presents a password the domain no longer recognizes and will not be able to
authenticate.
-
A computer’s LSA secret gets out of sync with the password
known by the domain. You can think of this as the computer
forgetting its password, although it did not forget its password;
it just disagrees with the domain over what the password is. When
this happens, the computer cannot authenticate and the secure
channel cannot be created.
The most common signs of computer account problems are:
-
Messages at logon indicate that a domain controller cannot
be contacted, that the computer account might be missing, that the
password on the computer account is incorrect, or that the trust
relationship (another way of saying “the secure relationship”)
between the computer and the domain has been lost. An example of
an error indicating a lost trust relationship is shown in Figure 1.
-
Error messages or events in the event log indicate
similar problems or suggest that passwords, trusts, secure
channels, or relationships with the domain or a domain controller
have failed. One such error is NETLOGON Event ID 3210: Failed To Authenticate, which appears in the
computer’s event log.
-
A computer account is missing in Active Directory.
Resetting a Computer Account
When the secure channel fails, you must reset it. Many
administrators do so by removing the computer from the domain, putting
it in a workgroup, and then rejoining the domain. This is not a good
practice because it has the potential to delete the computer account
altogether, which loses the computer’s SID and, more importantly, its
group memberships. When you rejoin the domain, even though the
computer has the same name, the account has a new SID, and all the
group memberships of the previous computer object must be
re-created.
Note: DO NOT REMOVE A COMPUTER FROM THE DOMAIN AND REJOIN IT
If the trust with the domain is lost, do not remove a
computer from the domain and rejoin it. Instead, reset
the secure channel.
To reset the secure channel between a domain member and the
domain, use the Active Directory Users And Computers snap-in,
Dsmod.exe, Netdom.exe, or Nltest.exe. If you reset the account, the computer’s SID
remains the same and it maintains its group memberships.
To reset the secure channel using the Active Directory Users And
Computers snap-in:
-
Right-click a computer, and then click Reset Account.
-
Click Yes to confirm your choice.
-
Re-join the computer to the domain, and then restart the
computer.
To reset the secure channel using DSMod:
-
Type the following command:
dsmod computer "Computer DN" -reset
-
Re-join the computer to the domain, and then restart the
computer.
To reset the secure channel using NetDom, type the following
command:
netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password | *}
where the account with the credentials provided as
UserName and Password is a
member of the local Administrators group of the computer.
This command resets the secure channel by attempting to reset
the password on both the computer and the domain, so it does not
require rejoining or restarting.
To reset the secure channel using NLTest, on the computer that
has lost its trust, type the command:
nltest /server:ServerName /sc_reset:DomainName\DomainController
For example:
nltest /server:SERVER02 /sc_reset:CONTOSO\SERVER01
This command tears down the existing secure channel and establishes a
new one with the specified domain controller; like NetDom, it does not
require rejoining or rebooting. Unlike netdom reset, however, it does not
change the machine account password, so if the password itself is out of
sync with the domain, use NetDom or one of the reset methods above.
Because NLTest and NetDom reset the secure channel without
requiring a reboot, you should try those commands first. Only if those
are not successful should you use the Reset Account command or DSMod
to reset the computer account.
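The checks and repairs above, carried out from Windows PowerShell on the affected member computer, as an added example (not code from the lesson). It reads the age of the machine account password with the secure channel description in mind, tests the channel without changing anything, and repairs it in place only if the test fails. It assumes PowerShell 3.0 or later (for the -Credential parameters) and a domain controller named SERVER01.contoso.com, matching the CONTOSO\SERVER01 used in the nltest example; both are assumptions.

```powershell
# Added example: run on the member computer whose trust is in doubt (PowerShell 3.0 or later).
# Assumed DC name, matching the nltest example: SERVER01.contoso.com
$dc = 'SERVER01.contoso.com'

# 1. Age of the machine account password (rotation is every 30 days by default).
#    [adsisearcher] needs no RSAT; it queries the domain the computer is joined to.
$sam      = $env:COMPUTERNAME + '$'
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$sam))"
$account  = $searcher.FindOne()
if ($null -eq $account) {
    Write-Warning "No computer account named $sam was found (missing or deleted)."
} else {
    $pwdLastSet = [datetime]::FromFileTime([int64]$account.Properties['pwdlastset'][0])
    'Machine password last set: {0} ({1:N0} days ago)' -f $pwdLastSet, ((Get-Date) - $pwdLastSet).TotalDays
}

# 2. Test the secure channel; this changes nothing.
if (Test-ComputerSecureChannel -Verbose) {
    'Secure channel to the domain is healthy.'
} else {
    # 3. Repair in place: the computer keeps its SID and group memberships and needs no reboot,
    #    which is why this is preferred over leaving and rejoining the domain.
    $cred = Get-Credential -Message 'Domain account permitted to reset this computer account'
    if (Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred -Verbose) {
        'Secure channel re-established.'
    } else {
        # Password out of sync on both sides: set a new machine password against a specific DC
        # (the netdom reset approach) and test once more.
        Reset-ComputerMachinePassword -Server $dc -Credential $cred
        Test-ComputerSecureChannel -Verbose
    }
}
```

If step 1 reports no account at all, none of the resets will help; the account must be re-created (or restored from a backup or the Recycle Bin), after which the computer is rejoined.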
When you rename a computer, you must be careful to do it
correctly. Remember that the computer uses its name to authenticate
with the domain, so if you rename only the domain object, or only the
computer itself, they will be out of sync. You must rename the
computer in such a way that both the computer and the domain object
are changed.
You can rename a computer correctly by logging on to the computer itself,
either locally or with a remote desktop session, and following these steps.
-
Open System Properties from Control Panel.
-
In the Computer Name, Domain, And Workgroup Settings
section, click Change Settings.
-
If you are prompted by User Account Control, click
Continue.
-
On the Computer Name tab, click Change.
-
Type the new name and click OK twice to close the dialog
boxes.
-
Restart the computer to allow the change to take
effect.
In Command Prompt, you can use the NetDom command with the
following syntax:
netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword | *}]
    [/UserD:DomainUsername] [/PasswordD:{DomainPassword | *}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
In addition to specifying the computer to rename
(MachineName) and the desired new name
(NewName), you must have credentials that are a
member of the local Administrators group on the computer and
credentials that have permission to rename the domain computer object.
By default, Netdom.exe uses the credentials with
which the command is executed. You can specify credentials, using
UserO and PasswordO for the
credentials in the computer’s local Administrators group, and
UserD and PasswordD for the
domain credentials with permission to rename the computer object.
Specifying * for the password causes
Netdom.exe to prompt for the password on the
command line. The SecurePasswordPrompt parameter
displays a popup for credentials when * is
specified for either PasswordO or
PasswordD. After you rename a computer, you must
restart it. The REBoot parameter causes the
system to reboot after 30 seconds unless otherwise specified by
TimeInSeconds.
When you rename a computer, you can adversely affect services
running on it. For example, Active Directory Certificate Services (AD
CS) relies on the server’s name. Be certain to consider the impact of
renaming a computer before doing so. Do not use these
methods to rename a domain controller.
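The Rename-Computer cmdlet does what the NetDom syntax above does: it renames the computer and its domain object together, using separate local and domain credentials. The script below is an added example, not code from the lesson; it wraps the rename in the two checks this section asks for (refusing to rename a domain controller and making sure the new name is free) and confirms the result in the directory. It assumes PowerShell 3.0 or later, the Active Directory module, WinRM access to the target, and the names DESKTOP153 and SALES153, which are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumed names (not from the lesson): rename DESKTOP153 to SALES153
$oldName = 'DESKTOP153'
$newName = 'SALES153'

# 1. Refuse to rename a domain controller (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC)
$role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $oldName).DomainRole
if ($role -ge 4) { throw "$oldName is a domain controller; do not rename it with this method." }

# 2. Make sure no existing account already carries the new name
if (Get-ADComputer -Filter "Name -eq '$newName'") {
    throw "A computer object named $newName already exists."
}

# 3. Prompt for credentials instead of putting passwords on the command line (the * / SecurePasswordPrompt idea)
$domainCred = Get-Credential -Message 'Domain account permitted to rename the computer object'

# 4. Rename the computer and its domain object in one operation; the restart is required for the new name
Rename-Computer -ComputerName $oldName -NewName $newName -DomainCredential $domainCred -Force -Restart

# 5. Confirm that name, sAMAccountName and dNSHostName were all updated on the domain object
Get-ADComputer -Identity ($newName + '$') -Properties DNSHostName |
    Select-Object Name, SamAccountName, DNSHostName
```

If the caller is not an administrator on the target computer, add -LocalCredential with an account that is; Rename-Computer otherwise uses the credentials of the session that runs it, like Netdom.exe.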
Disabling and Enabling Computer Accounts
If a computer is taken offline or is not to be used for an extended period of time, you
should consider disabling the account. This recommendation reflects the
security principle that an identity store should allow authentication
only of the minimum number of accounts required to achieve the goals of an
organization. Disabling the account does not modify the computer’s SID
or group membership, so when the computer is brought back online, the
account can be enabled.
To disable a computer in the Active Directory Users And
Computers snap-in, right-click the computer, and then click Disable
Account. A disabled account appears with a down-arrow icon in the
Active Directory Users And Computers snap-in, as shown in Figure 2.
While an account is disabled, the computer cannot create a
secure channel with the domain. The result is that users who have not
previously logged on to the computer, and who, therefore, do not have
cached credentials on the computer, will be unable to log on until the
secure channel is reestablished by enabling the account.
To enable a computer account, right-click the computer, and then
click Enable Account.
To disable or enable a computer in Command Prompt, use the DSMod
command. The syntax used to disable or enable computers is:
dsmod computer ComputerDN -disabled yes
dsmod computer ComputerDN -disabled no
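The principle stated above, that the directory should authenticate only the accounts that are actually needed, is usually applied at scale: find the computers that have stopped authenticating and disable them. The following is an added example, not code from the lesson. It disables and re-enables one account with the Active Directory module, and in between locates inactive computer accounts and disables them after review. It assumes the Active Directory module and the computer name DESKTOP153; the 90-day threshold is a choice, not a value from the lesson.

```powershell
Import-Module ActiveDirectory

# Assumed name (not from the lesson)
$sam = 'DESKTOP153$'

# Disable one account. userAccountControl changes; the SID and group memberships are untouched.
Disable-ADAccount -Identity $sam
Get-ADComputer -Identity $sam -Properties MemberOf |
    Select-Object Name, Enabled, @{ Name = 'MemberOf'; Expression = { $_.MemberOf -join '; ' } }

# Find computer accounts that have not authenticated for 90 days. Search-ADAccount uses
# lastLogonTimestamp, which replicates with a delay of up to 14 days, so treat the threshold as approximate.
$stale = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan (New-TimeSpan -Days 90) |
    Where-Object {
        $_.Enabled -and
        $_.DistinguishedName -notlike '*,OU=Domain Controllers,*'   # never bulk-disable DCs
    }

'== Inactive, still-enabled computer accounts =='
$stale | Select-Object Name, LastLogonDate, DistinguishedName | Format-Table -AutoSize

# Dry run first; remove -WhatIf once the list has been reviewed
$stale | Disable-ADAccount -WhatIf

# Bring a computer back into service: the same SID and group memberships are still there
Enable-ADAccount -Identity $sam
```

Disabling rather than deleting keeps the option of simply re-enabling the account when a machine turns out to be merely off-site, which is the reason the section prefers disabling for extended absences.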
Deleting Computer Accounts
You have learned that each computer account, like each user
account, maintains a unique SID, which allows an administrator to
grant permissions to computers. Also like user accounts, computers can
belong to groups. Therefore, like user accounts, it is important to
understand the effect of deleting a computer account. When a computer
account is deleted, its group memberships and SID are lost. If the
deletion is accidental, and another computer account is created with
the same name, it is nonetheless a new account with a new SID. Group
memberships must be reestablished, and any permissions assigned to the
deleted computer must be reassigned to the new account. Delete
computer objects only when you are certain that you no longer require
those security-related attributes of the object.
To delete a computer account using Active Directory Users And
Computers:
-
Right-click the computer object, and then click
Delete.
You are prompted to confirm the deletion and, because
deletion is not reversible, the default response to the prompt is
No.
-
Click Yes to delete the object.
The DSRm command deletes a computer object in
Command Prompt. To delete a computer with DSRm, type:
dsrm ObjectDN
where ObjectDN is the distinguished name of
the computer, such as "CN=Desktop153,OU=Clients,DC=contoso,DC=com".
Again, you will be prompted to confirm the deletion.
Recycling Computer Accounts
If a computer account’s group memberships and SID, and the
permissions assigned to that SID, are important to the operations of a
domain, you do not want to delete that account. So what would you do
if a computer was replaced with a new system with upgraded hardware?
This is another scenario in which you would reset a computer
account.
Resetting a computer account resets its password but maintains
all of the computer object's other properties. With a reset password, the
account becomes, in effect, available for use. A computer with the same
name can then join the domain using that account, including the upgraded system. In
effect, you've recycled the computer account, assigning it to a new
piece of hardware. You can even rename the account to match the new
computer's name. The SID and group memberships remain the same.
As you learned earlier in this lesson, the Reset
Account command is available in the context menu when you
right-click a computer object. The DSMod command can also be used to
reset a computer account. For example, type:
dsmod computer "ComputerDN" -reset
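The difference between deleting and recycling a computer account, described in the two sections above, can be shown directly in a lab domain. The script below is an added example, not code from the lesson: it creates a throwaway computer object, puts it in a group, resets it with dsmod (the tool the lesson uses) and shows the SID and group memberships survive, then deletes and re-creates an object with the same name and shows that the result is a new SID with no memberships. It assumes the Active Directory module, the Clients OU and the Sales Desktops group from the practice setup, and a test object name LABTEST01; all are assumptions, and the object is removed at the end.

```powershell
Import-Module ActiveDirectory

# Lab-only demonstration. Assumed names (not from the lesson): test object LABTEST01 in the
# Clients OU, and the Sales Desktops group from the practice setup.
$ou    = 'OU=Clients,DC=contoso,DC=com'
$name  = 'LABTEST01'
$sam   = $name + '$'
$group = 'Sales Desktops'

# The identity-related attributes the lesson cares about: objectSid and memberOf
function Get-IdentitySnapshot([string]$samAccountName) {
    $c = Get-ADComputer -Identity $samAccountName -Properties MemberOf
    [pscustomobject]@{ Name = $c.Name; SID = $c.SID.Value; Groups = @($c.MemberOf) }
}

New-ADComputer -Name $name -SamAccountName $name -Path $ou
Add-ADGroupMember -Identity $group -Members $sam
$original = Get-IdentitySnapshot $sam

# Recycle: reset the account with dsmod. The password is reset; SID and memberships survive.
$dn = (Get-ADComputer -Identity $sam).DistinguishedName
dsmod computer "$dn" -reset | Out-Null
$afterReset = Get-IdentitySnapshot $sam
'After reset, same SID:          {0}' -f ($afterReset.SID -eq $original.SID)            # True
'After reset, memberships kept:  {0}' -f ($afterReset.Groups.Count -eq $original.Groups.Count)  # True

# Delete and re-create with the same name: a brand-new account with a new SID and no memberships.
Remove-ADComputer -Identity $sam -Confirm:$false
New-ADComputer -Name $name -SamAccountName $name -Path $ou
$recreated = Get-IdentitySnapshot $sam
'Re-created object, same SID:    {0}' -f ($recreated.SID -eq $original.SID)   # False
'Re-created object, group count: {0}' -f $recreated.Groups.Count               # 0

# Clean up the lab object
Remove-ADComputer -Identity $sam -Confirm:$false
```

Any permission granted to the original SID (on a file share, in a GPO security filter, in a software deployment collection) is now orphaned after the delete-and-re-create path; only the reset path keeps those grants valid.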
Practice Supporting Computer Objects and Accounts
To perform the exercises in this practice, you must
have the following objects in the contoso.com domain.
-
A first-level OU named Clients.
-
Two computer objects, DESKTOP154 and DESKTOP155, in the
Clients OU.
-
An OU named Desktops and an OU named Laptops in the
Clients OU.
-
A first-level OU named User Accounts.
-
User accounts in the User Accounts OU for Linda Mitchell
and Scott Mitchell. Populate sample contact information for
the accounts: address, telephone, and e-mail.
-
A first-level OU named Groups.
-
A global security group in the Groups OU named Sales
Desktops.
EXERCISE 1 Manage Computer Objects
In this exercise, you perform several common administrative
tasks related to computers as you support the computers assigned
to Linda Mitchell and Scott Mitchell, two salespeople at Contoso,
Ltd.
-
Log on to SERVER01 as Administrator.
-
Open the Active Directory Users And Computers
snap-in.
-
Select the Clients OU.
-
In the details pane, right-click DESKTOP154 and choose
Properties.
-
On the Managed By tab, click Change.
-
Type the user name for Scott Mitchell and click
OK.
The Managed By tab reflects the contact information you
populated in Scott Mitchell’s user object.
-
Click Properties.
The Properties button on the Managed By tab takes you to
the object referred to by the managedBy
attribute.
-
Click OK to close each dialog box.
-
Repeat steps 4–8 to associate DESKTOP155 with Linda
Mitchell.
-
In the console details pane of the Clients OU, select
both DESKTOP154 and DESKTOP155.
-
Drag both objects into the Desktops OU. Click Yes to
confirm your action.
-
In the console tree, select the Desktops OU.
-
In the details pane, select both DESKTOP154 and
DESKTOP155.
-
Right-click one of the two selected computers and choose
Properties.
The Properties For Multiple Items dialog box
appears.
-
Select the Change The Description Text For All Selected
Objects check box and type Sales
Desktop. Click OK.
-
With both computers selected, right-click one of the
selected computers and choose Add To A Group.
-
Type Sales Desktops and
click OK.
A success message appears. Click OK.
-
In the console tree, select the Domain Controllers
OU.
-
In the details pane, right-click SERVER01 and choose
Manage.
The Computer Management console appears.
-
Close the Computer Management console.
EXERCISE 2 Troubleshoot Computer Accounts
In this exercise, you simulate resetting the secure channel
on a domain member. If you have a second computer joined to the
contoso.com domain, you can use its name in step 4 of this
exercise to actually perform a secure channel reset.
-
Open Command Prompt.
-
The NLTest command can test the secure channel and
perform several useful domain-related tests. Type nltest /? and review the options
supported by Nltest.exe.
-
The NetDom command performs several tasks related to
computers and the domain. Type netdom
/? and review the options supported by
Netdom.exe.
-
Simulate resetting a computer’s secure channel by typing
netdom reset desktop154. You
will receive an error, The RPC Server Is Not Available,
because the system is not online.