1 / 30

WORKING WITH COMPUTER ACCOUNTS

Chapter 8. WORKING WITH COMPUTER ACCOUNTS. CHAPTER OVERVIEW. Describe the process of adding a computer to an Active Directory domain Create and manage computer objects Troubleshoot computer accounts. UNDERSTANDING COMPUTER OBJECTS.

walda
Download Presentation

WORKING WITH COMPUTER ACCOUNTS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 8 WORKING WITH COMPUTER ACCOUNTS

  2. Chapter 8: WORKING WITH COMPUTER ACCOUNTS CHAPTER OVERVIEW • Describe the process of adding a computer to an Active Directory domain • Create and manage computer objects • Troubleshoot computer accounts

  3. Chapter 8: WORKING WITH COMPUTER ACCOUNTS UNDERSTANDING COMPUTER OBJECTS • Logical representation in Active Directory of the physical computer object • A mean to track computers belonging to the domain • User cannot log on to the domain from a computer without a computer account in Active Directory • Can be granted permissions to other objects • Inherit group policy settings from domains, sites, and OUs • Can be made a member of a security and distribution group and inherit group permissions

  4. Chapter 8: WORKING WITH COMPUTER ACCOUNTS CREATING COMPUTER OBJECTS • Computer object must exist in Active Directory before computer can be joined to the domain. • Computer object can be created using Active Directory Users and Computers or a command-line tool such as Dsadd. • Computer account can also be created during the domain joining process. • Computer account SID is stored in Active Directory computer account object • Prevent a rogue computer from accessing the network

  5. Chapter 8: WORKING WITH COMPUTER ACCOUNTS COMPUTER ACCOUNT AUTHENTICATION • Computer authenticate before user account is authenticated • Client computer and Domain Controller mutual authentication • Authenticate using computer account and password • Account name • Up to 63 characters • Pre-Windows 2000 the first 15 characters • Password is generated automatically and kept hidden • Account name up to 63 characters • Pre-Windows 2000 the first 15 characters

  6. Chapter 8: WORKING WITH COMPUTER ACCOUNTS CREATING COMPUTER OBJECTS USING ACTIVE DIRECTORY USERS AND COMPUTERS • Permission Requirements: • Administrators • Account Operators • Delegated control

  7. Chapter 8: WORKING WITH COMPUTER ACCOUNTS CREATING COMPUTER OBJECTS USING DSADD.EXE • Allows computer account creation to be scripted • Provides a mechanism to create large amounts of computer accounts at one time • Example: • DSAdd computer “CN=MyComputer,CN=Computers,DC=MyCompany,DC=Com”

  8. Chapter 8: WORKING WITH COMPUTER ACCOUNTS CREATING COMPUTER OBJECTS USING NETDOM.EXE • Command-line utility • Simpler to use than Dsadd • Must be extracted from the support.cab archive in the \Support\Tools folder on the Windows Server 2003 installation CD or install by running suptools.msi Example: Netdom add MyComputer /Domain:Contoso.com /UserD:Admin /PasswordD:Secret /OU:Organization

  9. Chapter 8: WORKING WITH COMPUTER ACCOUNTS JOINING COMPUTERS TO A DOMAIN

  10. Chapter 8: WORKING WITH COMPUTER ACCOUNTS JOINING A DOMAIN USING NETDOM.EXE • Allows computers to be joined to the domain from a command line • Allows scripts to be developed to streamline the process of joining a computer to a domain • Netdom join …..

  11. Chapter 8: WORKING WITH COMPUTER ACCOUNTS CREATING COMPUTER OBJECTS WHILE JOINING THE DOMAIN

  12. Chapter 8: WORKING WITH COMPUTER ACCOUNTS JOINING A DOMAIN DURING OPERATING SYSTEM INSTALLATION

  13. Chapter 8: WORKING WITH COMPUTER ACCOUNTS LOCATING COMPUTER OBJECTS • The Computers container • The Domain Controllers OU

  14. Chapter 8: WORKING WITH COMPUTER ACCOUNTS LOCATING DC COMPUTER OBJECTS • Computer accounts for domain controllers are placed in the system-created domain controllers OU by default. • The Default Domain Controllers Policy GPO is applied to the container.

  15. Chapter 8: WORKING WITH COMPUTER ACCOUNTS LOCATING OTHER COMPUTER OBJECTS • Non–domain-controller computer accounts are placed in the Computers system-created container by default. • Computer container does not support group policy

  16. Chapter 8: WORKING WITH COMPUTER ACCOUNTS REDIRECTING COMPUTER OBJECTS • Allows an alternative default location for computer accounts to be specified. • Use the Redircmp.exe command-line utility. • Works only on Windows Server 2003 domain functional level. • Automatically redirects all computer accounts • Can be overridden by explicit computer account creation commands. Example: Redircmp ou=Workstations,DC=contoso,DC=com

  17. Chapter 8: WORKING WITH COMPUTER ACCOUNTS MANAGING COMPUTER OBJECTS • Computer objects have properties. • Can be viewed and configured through Active Directory Users and Computers

  18. Chapter 8: WORKING WITH COMPUTER ACCOUNTS MODIFYING COMPUTER OBJECT PROPERTIES

  19. Chapter 8: WORKING WITH COMPUTER ACCOUNTS DELETING, DISABLING, AND RESETTING COMPUTER OBJECTS Deleting • Removes the computer account from Active Directory Disabling • Prevents the computer from being used to log on to the domain Resetting • Reestablishes relationship between a computer and Active Directory

  20. Chapter 8: WORKING WITH COMPUTER ACCOUNTS DELETING COMPUTER OBJECTS • Manually through Active Directory Users and Computers • Automatically by changing the domain membership on the computer • Using a command-line tool such as Dsrm

  21. Chapter 8: WORKING WITH COMPUTER ACCOUNTS DISABLING COMPUTER OBJECTS

  22. Chapter 8: WORKING WITH COMPUTER ACCOUNTS RESETTING A COMPUTER OBJECT • Necessary when replacing or upgrading a computer system • Allows an appropriately named new system to use an existing computer account • Allows computer account password on the computer to be synchronized with computer account password stored on the domain controller

  23. Chapter 8: WORKING WITH COMPUTER ACCOUNTS MANAGING REMOTE COMPUTERS • Allows you to perform management tasks across the network • Actually a shortcut to the Computer Management MMC snap-in

  24. Chapter 8: WORKING WITH COMPUTER ACCOUNTS MANAGING COMPUTER OBJECTS FROM THE COMMAND LINE Dsmod • Used to modify existing computer account objects Dsrm • Used to remove computer account objects from Active Directory

  25. Chapter 8: WORKING WITH COMPUTER ACCOUNTS MANAGING COMPUTER OBJECT PROPERTIES WITH DSMOD.EXE • Can be used to modify properties of existing computer account objects • Useful for creating scripts and batch files to automate changes • Cannot be used to create or delete computer account objects Example: DSMod computer CN=MyComp,CN=Computers,DC=Contoso,DC=com –reset

  26. Chapter 8: WORKING WITH COMPUTER ACCOUNTS DELETING COMPUTER OBJECT PROPERTIES WITH DSRM.EXE • Can be used to delete computer account objects from the command line • Requires confirmation of deletion unless the -noprompt switch is used Example: DSrm CN=MyComp,CN=Computers,DC=Contoso,DC=com

  27. Chapter 8: WORKING WITH COMPUTER ACCOUNTS TROUBLESHOOTING COMPUTER ACCOUNTS: PROBLEMS • Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, or that the trust between the computer and the domain has been lost. • Error messages or entries in an event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed. • A computer account is missing in Active Directory.

  28. Chapter 8: WORKING WITH COMPUTER ACCOUNTS TROUBLESHOOTING COMPUTER ACCOUNTS: SOLUTIONS • Reset the computer account in Active Directory. • If the computer account is missing, create a computer account. • If the computer still belongs to the domain, you must remove it from the domain by changing its membership to a workgroup. • Rejoin the computer to the domain.

  29. Chapter 8: WORKING WITH COMPUTER ACCOUNTS SUMMARY • A computer object represents a specific system on the network. • To add a computer to a domain, you must create a computer object for it in Active Directory and then join the physical computer to the object. • To create computer objects, you can use the Active Directory Users and Computers console, the Dsadd utility, or the Netdom utility.

  30. Chapter 8: WORKING WITH COMPUTER ACCOUNTS SUMMARY (continued) • Computer objects for non–domain controllers are placed in the Computers container by default. • Computer object have a SID that Active Directory uses to reference the computer in its group memberships and other permissions. • The typical steps for troubleshooting a computer object problem include creating or resetting the object, removing the computer from the domain, and rejoining it to the domain.

More Related