IT tutorials
 
Windows
 

Windows Server 2003 : Computer Accounts - Managing Computer Accounts & Troubleshooting Computer Accounts

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
2/21/2012 5:43:43 PM

1. Managing Computer Accounts

Managing Computer Object Permissions

Fortunately, Active Directory allows you to control, with great specificity, the groups or users that can join a computer to a domain computer account. Although the default is Domain Admins, you can allow any group (for example, a group called “Installers”) to join a machine to an account. This is most easily achieved while creating the computer object.

When you create a computer object, the first page of the New Object–Computer dialog box  indicates The Following User Or Group Can Join This Computer To A Domain. Click Change and you can select any user or group. This change modifies a number of permissions on the computer object in Active Directory.

The following page of the New Object–Computer dialog box prompts you for the globally unique identifier (GUID) of the computer, which is necessary if you install a system using Remote Installation Services (RIS). For more information on RIS, see the Microsoft online Knowledge Base, http://support.microsoft.com/.

If the computer that is using the account that you are creating is running a version of Windows earlier than 2000, select the Assign This Computer Account As A Pre–Windows 2000 Computer check box. If the account is for a Windows NT backup domain controller, click Assign This Computer Account As A Backup Domain Controller.

Tip

Remember, only computers based on Windows NT technologies can belong to a domain, so Windows 95, Windows 98, and Windows Millennium Edition (Windows Me) cannot join or maintain computer accounts. Therefore, this check box really means Windows NT 4.


Configuring Computer Properties

Computer objects have several properties that are not visible when creating a computer account in the user interface. Open a computer object’s Properties dialog box to set its location and description, configure its group memberships and dial-in permissions, and link it to a user object of the computer’s manager. The Operating System properties page is read-only. The information is published automatically to Active Directory, and will be blank until a computer has joined the domain using that account.

Several object classes in Active Directory support the Manager property that is shown on the Managed By property page of a computer. This linked property creates a cross-reference to a user object. All other properties—the addresses and telephone numbers—are displayed directly from the user object. They are not stored as part of the computer object itself.

The DSMOD command, can also modify several of the properties of a computer object. You will see the DSMOD command in action in the following section regarding troubleshooting computer accounts.

Finding and Connecting to Objects in Active Directory

When a user calls you with a particular problem, you might want to know what operating system and service pack is installed on that user’s system. You learned that this information is stored as properties of the computer object. The only challenge, then, is to locate the computer object, which may be more difficult in a complex Active Directory with one or more domains and multiple OUs.

The Active Directory Users and Computers snap-in provides easy access to a powerful, graphical search tool. This tool can be used to find a variety of object types. In this context, however, your search entails an object of the type Computer. Click the Find Objects In Active Directory button on the console toolbar. The resulting Find Computers dialog box is illustrated in Figure 1. You can select the type of object (Find), the scope of the search (In), and specify search criteria before clicking Find Now.

Figure 1. The Find Computers dialog box, as it appears after a successful search

The list of results allows you to select an object and, from the File menu or the shortcut menu, perform common tasks on the selected object. Many administrators appreciate learning that you can use the Manage command to open the Computer Management console and connect directly to that computer, allowing you to examine its event logs, device manager, system information, disk and service configuration, or local user or group accounts.

Practice: Managing Computer Accounts

In this practice, you will search for a computer object and modify its properties.

Exercise 1: Managing Computer Accounts
1.
Open Active Directory Users And Computers.

2.
Select the Security Groups OU and create a global security group called Deployment.

3.
Select the Desktops OU.

4.
Create a computer account for Desktop04. In the first page of the New Object–Computer dialog box, click Change below The Following User Or Group Can Join This Computer To A Domain. Type deployment in the Select User or Group dialog box, and then click OK.

5.
Complete the creation of the Desktop04 computer object.

Exercise 2: Finding Objects in Active Directory
1.
Open Active Directory Users And Computers.

2.
On the toolbar, click the Find Objects in Active Directory icon.

3.
By default, the Find dialog box is ready to search for Users, Contacts, and Groups. Choose Computers from the Find drop-down list, and select Entire Directory from the In drop-down list.

4.
In the Computer Name field, type server and click Find Now.

A result set appears that includes Server01.

Exercise 3: Changing Computer Properties
1.
From the result set returned in Exercise 1, open Server01’s properties dialog box.

2.
Click the Location tab.

3.
Type Headquarters Server Room.

4.
Click the Managed By tab, and then click Change.

5.
Type Hank and then click OK.

6.
Note that the user’s name and contact information appears.

7.
Click the Operating System tab. Note the OS version and service pack level are displayed.


2. Troubleshooting Computer Accounts

Active Directory domains treat computers as security principals. This means that a computer, just like a user, has an account—or, more specifically, properties within the computer object such as a name, a password, and a SID. Like user accounts, computer accounts require maintenance and, occasionally, troubleshooting. This lesson focuses on skills and concepts related to troubleshooting computer objects.

After this lesson, you will be able to
  • Understand the important difference among deleting, disabling, and resetting computer accounts

  • Recognize the symptoms of computer account problems

  • Troubleshoot computer accounts by deleting, disabling, resetting, or rejoining, using both command-line and user-interface tools

Estimated lesson time: 20 minutes

Deleting and Disabling and Resetting Computer Accounts

Computer accounts, like user accounts, maintain a unique SID, which enables an administrator to grant permissions to computers. Also like user accounts, computers can belong to groups. Therefore, like user accounts, it is important to understand the effect of deleting a computer account. When a computer account is deleted, its group memberships and SID are lost. If the deletion is accidental, and another computer account is created with the same name, it is nonetheless a new account, with a new SID. Group memberships must be reestablished, and any permissions assigned to the deleted computer must be reassigned to the new account. Delete computer objects only when you are certain that you no longer require those security-related attributes of the object.

To delete a computer account using Active Directory Users And Computers, locate and select the computer object and, from the Action menu or the shortcut menu, select the Delete command. You will be prompted to confirm the deletion and, because deletion is not reversible, the default response to the prompt is No. Select Yes and the object is deleted.

The DSRM command-line tool allows you to delete a computer object from the command prompt. To delete a computer with DSRM, type:

							DSRM
ObjectDN

Where ObjectDN is the distinguished name of the computer, such as “CN=Desktop15, OU=Desktops,DC=contoso,DC=com.” Again, you will be prompted to confirm the deletion.

Tip

When a computer is disjoined from a domain—when an administrator changes the membership of the computer to a workgroup or to another domain—the computer attempts to delete its computer account in the domain. If it is not possible to do so because of lack of connectivity, networking problems, or credentials and permissions, the account will remain in Active Directory. It may appear, immediately or eventually, as disabled. If that account is no longer necessary, it must be deleted manually.


If a computer is taken offline or is not to be used for an extended period of time, you may disable the account. Such an action reflects the security principle, that an identity store allow authentication only of the minimum number of accounts required to achieve the goals of an organization. Disabling the account does not modify the computer’s SID or group membership, so when the computer is brought back online, the account can be enabled.

The context menu, or Action menu, of a selected computer object exposes the Disable Account command. A disabled account appears with a red “X” icon in the Active Directory Users And Computers snap-in, as shown in Figure 2.

Figure 2. A disabled computer account

While an account is disabled, the computer cannot create a secure channel with the domain. The result is that users who have not previously logged on to the computer, and who therefore do not have cached credentials on the computer, will be unable to log on until the secure channel is reestablished by enabling the account.

To enable a computer account, simply select the computer and choose the Enable Account command from the Action or shortcut menus.

To disable or enable a computer from the command prompt, use the DSMOD command. The DSMOD command modifies Active Directory objects. The syntax used to disable or enable computers is:

DSMOD COMPUTER ComputerDN -DISABLED YES
DSMOD COMPUTER ComputerDN -DISABLED NO

If a computer account’s group memberships and SID, and the permissions assigned to that SID, are important to the operations of a domain, you do not want to delete that account. So what would you do if a computer was replaced with a new system, with upgraded hardware? Such is one scenario in which you would reset a computer account.

Resetting a computer account resets its password, but maintains all of the computer object’s properties. With a reset password, the account becomes in effect “available” for use. Any computer can then join the domain using that account, including the upgraded system.

In fact, the computer that had previously joined the domain with that account can use the reset account by simply rejoining the domain. This reality will be explored in more detail in the troubleshooting lesson.

The Reset Account command is available in the Action and context menus when a computer object is selected. The DSMOD command can also be used to reset a computer account, with the following syntax:

dsmod computer ComputerDN -reset

The NETDOM command, included with the Windows Server 2003 Support Tools in the CD-ROM’s Support\Tools directory, also enables you to reset a computer account.

Recognizing Computer Account Problems

Computer accounts, and the secure relationships between computers and their domain are robust. In the rare circumstance that an account or secure channel breaks down, the symptoms of failure are generally obvious. The most common signs of computer account problems are:

Messages at logon indicate that a domain controller cannot be contacted; that the computer account may be missing; or that the trust (another way of saying “the secure relationship”) between the computer and the domain has been lost. An example is shown in Figure 3.

Figure 3. Logon message from a Windows XP client indicating a possible computer account problem


  • Error messages or events in the event log indicating similar problems or suggesting that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed.

  • A computer account is missing in Active Directory.

The rules that govern troubleshooting a computer account are:

  1. If the computer account exists in Active Directory, it must be reset.

  2. If the computer account is missing in Active Directory, you must create a computer account.

  3. If the computer still belongs to the domain, it must be removed from the domain by changing its membership to a workgroup. The name of the workgroup is irrelevant. Best practice is to try and choose a workgroup name that you know is not in use.

  4. Rejoin the computer to the domain. Alternatively, join another computer to the domain; but the new computer must have the same name as the computer account.

To troubleshoot any computer account problem, apply all four rules. These rules can be addressed in any order, except that Rule D, involving rejoining the computer to the domain, must as always be performed as the final step. Let’s examine two scenarios.

In the first scenario, a user complains that when he or she attempts to log on, the system presents error messages indicating that the computer account might be missing. Applying Rule A, you open Active Directory Users And Computers and find that the computer account exists. You reset the account. Rule B does not apply—the account does exist. Then, using Rule C, you disjoin the system from the domain and, following Rule D, rejoin the domain.

In a second scenario, if a computer account is reset by accident, the first item that has occurred is Rule A. Although the reset is accidental, you must continue to recover by applying the remaining three rules. Rule B does not apply because the account exists in the domain. Rule C indicates that if the computer is still joined to the domain, it must be removed from the domain. Then, by Rule D, it can rejoin the domain.

With these four rules, you can make an informed decision, on the job or on the certification exams, about how to address any scenario in which a computer account has lost functionality.

Practice: Troubleshooting Computer Accounts

In this practice, you will troubleshoot a realistic scenario. A user in the contoso.com domain contacts you and complains that, when logging on to Desktop03, he or she receives the following error message:

“Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.”

The user waited, attempted to log on, received the same message, waited again, and then received the same message a third time. The user has now spent 20 minutes trying to log on. In obvious frustration, the user contacts you for assistance.

Exercise 1: Troubleshooting Computer Accounts
  1. Identify the most likely cause of the user’s problem:

    1. The user entered an invalid user name.

    2. The user entered an invalid password.

    3. The user chose the incorrect domain from the Log On To list.

    4. The computer has lost its secure channel with the domain.

    5. The computer’s registry is corrupted.

    6. The computer has a policy preventing the user from logging on interactively.

    The correct answer, as you can probably deduce, is d. The computer has lost its secure channel with the domain.

  2. Identify the steps from the list below that you must take to troubleshoot the problem. Put the steps in order. You may not require all steps.

    1. Enable the computer account.

    2. Change Desktop03 to belong to contoso.com.

    3. Determine whether the computer account exists in Active Directory.

    4. Reset or re-create the computer account.

    5. Change Desktop03 to a workgroup.

    6. Delete the computer account.

    7. Disable the computer account.

    The correct answer is steps e, c, d, and b. Step e does not have to occur first; it just has to be done anytime before step b. Steps c and d must occur, in that order, before step b, which must be the last step.

Exercise 2: Recover from Computer Account Problems
1.
Open Active Directory Users And Computers.

2.
Click Find Objects In Active Directory and search for Desktop03.

3.
Desktop03 appears in the search results .

4.
Having identified that the account does exist, reset the account by right-clicking Desktop03 and choosing Reset Account.

 
Others
 
- Windows Server 2003 : Computer Accounts - Joining a Computer to a Domain
- Windows Vista : Creating Basic Windows Images - Creating Unattended Answer Files
- Windows Vista : Creating Basic Windows Images - Building a Deployment Server
- Windows 7 : Installing a Local Printer
- Windows 7 : Installing and Configuring a Printer
- Windows Server 2008 R2 : Understand Active Directory Replication
- Windows Server 2008 R2 : Automate User and Group Management
- Windows XP : Applications and the Registry - Shared DLLs
- Windows XP : Practicing Safe Setups - Running Through a Pre-Installation Checklist
- Windows 7 : Troubleshooting Networks - Manual Troubleshooting
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Technology FAQ
- Is possible to just to use a wireless router to extend wireless access to wireless access points?
- Ruby - Insert Struct to MySql
- how to find my Symantec pcAnywhere serial number
- About direct X / Open GL issue
- How to determine eclipse version?
- What SAN cert Exchange 2010 for UM, OA?
- How do I populate a SQL Express table from Excel file?
- code for express check out with Paypal.
- Problem with Templated User Control
- ShellExecute SW_HIDE
programming4us programming4us