1. Managing Computer Accounts
Managing Computer Object Permissions
Fortunately,
Active Directory allows you to control, with great specificity, the
groups or users that can join a computer to a domain computer account.
Although the default is Domain Admins, you can allow any group (for
example, a group called “Installers”) to join a machine to an account.
This is most easily achieved while creating the computer object.
When you create a computer object, the first page of the New Object–Computer dialog box
indicates The Following User Or Group Can Join This Computer To A
Domain. Click Change and you can select any user or group. This change
modifies a number of permissions on the computer object in Active
Directory.
The following page of
the New Object–Computer dialog box prompts you for the globally unique
identifier (GUID) of the computer, which is necessary if you install a
system using Remote Installation Services (RIS). For more information on
RIS, see the Microsoft online Knowledge Base, http://support.microsoft.com/.
If the computer that is
using the account that you are creating is running a version of Windows
earlier than 2000, select the Assign This Computer Account As A
Pre–Windows 2000 Computer check box. If the account is for a Windows NT
backup domain controller, click Assign This Computer Account As A Backup
Domain Controller.
Tip
Remember,
only computers based on Windows NT technologies can belong to a domain,
so Windows 95, Windows 98, and Windows Millennium Edition (Windows Me)
cannot join or maintain computer accounts. Therefore, this check box
really means Windows NT 4. |
Configuring Computer Properties
Computer
objects have several properties that are not visible when creating a
computer account in the user interface. Open a computer object’s
Properties dialog box to set its location and description, configure its
group memberships and dial-in permissions, and link it to a user object
of the computer’s manager. The Operating System properties page is
read-only. The information is published automatically to Active
Directory, and will be blank until a computer has joined the domain
using that account.
Several object
classes in Active Directory support the Manager property that is shown
on the Managed By property page of a computer. This linked property
creates a cross-reference to a user object. All other properties—the
addresses and telephone numbers—are displayed directly from the user
object. They are not stored as part of the computer object itself.
The DSMOD command, can also modify several of the properties of a computer object. You
will see the DSMOD command in action in the following section regarding
troubleshooting computer accounts.
Finding and Connecting to Objects in Active Directory
When a user calls you
with a particular problem, you might want to know what operating system
and service pack is installed on that user’s system. You learned that
this information is stored as properties of the computer object. The
only challenge, then, is to locate the computer object, which may be
more difficult in a complex Active Directory with one or more domains
and multiple OUs.
The Active Directory
Users and Computers snap-in provides easy access to a powerful,
graphical search tool. This tool can be used to find a variety of object
types. In this context, however, your search entails an object of the
type Computer. Click the Find Objects In Active Directory button on the
console toolbar. The resulting Find Computers dialog box is illustrated
in Figure 1. You can select the type of object (Find), the scope of the search (In), and specify search criteria before clicking Find Now.
The
list of results allows you to select an object and, from the File menu
or the shortcut menu, perform common tasks on the selected object. Many
administrators appreciate learning that you can use the Manage command
to open the Computer Management console and connect directly to that
computer, allowing you to examine its event logs, device manager, system
information, disk and service configuration, or local user or group
accounts.
Practice: Managing Computer Accounts
In this practice, you will search for a computer object and modify its properties.
Exercise 1: Managing Computer Accounts
1. | Open Active Directory Users And Computers.
|
2. | Select the Security Groups OU and create a global security group called Deployment.
|
3. | Select the Desktops OU.
|
4. | Create
a computer account for Desktop04. In the first page of the New
Object–Computer dialog box, click Change below The Following User Or
Group Can Join This Computer To A Domain. Type deployment in the Select User or Group dialog box, and then click OK.
|
5. | Complete the creation of the Desktop04 computer object.
|
Exercise 2: Finding Objects in Active Directory
1. | Open Active Directory Users And Computers.
|
2. | On the toolbar, click the Find Objects in Active Directory icon.
|
3. | By
default, the Find dialog box is ready to search for Users, Contacts,
and Groups. Choose Computers from the Find drop-down list, and select
Entire Directory from the In drop-down list.
|
4. | In the Computer Name field, type server and click Find Now.
A result set appears that includes Server01.
|
Exercise 3: Changing Computer Properties
1. | From the result set returned in Exercise 1, open Server01’s properties dialog box.
|
2. | Click the Location tab.
|
3. | Type Headquarters Server Room.
|
4. | Click the Managed By tab, and then click Change.
|
5. | Type Hank and then click OK.
|
6. | Note that the user’s name and contact information appears.
|
7. | Click the Operating System tab. Note the OS version and service pack level are displayed.
|
2. Troubleshooting Computer Accounts
Active
Directory domains treat computers as security principals. This means
that a computer, just like a user, has an account—or, more specifically,
properties within the computer object such as a name, a password, and a
SID. Like user accounts, computer accounts require maintenance and,
occasionally, troubleshooting. This lesson focuses on skills and
concepts related to troubleshooting computer objects.
After this lesson, you will be able to
Understand the important difference among deleting, disabling, and resetting computer accounts Recognize the symptoms of computer account problems Troubleshoot computer accounts by deleting, disabling, resetting, or rejoining, using both command-line and user-interface tools
Estimated lesson time: 20 minutes |
Deleting and Disabling and Resetting Computer Accounts
Computer
accounts, like user accounts, maintain a unique SID, which enables an
administrator to grant permissions to computers. Also like user
accounts, computers can belong to groups. Therefore, like user accounts,
it is important to understand the effect of deleting a computer
account. When a computer account is deleted, its group memberships and
SID are lost. If the deletion is accidental, and another computer
account is created with the same name, it is nonetheless a new account,
with a new SID. Group memberships must be reestablished, and any
permissions assigned to the deleted computer must be reassigned to the
new account. Delete computer objects only when you are certain that you
no longer require those security-related attributes of the object.
To delete a
computer account using Active Directory Users And Computers, locate and
select the computer object and, from the Action menu or the shortcut
menu, select the Delete command. You will be prompted to confirm the
deletion and, because deletion is not reversible, the default response
to the prompt is No. Select Yes and the object is deleted.
The DSRM command-line tool allows you to delete a computer object from the command prompt. To delete a computer with DSRM, type:
Where ObjectDN
is the distinguished name of the computer, such as “CN=Desktop15,
OU=Desktops,DC=contoso,DC=com.” Again, you will be prompted to confirm
the deletion.
Tip
When
a computer is disjoined from a domain—when an administrator changes the
membership of the computer to a workgroup or to another domain—the
computer attempts to delete its computer account in the domain. If it is
not possible to do so because of lack of connectivity, networking
problems, or credentials and permissions, the account will remain in
Active Directory. It may appear, immediately or eventually, as disabled.
If that account is no longer necessary, it must be deleted manually. |
If a computer is taken
offline or is not to be used for an extended period of time, you may
disable the account. Such an action reflects the security principle,
that an identity store allow authentication only of the minimum number
of accounts required to achieve the goals of an organization. Disabling
the account does not modify the computer’s SID or group membership, so
when the computer is brought back online, the account can be enabled.
The context menu, or
Action menu, of a selected computer object exposes the Disable Account
command. A disabled account appears with a red “X” icon in the Active
Directory Users And Computers snap-in, as shown in Figure 2.
While an account is
disabled, the computer cannot create a secure channel with the domain.
The result is that users who have not previously logged on to the
computer, and who therefore do not have cached credentials on the
computer, will be unable to log on until the secure channel is
reestablished by enabling the account.
To enable a computer
account, simply select the computer and choose the Enable Account
command from the Action or shortcut menus.
To
disable or enable a computer from the command prompt, use the DSMOD
command. The DSMOD command modifies Active Directory objects. The syntax
used to disable or enable computers is:
DSMOD COMPUTER ComputerDN -DISABLED YES
DSMOD COMPUTER ComputerDN -DISABLED NO
If a computer account’s
group memberships and SID, and the permissions assigned to that SID, are
important to the operations of a domain, you do not want to delete that
account. So what would you do if a computer was replaced with a new
system, with upgraded hardware? Such is one scenario in which you would reset a computer account.
Resetting a
computer account resets its password, but maintains all of the computer
object’s properties. With a reset password, the account becomes in
effect “available” for use. Any computer can then join the domain using
that account, including the upgraded system.
In fact, the
computer that had previously joined the domain with that account can use
the reset account by simply rejoining the domain. This reality will be
explored in more detail in the troubleshooting lesson.
The Reset Account
command is available in the Action and context menus when a computer
object is selected. The DSMOD command can also be used to reset a
computer account, with the following syntax:
dsmod computer ComputerDN -reset
The NETDOM command,
included with the Windows Server 2003 Support Tools in the CD-ROM’s
Support\Tools directory, also enables you to reset a computer account.
Recognizing Computer Account Problems
Computer
accounts, and the secure relationships between computers and their
domain are robust. In the rare circumstance that an account or secure
channel breaks down, the symptoms of failure are generally obvious. The
most common signs of computer account problems are:
Messages at logon
indicate that a domain controller cannot be contacted; that the computer
account may be missing; or that the trust (another way of saying “the
secure relationship”) between the computer and the domain has been lost.
An example is shown in Figure 3.
Error
messages or events in the event log indicating similar problems or
suggesting that passwords, trusts, secure channels, or relationships
with the domain or a domain controller have failed.
A computer account is missing in Active Directory.
The rules that govern troubleshooting a computer account are:
If the computer account exists in Active Directory, it must be reset.
If the computer account is missing in Active Directory, you must create a computer account.
If
the computer still belongs to the domain, it must be removed from the
domain by changing its membership to a workgroup. The name of the
workgroup is irrelevant. Best practice is to try and choose a workgroup
name that you know is not in use.
Rejoin
the computer to the domain. Alternatively, join another computer to the
domain; but the new computer must have the same name as the computer
account.
To troubleshoot any computer account problem, apply all four rules.
These rules can be addressed in any order, except that Rule D,
involving rejoining the computer to the domain, must as always be
performed as the final step. Let’s examine two scenarios.
In the first
scenario, a user complains that when he or she attempts to log on, the
system presents error messages indicating that the computer account
might be missing. Applying Rule A, you open Active Directory Users And
Computers and find that the computer account exists. You reset the
account. Rule B does not apply—the account does exist. Then, using Rule
C, you disjoin the system from the domain and, following Rule D, rejoin
the domain.
In
a second scenario, if a computer account is reset by accident, the
first item that has occurred is Rule A. Although the reset is
accidental, you must continue to recover by applying the remaining three
rules. Rule B does not apply because the account exists in the domain.
Rule C indicates that if the computer is still joined to the domain, it
must be removed from the domain. Then, by Rule D, it can rejoin the
domain.
With these four rules, you
can make an informed decision, on the job or on the certification exams,
about how to address any scenario in which a computer account has lost
functionality.
Practice: Troubleshooting Computer Accounts
In this practice, you will troubleshoot a realistic scenario. A user in the contoso.com domain contacts you and complains that, when logging on to Desktop03, he or she receives the following error message:
“Windows cannot
connect to the domain, either because the domain controller is down or
otherwise unavailable, or because your computer account was not found.
Please try again later. If this message continues to appear, contact
your system administrator for assistance.”
The user waited,
attempted to log on, received the same message, waited again, and then
received the same message a third time. The user has now spent 20
minutes trying to log on. In obvious frustration, the user contacts you
for assistance.
Exercise 1: Troubleshooting Computer Accounts
Identify the most likely cause of the user’s problem:
The user entered an invalid user name.
The user entered an invalid password.
The user chose the incorrect domain from the Log On To list.
The computer has lost its secure channel with the domain.
The computer’s registry is corrupted.
The computer has a policy preventing the user from logging on interactively.
The correct answer, as you can probably deduce, is d. The computer has lost its secure channel with the domain.
Identify
the steps from the list below that you must take to troubleshoot the
problem. Put the steps in order. You may not require all steps.
Enable the computer account.
Change Desktop03 to belong to contoso.com.
Determine whether the computer account exists in Active Directory.
Reset or re-create the computer account.
Change Desktop03 to a workgroup.
Delete the computer account.
Disable the computer account.
The
correct answer is steps e, c, d, and b. Step e does not have to occur
first; it just has to be done anytime before step b. Steps c and d must
occur, in that order, before step b, which must be the last step.
Exercise 2: Recover from Computer Account Problems
1. | Open Active Directory Users And Computers.
|
2. | Click Find Objects In Active Directory and search for Desktop03.
|
3. | Desktop03 appears in the search results .
|
4. | Having identified that the account does exist, reset the account by right-clicking Desktop03 and choosing Reset Account. |