Supporting Computer Objects and Accounts

Configuring Computer Properties

When you create a computer object, you are prompted to configure only the most fundamental attributes, including the computer name and the delegation to join the computer to the domain. Computers have several properties that are not visible when creating the computer object, and you should configure these properties as part of the process of staging the computer account.

Use the buttons below to navigate through the lesson

Open a computer object’s Properties dialog box to set its location and description, configure its group memberships and dial-in permissions, and link it to the user object of the user to
whom the computer is assigned. The Operating System tab is read-only. The information will be blank until a computer has joined the domain, using that account, at which time, the client publishes the information to its account.

Several object classes in Active Directory support the managedBy attribute that is shown on the Managed By tab. This linked attribute creates a cross-reference to a user object. All other properties the addresses and telephone numbers are displayed directly from the user object. They are not stored as part of the computer object itself.

On the Member Of tab of a computer’s Properties dialog box, you can add the computer to groups. The ability to manage computers in groups is an important and often underused feature of Active Directory. A group to which computers belong can be used to assign resource access permissions to the computer or to filter the application of a GPO. As with users and groups, it is possible to multiselect more than one computer object and subsequently manage or modify properties of all selected computers simultaneously.

Configuring Computer Attributes with Dsmod

The Dsmod command, which you learned about earlier, is able to modify only the description and the location attributes. It uses the following syntax:
dsmod computer “DN of Computer” [-desc Description] [-loc Location]

Configuring Computer Attributes with Windows PowerShell or VBScript

In Windows PowerShell and VBScript, you can change attributes of a computer with three steps:

  1. Connect to the computer using ADSI and the aDSPath attribute of the computer in the form “LDAP://Distinguished Name of Computer.”
  2. Use the Put method of the computer object to set single-valued attributes.
  3. Use the SetInfo method to commit changes to the object.

The Windows PowerShell commands are as follows:
$objComputer = [ADSI]”LDAP://DN of Computer”
$objComputer.Put (“property”, value)

The VBScript code follows this format:
Set objComputer = GetObject(“LDAP://DN of Computer”)
objComputer.Put “property”,
value objComputer.SetInfo

In both cases, if the value is a text value, it must be surrounded by quotes.

Moving a Computer

You can move a computer in the Active Directory Users and Computers snap-in using either drag and drop or the Move command, available when you right-click a computer.
You must have appropriate permissions to move an object in Active Directory. Default permissions allow Account Operators to move computer objects between containers, including the Computers container and any OUs except into or out of the Domain Controllers OU. Administrators, which include Domain Admins and Enterprise Admins, can move computer objects between any containers, including the Computers container, the Domain Controllers OU, and any other OUs.

Before you move a computer, consider the implications to delegation and configuration. The target OU might have different permissions than the originating OU, in which case, the object will inherit new permissions affecting who is able to manage the object further. The target OU might also be within the scope of different GPOs, which would change the configuration of settings on the system itself.

The Dsmove command allows you to move a computer object or any other object. The syntax of Dsmove is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]

The newname parameter enables you to rename an object.

The newparent parameter enables you to move an object.

To move a computer named XP021 from the Computers container to the ClientsXP OU, you would type the following:

dsmove “CN=XP021,CN=Computers,DC=es-net,DC=co,DC=uk” –newparent “OU=ClientsXP,DC=es-net,DC=co,DC=uk”

To move a computer in Windows PowerShell, you must use the psbase.MoveTo method.

The following two lines of code will move a computer:
$objUser=[ADSI]”LDAP://ComputerDN ”

With VBScript, you connect to the source container and use the container’s MoveHere method:
Set objOU = GetObject(“LDAP://TargetOUDN”)
objOU.MoveHere “LDAP://ComputerDN”, vbNullString

Managing a Computer from the Active Directory Users and
Computers Snap-In

One of the beneficial but lesser used features of the Active Directory Users and Computers snap-in is the Manage command. Select a computer in the Active Directory Users and Computers snap-in, right-click it, and choose Manage. The Computer Management console opens, focused on the selected computer, giving you instant access to the computer’s event logs, local users and groups, shared folder configuration, and other management extensions.

The tool is launched with the credentials used to run the Active Directory Users and Computers snap-in, so you must be running the Active Directory Users and Computers snap-in as a member of the remote computer’s Administrators group to gain the maximum functionality from the Computer Management console.

Computer’s Logon and Secure Channel

Every member computer in an Active Directory domain maintains a computer account with a user name (sAMAccountName) and password, just like a user account does.
The computer stores its password in the form of a local security authority (LSA) secret and changes its password with the domain every 30 days or so. The Netlogon service uses the credentials to log on to the domain, which establishes the secure channel with a domain controller.

 Computer Account Problems

Certain scenarios might arise in which a computer is no longer able to authenticate with the domain. Examples of such include:

After reinstalling the operating system on a workstation, the workstation is unable to authenticate even though the technician used the same computer name. Because the new installation generated a new SID and because the new computer does not know the computer account password in the domain, it does not belong to the domain and cannot authenticate to the domain.

A computer is completely restored from backup and is unable to authenticate. It is likely that the computer changed its password with the domain after the backup operation.
Computers change their passwords every 30 days, and Active Directory remembers the current and previous password. If the restore operation restored the computer with a significantly outdated password, the computer will not be able to authenticate.

A computer’s LSA secret gets out of synch with the password known by the domain. You can think of this as the computer forgetting its password, although it did not forget its
password; it just disagrees with the domain over what the password really is. When this happens, the computer cannot authenticate and the secure channel cannot be created.

 Resetting a Computer Account

When the secure channel fails, you must reset it. Many administrators do so by removing the computer from the domain, putting it in a workgroup, and then rejoining the domain. This is not a good practice because it has the potential to delete the computer account altogether, which loses the computer’s SID and, more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be re-created.

To reset the secure channel between a domain member and the domain, use the Active Directory Users and Computers snap-in, Dsmod.exe, Netdom.exe, or Nltest.exe.
By resetting the account, the computer’s SID remains the same and it maintains its group memberships.

The Active Directory Users and Computers snap-in.
Right-click a computer and choose Reset Account. Click Yes to confirm your choice. The computer will then need to be rejoined to the domain, requiring a reboot. Dsmod Type the command, dsmod computer “Computer DN” –reset
You will have to rejoin the computer to the domain and reboot the computer.

Netdom Type the command netdom reset MachineName /domain DomainName / UserO UserName /PasswordO {Password | *} where the credentials belong to the local Administrators group of the computer. This command resets the secure channel by attempting to reset the password on both the computer and the domain, so it does not require rejoining or rebooting.

Nltest On the computer that has lost its trust, type the command nltest /server:Server Name /sc_reset:DOMAIN\DomainController, for example, nltest /server:FS1 / sc_reset:es-net\DC01.

This command, like Netdom.exe, attempts to reset the secure channel by resetting the password both on the computer and in the domain, so it does not require rejoining or rebooting.

Because Nltest.exe and Netdom.exe reset the secure channel without requiring a reboot, try those commands first. Only if not successful should you use the Reset Account command or Dsmod to reset the computer account.

If a computer account’s group memberships and SID, and the permissions assigned to that SID, are important to the operations of a domain, you do not want to delete that account. So what would you do if a computer was replaced with a new system with upgraded hardware? This is another scenario in which you would reset a computer account.

Resetting a computer account resets its password but maintains all the computer object’s properties. With a reset password, the account becomes, in effect, available for use. Any computer can then join the domain using that account, including the upgraded system. In effect, you’ve recycled the computer account, assigning it to a new piece of hardware. You can even rename the account. The SID and group memberships remain.