
Active Directory

Module 5: Managing Computer Accounts

Module Overview

Create Computers and Join the Domain
Administer Computer Objects and Accounts
Perform an Offline Domain Join

Create Computers and Join the Domain

Workgroups, Domains, and Trusts
Requirements for Joining a Computer to the Domain
The Computers Container and Organizational Units
Prestage a Computer Account
Join a Computer to the Domain
Secure Computer Creation and Joins
Automate Computer Account Creation
Import Computers with CSVDE
Import Computers with LDIFDE
Create Computer Accounts with DSAdd and PowerShell
Create and Join Computers with NetDom and PowerShell

Workgroups, Domains, and Trusts

In a workgroup, SAM is the authority for authentication
  Identity is local to each computer

In a domain, Active Directory is the authority for authentication
  Computers have a "trust relationship" with the domain

Requirements for Joining a Computer to the Domain

You must have permissions to the computer object that allow you to join a computer to the domain
You must be a member of the local Administrators group on the computer to change its domain or workgroup membership
A computer object should exist in the directory service
  If it does not already exist, you must also have permission to create a computer account in the domain

The Computers Container and Organizational Units

The default Computers container is a container, not an organizationalUnit object
  Cannot link GPOs to a container
  Cannot create sub-OUs in a container

Best practice is to create OUs for computer objects
  Servers
    Typically subdivided by server role
  Client computers
    Typically subdivided by region
  Divide OUs based first on administration, then to facilitate configuration with Group Policy

Prestage a Computer Account

Prestage (pre-create) a computer in the correct OU
  Right-click the OU and choose New Computer
  Computer Name and Computer Name (Pre-Windows 2000) should be the same
  The User or group box delegates permissions to the specified account to join the computer to the domain

Join a Computer to the Domain

The System Properties dialog box or window
  Prompts for domain credentials
  Requires restart

Secure Computer Creation and Joins

Prestage computer objects in the correct OUs
  Computer is in the correct OU and does not require moving
  Group Policy applies to the computer immediately after joining the domain
  Tighter security of computer OU and Computers container

Configure the default computer container
  redircmp "DN of OU for new computer objects"

Restrict the ability of users to create computers
  By default, any user can join 10 machines to the domain
    Requires no prestaging
  Change the ms-DS-MachineAccountQuota value to 0

Delegate to appropriate groups the permission to create computer objects in the appropriate OUs
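The three hardening steps on this slide (redirect the default container, set the quota to 0, delegate creation to a group) and a check for accounts that were joined under the old default, as an added PowerShell example. It is not part of the course material; it assumes the ActiveDirectory RSAT module, rights on the domain naming context, and the OU DN and group name shown are placeholders chosen for the example.

```powershell
# Added example, not from the course deck: audit and tighten the default right of any
# authenticated user to create computer accounts, then find accounts created through it.
# Assumes the ActiveDirectory module and rights on the domain NC head. The OU DN and the
# group name below are placeholders for this example.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Read the current quota; 10 is the out-of-the-box value.
$quotaObj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
Write-Host ("ms-DS-MachineAccountQuota is currently {0}" -f $quotaObj.'ms-DS-MachineAccountQuota')

# 2. Set it to 0 so that only explicitly delegated principals can create computers.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 3. Send new computer objects to a managed OU instead of the Computers container.
$clientOU = 'OU=Client Computers,DC=contoso,DC=com'   # assumed OU DN
redircmp $clientOU

# 4. Delegate "create computer objects" on that OU to one group. dsacls: CC = create child,
#    ";computer" limits it to the computer class, /I:T = this object and all sub-objects.
$joinGroup = 'CONTOSO\Desktop Admins'                 # assumed group
dsacls $clientOU /I:T /G "${joinGroup}:CC;computer"

# 5. Detection: a computer created through the quota carries mS-DS-CreatorSID (the SID of
#    the user who joined it). Prestaged or delegated creations do not set it, so every hit
#    below is a machine that bypassed prestaging and should be reviewed.
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module may hand the value back as a SecurityIdentifier or as raw bytes.
        if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $sid = $raw }
        else { $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0) }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # deleted or foreign account: keep the SID
        [pscustomobject]@{
            Computer    = $_.Name
            Container   = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
        }
    } | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
```

Step 5 is the part worth scheduling: after the quota is 0 the report should stay empty, and any new entry means a principal other than the delegated group created a computer, which is exactly the case the slide's prestaging advice is meant to rule out.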

Automate Computer Account Creation

CSVDE
  Import (create) or export computer accounts
LDIFDE
  Import (create), modify, or export computer accounts
DSAdd
  Create computer accounts and set initial properties
NetDom
  Create computer accounts
  Join machines to domain

Import Computers with CSVDE

CSVDE.exe
  [Diagram: CSVDE.exe imports a file into, and exports from, Active Directory]

csvde -i -f filename [-k]
  -i: Import (default mode is export)
  -k: Continue past errors (such as Object Already Exists)

Include a userAccountControl column (set to 4096) and a sAMAccountName column (set to computername$)

Import Computers with LDIFDE

Lightweight Directory Access Protocol Data Interchange Format (LDIF)
LDIFDE.exe
  [Diagram: LDIFDE.exe imports filename.ldf into, and exports from, Active Directory]

ldifde [-i] [-f filename] [-k]
  -i: Import
    Default mode is export
  -k: Continue past errors
    Object already exists

dn: CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: FILE25
userAccountControl: 4096
sAMAccountName: FILE25$
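The CSVDE and LDIFDE slides both require the same two details (userAccountControl 4096 and a sAMAccountName ending in $), and producing those files by hand is where imports go wrong. The following added PowerShell example, not from the course, generates both file formats for a list of computers and verifies the result; the OU DN and the computer names are constructed for the example.

```powershell
# Added example, not from the course deck: generate CSVDE and LDIFDE input files for
# prestaging several computers, import them, and verify. The OU and the names are
# constructed for this example. userAccountControl 4096 = WORKSTATION_TRUST_ACCOUNT,
# and the sAMAccountName of a computer account must end in "$".
$ouDN  = 'OU=File,OU=Servers,DC=contoso,DC=com'   # assumed target OU
$names = 'FILE26', 'FILE27', 'FILE28'              # constructed sample names

# --- CSV for csvde: the first row names the attributes; the DN column is mandatory ---
$csvRows = foreach ($n in $names) {
    [pscustomobject]@{
        DN                 = "CN=$n,$ouDN"
        objectClass        = 'computer'
        cn                 = $n
        sAMAccountName     = "$n`$"
        userAccountControl = 4096
    }
}
$csvRows | Export-Csv -Path .\computers.csv -NoTypeInformation -Encoding ASCII

# --- LDIF for ldifde: one "changetype: add" record per object, blank line between records ---
$ldifRecords = foreach ($n in $names) {
@"
dn: CN=$n,$ouDN
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: $n
userAccountControl: 4096
sAMAccountName: $n`$

"@
}
Set-Content -Path .\computers.ldf -Value $ldifRecords -Encoding ASCII

# Import (-i) and continue past "object already exists" (-k). Run one or the other;
# both files describe the same objects.
csvde -i -f .\computers.csv -k
# ldifde -i -f .\computers.ldf -k

# Verify: every name should now exist, be enabled, and sit in the intended OU.
foreach ($n in $names) {
    $c = Get-ADComputer -Filter "Name -eq '$n'" -ErrorAction SilentlyContinue
    if (-not $c) { Write-Warning "$n was not created" }
    elseif ($c.DistinguishedName -ne "CN=$n,$ouDN") { Write-Warning "$n landed in $($c.DistinguishedName)" }
    else { Write-Host "$n OK (enabled: $($c.Enabled))" }
}
```

Both files are written as ASCII on purpose: csvde and ldifde read ANSI by default and expect -u for Unicode, and a UTF-8 byte order mark in the header row is a common cause of a failed import that reports no useful error.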

Create Computer Accounts with DSAdd and PowerShell

DSAdd creates objects in Active Directory
  dsadd computer ComputerDN
  ComputerDN: The distinguished name (DN) of the computer
  Multiple values can be provided by:
    Separating ComputerDN ComputerDN ... with a space
    Leaving ComputerDN empty, then entering DNs one at a time followed by ENTER, with CTRL+Z, and then ENTER after the last DN
    Piping a list of DNs from another command, such as DSQuery

In Active Directory Module for PowerShell, use:
  New-ADComputer -SamAccountName DESKTOP123 -Path "OU=Client Computers,DC=contoso,DC=com"

Create and Join Computers with NetDom

Create an account
  netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]

Join the domain (and, if necessary, create an account)
  netdom join MachineName /Domain:DomainName [/OU:"OUDN"] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]

In Active Directory Module for PowerShell:
  Use the Add-Computer cmdlet
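The PowerShell path across the last three slides (New-ADComputer to prestage, Add-Computer to join) leaves out the piece the "User or group" box of the New Computer wizard provides: giving a specific principal only the rights a join needs on that one object, so that no Domain Admins credential has to be typed on the client. The following added example, not from the course, does that in PowerShell; it assumes the ActiveDirectory module, and the computer name, OU DN and group name are placeholders.

```powershell
# Added example, not from the course deck: prestage a computer with New-ADComputer and
# delegate to one group only the rights a domain join needs on that object (Reset Password,
# write Account Restrictions, validated writes to DNS host name and SPN). The GUIDs of those
# rights are looked up in the Extended-Rights container rather than hard-coded.
# Computer name, OU and group are placeholders for this example.
Import-Module ActiveDirectory

$name      = 'DESKTOP123'
$ouDN      = 'OU=Client Computers,DC=contoso,DC=com'   # assumed OU
$joinGroup = Get-ADGroup 'Desktop Join Operators'        # assumed group
$groupSid  = [System.Security.Principal.SecurityIdentifier]$joinGroup.SID

# 1. Prestage the object in the right OU so Group Policy applies at first logon.
New-ADComputer -Name $name -SamAccountName $name -Path $ouDN
$dn = (Get-ADComputer $name).DistinguishedName

# 2. Resolve the rights GUIDs from the configuration NC by their display names.
$configNC = (Get-ADRootDSE).configurationNamingContext
function Get-RightsGuid([string]$displayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                          -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    if (-not $right) { throw "Right '$displayName' not found in Extended-Rights" }
    [guid]$right.rightsGuid
}
$resetPassword   = Get-RightsGuid 'Reset Password'
$accountRestrict = Get-RightsGuid 'Account Restrictions'
$validatedDns    = Get-RightsGuid 'Validated write to DNS host name'
$validatedSpn    = Get-RightsGuid 'Validated write to service principal name'

# 3. Build the four ACEs: an extended right, a property-set write, and two validated writes.
function New-Ace([System.DirectoryServices.ActiveDirectoryRights]$rights, [guid]$objectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $rights, [System.Security.AccessControl.AccessControlType]::Allow, $objectType)
}
$rules = @(
    New-Ace ExtendedRight $resetPassword
    New-Ace WriteProperty $accountRestrict
    New-Ace Self          $validatedDns
    New-Ace Self          $validatedSpn
)

# 4. Apply them to the prestaged object through the AD: drive.
$acl = Get-Acl -Path "AD:\$dn"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$dn" -AclObject $acl

# 5. Review: the group should appear with exactly these entries and nothing broader.
$groupNT = $groupSid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference.Value -eq $groupNT } |
    Select-Object ActiveDirectoryRights, ObjectType | Format-Table -AutoSize

# Client side (run on DESKTOP123 as a member of the delegated group):
# Add-Computer -DomainName contoso.com -OUPath $ouDN -Credential (Get-Credential) -Restart
```

The ACL step is what makes the join credential low-value: it can reset the password of this one computer object and nothing else, which is a much smaller exposure than a cached Domain Admins password on a technician's laptop.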

Administer Computer Objects and Accounts

Configure Computer Attributes
Move a Computer
Computer Accounts and Secure Channel
Recognize Computer Account Problems
Reset a Computer Account
Rename a Computer
Disable and Enable a Computer
Delete and Recycle Computer Accounts

Configure Computer Attributes

Useful attributes
  Description
  Location
    Used by location-aware applications such as Search For Printers
    Example: US/WA/SEA/HQ/Building33/Floor3/D04/1531
  Managed By
    Link to the user who is the primary user of the computer
    Link to the group that is responsible for the computer (servers)
  Member Of
    Groups: Group Policy filtering, software deployment

dsmod computer "ComputerDN" [-desc "Description"] [-loc "Location"]
In PowerShell, use: Set-ADComputer cmdlet

Move a Computer

Using Active Directory Users and Computers
  Drag and drop
  Right-click the computer, and then click Move

dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
  -newname NewName: Used to rename a computer
  -newparent ParentDN: Used to move a computer to the OU specified by ParentDN

Using Windows PowerShell with pipelining:
  Get-ADComputer | Move-ADObject

Computer Accounts and Secure Channel

Computers have accounts
  sAMAccountName and password
  Used to create a secure channel between the computer and a domain controller

Scenarios where a secure channel can be broken
  Reinstalling a computer, even with the same name, generates a new SID and password
  Restoring a computer from an old backup, or rolling back a computer to an old snapshot
  Computer and domain disagree about what the password is

Recognize Computer Account Problems

Logon messages
Event log errors, including keywords such as
  Password
  Trust
  Secure channel
  Relationships with the domain or domain controllers
Missing computer account in Active Directory

Reset a Computer Account

Do not simply remove a computer from the domain and rejoin
  Creates a new account: new SID, lost group memberships

Options for resetting the secure channel
  Active Directory Users and Computers
    Right-click the computer, and then click Reset Account
    Requires the computer to rejoin the domain and restart
  DSMod
    dsmod computer ComputerDN -reset
  NetDom
    netdom reset MachineName /domain DomainName /UserO UserName /PasswordO {Password | *}
  NLTest
    nltest /server:ServerName /sc_reset:DOMAIN\DomainController
  Windows PowerShell: Test-ComputerSecureChannel -Repair
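The two preceding slides describe how to recognize a broken secure channel (event log keywords) and how to repair it without the remove-and-rejoin that creates a new SID. As an added PowerShell example, not from the course, the following runs the diagnosis and the in-place repair on the affected client; the seven-day event window is a choice made for the example and the repair credential is prompted for.

```powershell
# Added example, not from the course deck: diagnose and repair a computer's secure channel
# on the client itself. Diagnosis combines Test-ComputerSecureChannel with the System log
# events the slide's keywords point at; repair uses Test-ComputerSecureChannel -Repair so
# the existing account (SID, group memberships) is kept. The 7-day window is arbitrary.

function Test-SecureChannelHealth {
    # Returns one object: channel state plus the recent Netlogon/trust-related events.
    try   { $healthy = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { $healthy = $false }   # no DC reachable counts as unhealthy for our purposes

    $since  = (Get-Date).AddDays(-7)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2, 3; StartTime = $since } `
                           -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ProviderName -eq 'NETLOGON' -or
            $_.Message -match 'secure channel|trust relationship|domain controller|password'
        } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Domain       = $env:USERDNSDOMAIN
        Healthy      = $healthy
        RelatedEvent = $events
    }
}

function Repair-SecureChannel {
    param([Parameter(Mandatory)][pscredential]$Credential)
    # -Repair resets the machine account password on both the client and the DC and
    # rebuilds the channel in place; nothing is deleted or recreated in the directory.
    $repaired = Test-ComputerSecureChannel -Repair -Credential $Credential -ErrorAction Stop
    if (-not $repaired) { throw 'Repair reported failure; check that the computer object exists and is enabled' }
    # Re-test rather than trusting the return value alone.
    [bool](Test-ComputerSecureChannel)
}

# Usage: report first, repair only when the channel is actually broken.
$state = Test-SecureChannelHealth
$state | Format-List Computer, Domain, Healthy
$state.RelatedEvent | Format-Table -AutoSize
if (-not $state.Healthy) {
    $cred = Get-Credential -Message 'Account allowed to reset this computer object'
    Repair-SecureChannel -Credential $cred
}
```

If the repair fails because the object is missing from Active Directory (the last item on the Recognize slide), -Repair cannot help; that is the one case where a prestaged object and a fresh join are required, and where group memberships will need to be restored by hand.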

Rename a Computer

Use System Properties of the computer to rename the computer and its account correctly
NetDom
  netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
Windows PowerShell: Rename-Computer
Be cautious of the impact that renaming can have on services and on certificates associated with the computer's name

Disable and Enable a Computer

Disable a computer if it will be offline for an extended time
  Similar to disabling a user who is on a leave of absence
  Prevents the secure channel from being established, so users who do not have cached credentials on the computer cannot log on

Active Directory Users and Computers
  Right-click the computer, and then click Enable Account or Disable Account
DSMod
  dsmod computer ComputerDN -disabled yes
  dsmod computer ComputerDN -disabled no

Delete and Recycle Computer Accounts

Delete a computer with Active Directory Users and Computers
  Right-click the computer, and then click Delete
Delete a computer with DSRm
  dsrm ObjectDN
Delete destroys the SID and group memberships

When replacing or reinstalling a computer, if the computer will play the same role, reset the computer account instead of deleting it
  Preserves all attributes of the computer, including SID and group memberships
  You can rename the object if the computer is being renamed during reinstallation/upgrade
  This recycles the computer account
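The Disable and Delete slides together describe a lifecycle: disable what is offline, recycle (reset) what is reinstalled, and delete only when the SID and memberships are truly no longer wanted. The following added PowerShell example, not from the course, applies that lifecycle to stale computer accounts in a report-first way; the 90- and 60-day thresholds, the holding OU and the description tag are choices made for the example.

```powershell
# Added example, not from the course deck: stale computer account lifecycle that follows the
# slides' advice, disable and park rather than delete, so the SID and group memberships
# survive if the machine returns or is reinstalled in the same role. Thresholds, the holding
# OU and the description tag are choices made for this example. Everything runs with -WhatIf
# until the operator removes it.
Import-Module ActiveDirectory

$inactiveDays  = 90
$retentionDays = 60
$holdingOU     = 'OU=Disabled Computers,DC=contoso,DC=com'   # assumed OU
$tag           = 'Disabled by lifecycle script on {0:yyyy-MM-dd}' -f (Get-Date)

# 1. Candidates: enabled computers with no logon for $inactiveDays. Search-ADAccount uses
#    lastLogonTimestamp, which replicates with up to 14 days of slack, so keep the threshold
#    well above that.
$stale = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan ([TimeSpan]::FromDays($inactiveDays)) |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Get-ADComputer -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet, MemberOf, Description
    }

# 2. Report before acting: which machines, how long, and how many memberships would be lost
#    if someone deleted instead of disabling.
$stale | Select-Object Name, LastLogonDate, PasswordLastSet,
        @{ n = 'Groups';    e = { $_.MemberOf.Count } },
        @{ n = 'Container'; e = { $_.DistinguishedName -replace '^CN=[^,]+,', '' } } |
    Sort-Object LastLogonDate | Format-Table -AutoSize

# 3. Disable, record why, and move to the holding OU. The object and its SID stay intact.
foreach ($c in $stale) {
    Disable-ADAccount -Identity $c -WhatIf
    Set-ADComputer    -Identity $c -Description $tag -WhatIf
    Move-ADObject     -Identity $c -TargetPath $holdingOU -WhatIf
}

# 4. Recycle path for a machine being reinstalled in the same role: re-enable and reset the
#    account (dsmod -reset, as on the Reset slide) instead of deleting and recreating it.
function Restore-ParkedComputer([string]$Name, [string]$TargetOU) {
    $c = Get-ADComputer $Name
    Enable-ADAccount -Identity $c
    Move-ADObject    -Identity $c -TargetPath $TargetOU
    Set-ADComputer   -Identity $c -Description "Recycled on $(Get-Date -Format yyyy-MM-dd)"
    dsmod computer (Get-ADComputer $Name).DistinguishedName -reset
}

# 5. Delete only what has sat disabled in the holding OU beyond the retention period.
Get-ADComputer -SearchBase $holdingOU -Filter { Enabled -eq $false } -Properties whenChanged |
    Where-Object { $_.whenChanged -lt (Get-Date).AddDays(-$retentionDays) } |
    Remove-ADComputer -WhatIf
```

Step 2 is the point of the script: seeing the Groups column next to each candidate makes the cost of a delete visible before anyone chooses it over a disable.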

Offline Domain Join

What Is an Offline Domain Join?
Process for Performing an Offline Domain Join
Demonstration: Perform an Offline Domain Join

What Is an Offline Domain Join?

An Offline Domain Join allows a client to fully achieve a domain-joined state without ever having communicated with a domain controller
A trust relationship between a computer and a domain is established as soon as the network connection with a domain controller is established
Requirements
  No forest or domain functional level requirement
  No Windows Server 2008 R2 DCs required
  The computer being joined must be a Windows 7 client or a Windows Server 2008 R2 member

w w t . w c e n h c o r o . p o c . n i

Process for Performing an Offline Domain Join

1. If a nonadministrator is performing the offline domain join, appropriate rights must be delegated
2. Run the djoin /provision /domain contoso.com /machine DESKTOP123 /savefile C:\desktop123.txt command to provision the computer account object and create the blob file
3. Transfer the blob file with domain information to the client computer's system hard drive
4. djoin /requestODJ /loadfile desktop123.txt /windowspath %SystemRoot% (/localos)
5. Restart the client computer
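The five steps above as two PowerShell functions, one per side, with the handling the blob file needs: it carries the new machine account's password, so it is written to a restricted folder, ACL'd to the provisioning user, and removed once consumed. This is an added example, not course material; the domain, OU, machine name and paths are placeholders, and /machineou is the djoin switch that places the account in a specific OU rather than the domain default used on the slide.

```powershell
# Added example, not from the course deck: the two halves of an offline domain join as
# functions, with checks around the blob file. The blob holds the machine account password,
# so it is treated as a secret. Domain, OU, machine name and paths are placeholders.

# ---------- Provisioning side: runs on a domain member with rights on the target OU ----------
function New-OdjBlob {
    param(
        [Parameter(Mandatory)][string]$Machine,
        [string]$Domain    = 'contoso.com',
        [string]$MachineOU = 'OU=Client Computers,DC=contoso,DC=com',
        [string]$OutDir    = 'C:\odj'
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $blob = Join-Path $OutDir "$Machine.txt"

    # Step 2 of the slide, plus /machineou so the object is prestaged in the right OU.
    # Add /reuse only when deliberately re-provisioning an account that already exists.
    djoin /provision /domain $Domain /machine $Machine /machineou $MachineOU /savefile $blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # Remove inherited NTFS rights; only the provisioning user may read the blob.
    $me = "${env:USERDOMAIN}\${env:USERNAME}"
    icacls $blob /inheritance:r /grant:r "${me}:(R)" | Out-Null
    Get-Item $blob
}

# ---------- Client side: runs elevated on the not-yet-joined machine (steps 4 and 5) ----------
function Complete-OdjJoin {
    param(
        [Parameter(Mandatory)][string]$BlobPath,
        [switch]$Restart
    )
    if (-not (Test-Path $BlobPath)) { throw "Blob $BlobPath not found" }

    # /localos applies the join to the running OS; /windowspath names that installation.
    djoin /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

    # The blob has served its purpose; do not leave the account password on disk.
    Remove-Item $BlobPath -Force
    if ($Restart) { Restart-Computer -Force }
}

# Usage, each half on its own machine (step 3, the transfer, happens out of band):
# New-OdjBlob -Machine DESKTOP123
# Complete-OdjJoin -BlobPath C:\odj\DESKTOP123.txt -Restart
```

djoin's exit code is the only success signal either side gets, which is why both functions check $LASTEXITCODE instead of assuming the file write or the join went through.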

Demonstration: Perform an Offline Domain Join

In this demonstration, your instructor will show you how to perform an Offline Domain Join
