
Chapter 8

WORKING WITH COMPUTER ACCOUNTS

Chapter 8: WORKING WITH COMPUTER ACCOUNTS2

CHAPTER OVERVIEW

Describe the process of adding a computer to an Active Directory domain

Create and manage computer objects

Troubleshoot computer accounts


UNDERSTANDING COMPUTER OBJECTS

Logical representation in Active Directory of the physical computer object

Can be granted permissions to other objects and be subject to group policy

Can be made a member of a group


ADDING COMPUTERS TO A DOMAIN

Step 1: Create a computer account in Active Directory

Step 2: Join the computer to the domain


CREATING COMPUTER OBJECTS

Computer object must exist in Active Directory before computer can be joined to the domain.

Computer object can be created using Active Directory Users and Computers or a command-line tool such as Dsadd.

Computer account can also be created during the domain joining process.


CREATING COMPUTER OBJECTS USING ACTIVE DIRECTORY USERS AND COMPUTERS


CREATING COMPUTER OBJECTS USING DSADD.EXE

Allows computer account creation to be scripted

Provides a mechanism to create large numbers of computer accounts at one time


CREATING COMPUTER OBJECTS USING NETDOM.EXE

Command-line utility

Simpler to use than Dsadd

Must be extracted from the support.cab archive in the \Support\Tools folder on the Windows Server 2003 installation CD


JOINING COMPUTERS TO A DOMAIN


JOINING A DOMAIN USING NETDOM.EXE

Allows computers to be joined to the domain from a command line

Allows scripts to be developed to streamline the process of joining a computer to a domain
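
The two-step process from the earlier slides (create the account, then join), written as a batch script. This is an added example, not part of the original slides; the domain example.com, the OU Workstations, the account EXAMPLE\joinacct and the file names.txt are assumed names.

```batch
@echo off
rem Added example, not from the original slides.
rem Assumed names: domain example.com, OU=Workstations, join account
rem EXAMPLE\joinacct, and names.txt holding one computer name per line.
setlocal
set "TARGET_OU=OU=Workstations,DC=example,DC=com"

rem Step 1 (run by an administrator): create each computer object in a
rem managed OU so that Group Policy applies from the first boot.
for /f "usebackq tokens=1" %%N in ("names.txt") do (
    dsadd computer "CN=%%N,%TARGET_OU%" -desc "Pre-staged by script"
    if errorlevel 1 echo FAILED to create %%N
)
endlocal

rem Step 2 (run on each client): join the computer to the domain.
rem /passwordd:* prompts for the password so it is not stored in the script.
rem netdom join %COMPUTERNAME% /domain:example.com /userd:EXAMPLE\joinacct /passwordd:* /reboot:30
```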


CREATING COMPUTER OBJECTS WHILE JOINING THE DOMAIN


JOINING A DOMAIN DURING OPERATING SYSTEM INSTALLATION


LOCATING COMPUTER OBJECTS

The Computers container

The Domain Controllers OU


LOCATING DOMAIN CONTROLLER COMPUTER OBJECTS

Computer accounts for domain controllers are placed in the system-created domain controllers OU by default.

The Default Domain Controllers Policy GPO is applied to the container.


LOCATING OTHER COMPUTER OBJECTS

Nondomain-controller computer accounts are placed in the Computers system-created container by default.

Container does not support group policy


REDIRECTING COMPUTER OBJECTS

Allows an alternative default location for computer accounts to be specified.

Use the Redircmp.exe command-line utility.

Works only on Windows Server 2003 domain functional level.

Can be overridden by explicit computer account creation commands.
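
Because the default Computers container does not support group policy, accounts left there receive no OU-linked GPOs. The following added example (not part of the original slides) redirects new accounts to an OU and moves the ones already in the default container; the domain example.com and the OU Workstations are assumed names.

```batch
@echo off
rem Added example, not from the original slides.
rem Assumed names: domain example.com and an existing OU=Workstations.
setlocal
set "DEFAULT_CN=CN=Computers,DC=example,DC=com"
set "TARGET_OU=OU=Workstations,DC=example,DC=com"

rem Make the OU the default location for accounts created during a join.
redircmp "%TARGET_OU%"

rem List computer objects still sitting in the default container.
dsquery computer "%DEFAULT_CN%" -limit 0

rem Move each one to the OU. dsquery prints every DN already quoted.
for /f "delims=" %%D in ('dsquery computer "%DEFAULT_CN%" -limit 0') do (
    dsmove %%D -newparent "%TARGET_OU%"
)
endlocal
```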


MANAGING COMPUTER OBJECTS

Computer objects have properties.

Can be viewed and configured through Active Directory Users and Computers


MODIFYING COMPUTER OBJECT PROPERTIES


DELETING, DISABLING, AND RESETTING COMPUTER OBJECTS

Deleting
Removes the computer account from Active Directory

Disabling
Prevents the computer from being used to log on to the domain

Resetting
Reestablishes relationship between a computer and Active Directory


DELETING COMPUTER OBJECTS

Manually through Active Directory Users and Computers

Automatically by changing the domain membership on the computer

Using a command-line tool such as Dsrm


DISABLING COMPUTER OBJECTS


RESETTING A COMPUTER OBJECT

Necessary when replacing or upgrading a computer system

Allows an appropriately named new system to use an existing computer account


MANAGING REMOTE COMPUTERS

Allows you to perform management tasks across the network

Actually a shortcut to the Computer Management MMC snap-in


MANAGING COMPUTER OBJECTS FROM THE COMMAND LINE

Dsmod
Used to modify existing computer account objects

Dsrm
Used to remove computer account objects from Active Directory


MANAGING COMPUTER OBJECT PROPERTIES WITH DSMOD.EXE

Can be used to modify properties of existing computer account objects

Useful for creating scripts and batch files to automate changes

Cannot be used to create or delete computer account objects


DELETING COMPUTER OBJECT PROPERTIES WITH DSRM.EXE

Can be used to delete computer account objects from the command line

Requires confirmation of deletion unless the -noprompt switch is used
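
Dsmod and Dsrm used together to retire a computer account by disabling it first and deleting it later. This is an added example, not part of the original slides; the domain example.com, the computer OLDPC01 and the 90-day threshold are assumptions, and the Dsquery pipeline goes beyond what the slides cover.

```batch
@echo off
rem Added example, not from the original slides.
rem Assumed names: domain example.com and computer OLDPC01.
rem The 90-day threshold is illustrative.
setlocal
set "OLD_DN=CN=OLDPC01,OU=Workstations,DC=example,DC=com"

rem Dsmod changes an existing object: disable the account and record why.
dsmod computer "%OLD_DN%" -disabled yes -desc "Disabled pending removal"

rem Goes beyond the slides: dsquery can feed DNs to dsmod through a pipe.
rem Here, accounts whose password has not changed in 90 days are disabled.
dsquery computer domainroot -stalepwd 90 -limit 0 | dsmod computer -disabled yes

rem Dsrm deletes the object. Without -noprompt it asks for confirmation,
rem which is the safer choice when the command is typed interactively.
dsrm "%OLD_DN%"

rem In an unattended script, -noprompt suppresses the question, so pass
rem only an explicit DN that has already been reviewed.
rem dsrm "%OLD_DN%" -noprompt
endlocal
```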


TROUBLESHOOTING COMPUTER ACCOUNTS: PROBLEMS

Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, or that the trust between the computer and the domain has been lost.

Error messages or entries in an event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed.

A computer account is missing in Active Directory.


TROUBLESHOOTING COMPUTER ACCOUNTS: SOLUTIONS

Reset the computer account in Active Directory.

If the computer account is missing, create a computer account.

If the computer still belongs to the domain, you must remove it from the domain by changing its membership to a workgroup.

Rejoin the computer to the domain.
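
The solution steps above as a batch script, with a secure channel check in front. This is an added example, not part of the original slides; the computer WKSTN01, the domain example.com, the OU Workstations and the account EXAMPLE\admin are assumed names, and the script assumes Netdom returns a nonzero exit code when verification fails.

```batch
@echo off
rem Added example, not from the original slides.
rem Assumed names: computer WKSTN01, domain example.com, OU=Workstations,
rem account EXAMPLE\admin. Assumes netdom exits nonzero when a check fails.
setlocal
set "PC=WKSTN01"
set "DOM=example.com"
set "PC_DN=CN=%PC%,OU=Workstations,DC=example,DC=com"

rem Confirm the symptom: test the secure channel to the domain.
netdom verify %PC% /domain:%DOM%
if not errorlevel 1 (
    echo Secure channel OK, nothing to repair.
    goto :eof
)

rem Find the account. dsquery prints nothing when no object matches.
set "FOUND="
for /f "delims=" %%D in ('dsquery computer domainroot -name %PC%') do set "FOUND=%%~D"

if defined FOUND (
    rem Account exists: reset it in Active Directory.
    dsmod computer "%FOUND%" -reset
) else (
    rem Account is missing: create it again.
    dsadd computer "%PC_DN%"
)

rem Then, on the affected computer: leave the domain for a workgroup,
rem restart, and rejoin. /passwordd:* prompts instead of storing a password.
rem netdom remove %PC% /domain:%DOM% /userd:EXAMPLE\admin /passwordd:* /reboot
rem netdom join %PC% /domain:%DOM% /userd:EXAMPLE\admin /passwordd:* /reboot
endlocal
```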


SUMMARY

A computer object represents a specific system on the network.

To add a computer to a domain, you must create a computer object for it in Active Directory and then join the physical computer to the object.

To create computer objects, you can use the Active Directory Users and Computers console, the Dsadd utility, or the Netdom utility.


SUMMARY (continued)

Computer objects for nondomain controllers are placed in the Computers container by default.

Computer objects have a SID that Active Directory uses to reference the computer in its group memberships and other permissions.

The typical steps for troubleshooting a computer object problem include creating or resetting the object, removing the computer from the domain, and rejoining it to the domain.
