Chapter 8. Computer Objects

Introduction

As far as Active Directory is concerned, computers are very similar to users. In fact, computer objects inherit directly from the user object class, which is used to represent user accounts. This means that computer objects possess all of the attributes of user objects and then some. Computers need to be represented in Active Directory for many of the same reasons users do, including the need to access resources securely, utilize GPOs, and have permissions assigned to them.

To participate in a domain, computers need a secure channel to a domain controller. A secure channel is an authenticated connection that can transmit encrypted data. To set up the secure channel, a computer must present a password to a domain controller. Similar to the way in which it authenticates a user account, Active Directory will use Kerberos authentication to verify the identity of a computer account. Without the computer object and, by association, the password stored with it that the operating system changes behind the scenes on a regular basis, there would be no way for the domain controller to verify a computer is what it claims to be.

The Anatomy of a Computer

The default location for computer objects in a domain is the cn=Computers container located directly off the domain root. You can, however, create computer objects anywhere in a domain. You can also modify the default location for computer objects as described in Modifying the Attributes of a computer Object. Table 8-1 contains a list of some of the interesting attributes that are available on computer objects.

Table 8-1. Attributes of computer objects

Attribute

Description

cn

Relative distinguished name of computer objects.

dnsHostName

Fully qualified DNS name of the computer.

lastLogonTimestamp

The approximate timestamp of the last time the computer logged in to the domain.

managedBy

The distinguished name (DN) of the user or group that manages the computer.

memberOf

List of DNs of the groups the computer is a member of.

msDS-AuthenticatedToAccountList

This attribute was introduced in Windows Server 2008. It is a backlink attribute that identifies users who have successfully authenticated to a full DC via a particular RODC.

msDS-IsPrimaryComputerFor

This attribute was introduced in Windows Server 2012. It indirectly identifies the primary user of a computer.

msDS-RevealedUsers

This attribute was introduced in Windows Server 2008. It identifies the list of users and computers whose secrets have been replicated to an RODC.

operatingSystem

Text description of the operating system running on the computer. See Finding Computers with a Particular OS for more information.

operatingSystemHotFix

Currently not being used, but will hopefully be populated at some point.

operatingSystemServicePack

Service pack version installed on the computer. See Finding Computers with a Particular OS for more information.

operatingSystemVersion

Numeric version of the operating system installed on the computer. See Finding Computers with a Particular OS for more information.

pwdLastSet

Large integer that can be translated into the last time the computer’s password was set. See Resetting a Computer Account for more information.

sAMAccountName

NetBIOS-style name of the computer. This is typically the name of the computer with a $ at the end.

userAccountControl

Account flag that defines various account properties. In the case of a computer object, this specifies whether the computer is a member computer or a domain controller.

Creating a Computer

Problem

You want to create a computer account.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the left pane, click to highlight the desired domain.

  3. In the right pane, click New and then click Computer.

  4. Type a name for the computer, fill in the desired optional fields, and then click OK to create the computer object.

Using a command-line interface

You can create a computer object using either the built-in DSAdd utility or AdMod. To create an account using DSAdd, use the following syntax:

> dsadd computer "<ComputerDN>" -desc "<Description>"

To create a computer account using AdMod, enter the following:

> admod -b "<ComputerDN>" objectclass::computer↵
  sAMAccountName::<ComputerName>$ userAccountControl::4096↵
  description::"<Description>" -add

Using PowerShell

To create a computer account using PowerShell, use the new-ADComputer cmdlet as follows:

New-ADComputer -Name "<ComputerName>" -SamAccountName "<SamAccountName>"↵
 -Path <OU DN>

Discussion

Creating a computer object in Active Directory is not much different from creating a user object. We set the description attribute in the CLI solutions, but it is not a mandatory attribute. The only mandatory attribute is sAMAccountName, which should be set to the name of the computer with a $ appended. Note that ADAC and ADUC will both populate the sAMAccountName automatically based on the name given to the computer during the creation process. Also note that these solutions simply create a computer object. This does not mean any user can join a computer to the domain with that computer account. For more information on creating a computer object and allowing a specific user or group to join the computer to the domain, see Creating a Computer for a Specific User or Group.

See Also

Creating a Computer for a Specific User or Group for creating a computer for a user; “New-ADComputer”; MSDN: ADS_USER_FLAG_ENUM

Creating a Computer for a Specific User or Group

Problem

You want to create a computer account for a specific user or group to join to the domain. This requires setting permissions on the computer account so that the user or group can modify certain attributes.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the left pane, click to highlight the desired domain.

  3. In the right pane, click New and then click Computer.

  4. Type a name for the computer and fill in the desired optional fields.

  5. In the top-right corner of the Computer section, click the Change button near the text that says, “The above user or group can join this computer to a domain.”

  6. Use the Object Picker to select a user or group to join the computer to the domain and then click OK.

  7. Click OK to create the computer object.

Using a command-line interface

In the following solution, replace <ComputerDN> with the distinguished name of the computer object and <UserOrGroup> with the user principal name or NT-style name of a user or group you want to manage the computer:

> dsadd computer <ComputerDN>
> dsacls <ComputerDN> /G <UserOrGroup>:CALCGRSDDTRC;;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;description;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;sAMAccountName;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;displayName;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;userAccountControl;
> dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to service↵
 principalname";
> dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to DNS host name";

Note

You can replace the first line of this code with the AdMod code from Creating a Computer if you choose.

Discussion

By default, members of the Authenticated Users group can join up to 10 computers to an Active Directory domain. If you’ve modified this default behavior or need to allow a user to add computers to the domain on a regular basis, you need to grant certain permissions so that the user has rights to modify the computer object. When you create a computer via ADAC or the ADUC snap-in (dsa.msc), you have the option to select a user or group to manage the computer object and join a computer to the domain using that object. When you use that method, eight ACEs are added to the ACL of the computer object. They are:

  • List Contents, Read All Properties, Delete, Delete Subtree, Read Permissions, All Extended Rights (i.e., Allowed to Authenticate, Change Password, Send As, Receive As, Reset Password)

  • Write Property for description

  • Write Property for sAMAccountName

  • Write Property for displayName

  • Write Property for Logon Information

  • Write Property for Account Restrictions

  • Validated write to DNS hostname

  • Validated write for service principal name

Using a graphical user interface

If you want to modify the default permissions that are applied when you select a user or group through the GUI, double-click on the computer object after you’ve created it and go to the Security tab. For the Security tab to be visible, you have to select View→Advanced Features.

Using a command-line interface

With the dsacls utility, you can specify either a UPN (user@domain) or a down-level-style (DOMAINuser) account name when applying permissions. Also, dsacls requires that the displayName of the attribute, property set, or extended right you are setting the permission on be used instead of the lDAPDisplayName, as you might expect. That is why we had to use “Validated write to service principal name,” which is the displayName for the Validated-SPN controlAccessRight object, with the ACE for the SPN-validated write. dsacls is also case-sensitive, so be sure to specify the correct case for the words in the displayName.

See Also

Creating a Computer for creating a computer account

Deleting a Computer

Problem

You want to delete a computer account.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the right pane, type the name of the computer in the Global Search box, select the desired domain in the scope, and then click the search icon.

  3. In the search results, right-click the name of the computer and then click Delete.

  4. In the Delete Confirmation dialog box, click Yes to complete the deletion of the computer object.

Using a command-line interface

You can delete a computer using the built-in dsrm utility, as well as AdMod. For dsrm, use the following syntax:

> dsrm "<Computer DN>"

For AdMod, enter the following:

> admod -b "<Computer DN>" -del

Using PowerShell

To delete an object using PowerShell, use the following syntax:

Remove-ADComputer -Identity "<Computer DN>" -Confirm:$False

Joining a Computer to a Domain

Problem

You want to join a computer to a domain after the computer object has already been created in Active Directory.

Solution

Using a graphical user interface (steps specific to Windows 7, Windows 8, and Windows Server 2012)

  1. Log on to the computer that you want to join to the domain, and then open the Control Panel.

  2. Open the System applet.

  3. In the “Computer name, domain, and workgroup settings section,” click “Change settings.”

  4. Click the Change button.

  5. Under “Member of,” select Domain.

  6. Enter the domain name that you want to join and click OK.

  7. You may be prompted to enter credentials in order to join the computer to the domain.

  8. Reboot the computer.

Using a command-line interface

> netdom join <ComputerName> /Domain <DomainName> /UserD <DomainUserUPN>↵
/PasswordD * /UserO <ComputerAdminUser> /PasswordO * /Reboot

Using a command-line interface with PowerShell

Add-Computer -DomainName <DomainName> -Restart

Discussion

When trying to add a computer to Active Directory, either you can pre-create the computer object as described in Recipes and before joining it to the domain, or you can perform both operations at the same time.

Using a graphical user interface

If you have the correct permissions in Active Directory, you can actually create a computer object at the same time as you join it to a domain via the instructions described in the GUI solution. Since the System applet doesn’t allow you to specify an OU for the computer object, if it needs to create a computer object it will do so in the default Computers container. See Changing the Default Container for Computers for more information on the default Computers container and how to change it.

Using a command-line interface

The netdom command will attempt to create a computer object for the computer during a join if one does not already exist. An optional /OU switch can be added to specify the OU in which to create the computer object.

You can unjoin a computer from a domain at the command line by using unjoin.exe, another free download from the joeware website. unjoin.exe will not remove the computer account from the Active Directory domain; it will merely change the domain membership locally on the machine itself.

See Also

Add-Computer cmdlet reference

Moving a Computer Within the Same Domain

Problem

You want to move a computer object to a different container or OU within the same domain.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Beside Find, select Computers.

  5. Type the name of the computer and click Find Now.

  6. In the Search Results window, right-click on the computer and select Move.

  7. Browse to and select the new parent container or OU.

  8. Click OK.

Note

You can also use drag-and-drop functionality to move computers and other objects.

Using a command-line interface

You can move a computer object to a new container using the built-in DSMove utility or AdMod. To use DSMove, enter the following syntax:

> dsmove "<ComputerDN>" -newparent "<NewParentDN>"

To move a computer object using AdMod, use the following:

> admod -b "<ComputerDN>" -move "<NewParentDN>"

Using PowerShell

To move an Active Directory computer account using PowerShell, use the following syntax:

Move-ADObject -Identity "<ComputerDN>" -TargetPath "<NewParentDN>"

Discussion

You can move computer objects around a domain without much impact on the computer itself. You just need to be cautious of the security settings on the new parent OU, which may impact a user’s ability to manage the computer object in Active Directory. Also, if GPOs are used differently on the new parent, it could impact booting and logon times, and how the computer’s operating system behaves after a user has logged on.

See Also

Moving an Object to a Different OU or Container for moving an object to a different OU; Moving a Computer to a New Domain for moving a computer to a different domain

Moving a Computer to a New Domain

Problem

You want to move a computer object to a different domain.

Solution

Using a graphical user interface (ADMT 3.2)

To migrate a computer object between domains, use the following steps:

  1. Open the ADMT MMC snap-in (migrator.msc).

  2. Right-click on the Active Directory Migration Tool folder and select the Computer Migration Wizard.

  3. On the Welcome screen, click Next.

  4. On the Domain Selection page, enter the DNS or NetBIOS name of the source and target domains. Click Next.

  5. On the Computer Selection Option screen, select the option to select the computer from the domain and then click Next.

  6. On the Computer Selection screen, click Add and use the object picker to select a computer object. Click OK to return to the Computer Selection screen and then click Next.

  7. On the Organizational Unit Selection screen, enter the destination OU in the new domain and then click Next.

  8. On the Translate Objects screen, specify which objects should have new ACLs applied in the new domain. Select any, none, or all of the following, and then click Next to continue:

    • Files and folders

    • Local groups

    • Printers

    • Registry

    • Shares

    • User profiles

    • User rights

  9. On the Computer Options screen, click Next to maintain the default reboot time of 5 minutes.

  10. On the Object Property Exclusion screen, select any object properties that you do not want to migrate and then click Next.

  11. On the Conflict Management screen, click Next to accept the default, which will not migrate the computer if there is a conflict.

  12. On the Completing the Computer Migration Wizard screen, review the migration settings and then click Finish to complete the move.

Using a command-line interface

The following command migrates a computer object from the adatum.com domain to the emea.adatum.com domain. It will place the migrated object in the Finance OU and will wait two minutes before rebooting the target computer:

ADMT COMPUTER /IF /N "FIN101-A" "FIN101-A" /SD:"adatum.com"↵
/TD:"emea.adatum.com"
/TO:"Finance" /RDL:2

Discussion

You can move objects between domains assuming you follow a few guidelines:

  • The user requesting the move must have permission to modify objects in the parent container of both domains.

  • You should explicitly specify the target DC (serverless binds usually do not work). This is necessary because the Cross Domain Move LDAP control is being used behind the scenes. (For more information on controls, see Using LDAP Controls.)

  • The move operation must be performed against the RID master for both domains. This is done to ensure that two objects that are being moved simultaneously don’t somehow get assigned the same RID.

Renaming a Computer

Problem

You want to rename a computer.

Solution

Using a graphical user interface (steps specific to Windows 7, Windows 8, and Windows Server 2012)

  1. Log on to the computer either directly or with a remote console application, such as Remote Desktop Connection.

  2. Open the Control Panel and double-click on the System applet.

  3. In the “Computer name, domain, and workgroup settings section,” click the Change Settings button.

  4. On the Computer Name tab, click Change.

  5. Under Computer Name, type the new name of the computer and click OK until you are out of the System applet.

  6. Reboot the computer.

Using a command-line interface

You can rename a computer object by using the built-in netdom utility with the following syntax:

> netdom renamecomputer <ComputerName> /NewName <NewComputerName>↵
/UserD<DomainUserUPN> /PasswordD * /UserO <ComputerAdminUser> /PasswordO *↵
 /Reboot

Using PowerShell

You can rename a computer by using PowerShell. After running the following command on the computer that will be renamed, reboot the computer to complete the process.

Rename-Computer <NewComputerName>

Discussion

Renaming a computer consists of two operations: renaming the computer object in Active Directory and renaming the hostname on the machine itself. To do it in one step—an option that each of the three solutions offers—you must have permission in Active Directory to rename the account and administrator permissions on the target machine. For the rename operation to be complete, you must reboot the computer.

Warning

In some cases, renaming a computer can adversely affect services running on the computer. For example, you cannot rename a machine that is a domain controller, Exchange Server, or a Windows Certificate Authority without taking additional (and often significant) steps and precautions.

Using a graphical user interface

After you rename the computer, you will be prompted to reboot. You can cancel if necessary, but you’ll need to reboot at some point to complete the rename operation.

Using a command-line interface

The renamecomputer option in netdom can run remotely and includes a /Reboot switch that allows you to automatically reboot the computer after the rename is complete.

See Also

Renaming an Object for renaming objects; “Netdom renamecomputer”

Adding or Removing a Computer Account from a Group

Problem

You want to add or remove a computer account from an Active Directory security group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, browse to the parent container of the objects you want to modify.

  4. In the right pane, highlight each object you want to modify, right-click, and select Properties.

  5. On the “Member of” tab, click Add.

  6. Click the group to which you want to add the computer, and then click Add. To add the computer to more than one group, press Ctrl while selecting the groups you want to add the computer to, and then click Add.

  7. To remove a group, select the group object and click Remove.

  8. Click OK to finish.

Using a command-line interface

To add a computer object to a group, use the following syntax:

> admod -b "<GroupDN>" member:+:"<ComputerDN>"

Note

To remove an object, replace :+: with :-: in the previous syntax.

Using PowerShell

To add a computer account to a group using PowerShell, use the following syntax:

Add-ADGroupMember -Identity "<GroupDN>" -Members "<ComputerDN>"

Discussion

In Active Directory, both user and computer objects are security principals that can be assigned rights and permissions in a domain. As such, computer objects can be added to or removed from group objects to make for simpler resource administration. You can make this change through ADAC, ADUC, or ADSI Edit, or by manually editing the member attribute of the appropriate group object.

See Also

MSDN: NT-Group-Members attribute [AD Schema]; MSDN: Member Attribute [AD Schema]

Testing the Secure Channel for a Computer

Problem

You want to test the secure channel of a computer.

Solution

Using a command-line interface

> nltest /server:<ComputerName> /sc_query:<DomainName>

Using PowerShell

Test-ComputerSecureChannel -Server <ComputerName> -Verbose

Discussion

Every member computer in an Active Directory domain establishes a secure channel with a domain controller. The computer’s password is stored locally in the form of an LSA secret and in Active Directory. The NetLogon service uses this password to establish the secure channel with a domain controller. If for some reason the LSA secret and computer password become out of sync, the computer will no longer be able to authenticate in the domain. The nltest /sc_query command can query a computer to verify its secure channel is working. Here is sample output from the command when things are working:

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \dc1.adatum.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

If a secure channel is failing, you’ll need to reset the computer as described in Resetting a Computer Account. Here is sample output when things are not working:

Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

Using PowerShell

If the –Verbose parameter is not specified, the command only returns True when the secure channel is working properly. By specifying verbose output, the command returns “The secure channel between ‘Client Computer’, ‘Domain Controller’, and ‘Domain Name’ is alive and working correctly.”

See Also

Resetting a Computer Account for resetting a computer

Resetting a Computer Account

Problem

You want to reset a computer because its secure channel is failing.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Beside Find, select Computers.

  5. Type the name of the computer and click Find Now.

  6. In the Search Results window, right-click on the computer and select Reset Account.

  7. Click Yes to confirm the reset.

  8. Click OK.

  9. Rejoin the computer to the domain.

Using a command-line interface

You can use the DSMod utility to reset a computer’s password. You will need to rejoin the computer to the domain after doing this:

> dsmod computer "<ComputerDN>" -reset

Another option is to use the netdom command, which can reset the secure channel between the computer and the domain controller without affecting the computer’s password, so that you do not need to rejoin it to the domain:

> netdom reset <ComputerName> /Domain <DomainName> /UserO <UserUPN> /PasswordO *

You can also use the nltest command to reset a secure channel using the following syntax:

> nltest /sc_reset:<DomainName><DCName>

Using PowerShell

To reset the local computer’s secure channel by using PowerShell, run the following command:

Test-ComputerSecureChannel -Repair

Discussion

When you’ve identified that a computer’s secure channel has failed, you’ll need to reset the computer object, which consists of setting the computer object password to the name of the computer. This is the default initial password for new computers. Every 30 days, Windows computers automatically change their passwords in the domain. After you’ve set the password, you’ll need to rejoin the computer to the domain since it will no longer be able to communicate with a domain controller due to unsynchronized passwords. However, the netdom reset command and the Test-ComputerSecureChannel command will try to reset the password both on the computer and in Active Directory, which will not necessitate rejoining it to the domain if successful.

From a practical standpoint, you should first attempt to reset the secure channel between the computer and the domain using the netdom, Test-ComputerSecureChannel, or nltest syntax, since doing so will not require you to unjoin and rejoin the computer to the domain; in particular, this will save you from performing the associated reboots involved with rejoining the domain. If resetting the secure channel does not correct the issue you’re facing, you can then resort to resetting the computer’s password.

A new utility from joe Richards, named MachinePwd, is another way to change computer passwords from the command line. See joeware for more detail.

See Also

Joining a Computer to a Domain for joining a computer to a domain

Finding Inactive or Unused Computers

Problem

You want to find inactive computer accounts in a domain.

Solution

Warning

These solutions might apply only to Windows-based machines. Other types of machines—for example, Unix, Mac, and Network Attached Storage (NAS)—that have accounts in Active Directory might not update their login timestamps or passwords, which are used to determine inactivity.

Using a command-line interface

The following query will locate all inactive computers in the current forest:

> dsquery computer forestroot -inactive <NumWeeks>

You can also use domainroot in combination with the -d option to query a specific domain:

> dsquery computer domainroot -d <DomainName> -inactive <NumWeeks>

Or you can target your query at a specific container:

> dsquery computer ou=MyComputers,dc=adatum,dc=com -inactive <NumWeeks>

You can also use the OldCmp joeware utility to create a report of all computer accounts whose passwords are older than a certain number of days (90 by default) by using the following syntax:

> oldcmp -report

Note

To specify an alternate password age with oldcmp, use the –age x switch. You can also use the –llts switch to use the lastLogonTimeStamp attribute to perform the age calculations. (Without this switch, oldcmp will use pwdLastSet by default, which will work against any version of Active Directory in any domain mode.)

Using PowerShell

You can also locate computers that have not been logged on to for a certain amount of time using PowerShell, as shown in the following example that finds computers that have not been logged on to in 60 days:

$DaysSince = (Get-Date).AddDays(-60)
Get-ADComputer -Filter * -Properties LastLogonDate | Where-Object {($_.LastLogonDate -le $DaysSince) -and ($_.Enabled -eq $True) -and ($_.LastLogonDate -ne $NULL)} | Select Name,LastLogonDate

Discussion

Using a command-line interface

The dsquery computer command is very handy for finding inactive computers that have not logged in to the domain for a number of weeks or months. You can pipe the results of the query to the dsrm command-line utility if you want to remove the inactive computer objects from Active Directory in a single command.

You can also use OldCmp to disable inactive accounts, and then either delete them or move them to an alternate OU. OldCmp has a number of safeties built into the utility to prevent you from deleting a large number of computer accounts without meaning to. For example, OldCmp will not delete an account unless it has first been disabled, it will not modify more than 10 objects at a time unless you manually specify a higher limit, and it simply will not do anything at all to a domain controller computer account under any circumstances. Unless you have a requirement for quickly removing unused computer objects, we’d recommend allowing them to remain inactive for at least three months before removing them. If you don’t really care when the objects get removed, use a year (i.e., 52 weeks) to be on the safe side.

See Also

Preventing a User’s Password from Expiring for finding users whose passwords are about to expire; “Find Inactive Users using Powershell” (can be used with the -computersonly switch)

Changing the Maximum Number of Computers a User Can Join to the Domain

Problem

You want to grant users the ability to join more or fewer than 10 computers to a domain. This limit is called the machine account quota.

Solution

Using a graphical user interface

  1. Open the ADSI Edit MMC snap-in (adsiedit.msc) and connect to the Domain Naming Context.

  2. Right-click on the domainDNS object for the domain you want to change and select Properties.

  3. Edit the ms-DS-MachineAccountQuota attribute and enter the new quota value.

  4. Click OK twice.

Using a command-line interface

In the following LDIF code, replace <DomainDN> with the distinguished name of the domain you want to change, and replace <Quota> with the new machine account quota:

dn: <DomainDN>
changetype: modify
replace: ms-DS-MachineAccountQuota
ms-DS-MachineAccountQuota: <Quota>
-

If the LDIF file was named change_computer_quota.ldf, you would then run the following command:

> ldifde -v -i -f change_computer_quota.ldf

You can also make this change using AdMod, as follows:

> admod -b <DomainDN> ms-DS-MachineAccountQuota::<Quota>

Using PowerShell

You can modify the MachineAccountQuota attribute using PowerShell, as follows:

Set-ADDomain -Identity <DomainName> -Replace @{"ms-DS-MachineAccountQuota"="<NewQuota>"}

Discussion

In a default Active Directory installation, members of the Authenticated Users group can add and join up to 10 computer accounts in the default Computers container. The number of computer accounts that can be created is defined in the attribute ms-DS-MachineAccountQuota on the domainDNS object for a domain. The default setting is 10, but you can easily change that to whatever number you want, including 0, via the methods described in this recipe. If you set it to 0, users have to be granted explicit permissions in Active Directory to join computers; refer to Joining a Computer to a Domain for instructions on granting these permissions.

Another method for granting users the right to add computer objects, although not recommended, is via Group Policy. If you grant the “Add workstation to domain” right via Computer Configuration→Windows Settings→Security Settings→Local Policies→User Rights Assignment on a GPO that’s been linked to the Domain Controllers OU, then users will be able to create computer accounts even if they do not have create child permissions on the default Computers container. This is a holdover from Windows NT to maintain backward compatibility and should not be used unless absolutely necessary. In fact, a good security best practice would be to remove this user right from any user or group objects that do not require it.

See Also

Joining a Computer to a Domain for permissions needed to join computers to a domain; MS KB 251335 (Domain Users Cannot Join Workstation or Server to a Domain); “Default limit to number of workstations a user can join to the domain”

Modifying the Attributes of a computer Object

Problem

You want to modify one or more attributes of a computer object.

Solution

Using a graphical user interface

  1. Open the Active Directory Administrative Center.

  2. In the right pane, enter the name of the computer in the Global Search box, select the desired domain in the scope, and then click the search icon.

  3. In the search results, double-click the name of the computer to open the computer properties.

  4. Scroll down to the Extension section and then click the Attribute Editor tab.

  5. Click the attribute that you want to modify and then click the Edit button.

  6. Modify or set the desired value for the attribute and then click OK.

  7. Click OK to finalize the attribute change.

Using a command-line interface

Create an LDIF file called modify_object.ldf with the following contents:

dn: <ComputerDN>
changetype: modify
add: <AttributeName><AttributeName>: <AttributeValue>
-

Then run the following command:

> ldifde -v -i -f modify_object.ldf

To modify an object using AdMod, you’ll use the following general syntax:

> admod -b <ComputerDN> <attribute>:<operation>:<value>

For example, you can add a location to a computer object using the following syntax:

> admod -b cn="Fin101,cn=Computers,dc=adatum,dc=com" location::"Berlin, Germany"

Using PowerShell

The Set-ADComputer cmdlet allows you to set commonly used attributes by using the following syntax:

Set-ADComputer -Identity <ComputerDN> -<ObjectAttribute> "<Value>"

To set attributes that are not supported by the Set-ADComputer cmdlet natively, use the following syntax:

Set-ADComputer -Identity <ComputerDN> -Replace @{<ObjectAttribute>="<Value>"}

Discussion

Like all objects within Active Directory, computer objects have various attributes that can be queried, modified, and deleted during the day-to-day management of your domain. Because computer objects inherit from the user class, they include similar informational attributes to the user objects, as well as attributes that are specific to computer objects, including:

  • Location

  • Description

  • operatingSystemVersion

  • operatingSystemServicePack

  • sAMAccountName

  • pwdLastSet

  • primaryGroupID

Using PowerShell

See the full help file for the Set-ADComputer cmdlet to view the options and detailed usage of the Add, Replace, Clear, and Remove parameters.

See Also

Finding Inactive or Unused Computers for finding inactive or unused computers; Finding Computers with a Particular OS for finding computers with a particular OS; MSDN: Computer System Hardware Classes [WMI]

Finding Computers with a Particular OS

Problem

You want to find computers that have a certain OS version, release, or service pack in a domain.

Solution

Using a graphical user interface

You can perform this search using the Active Directory Users and Computers MMC snap-in, as follows:

  1. Open the ADUC MMC snap-in (dsa.msc).

  2. Right-click on the domain, OU, or container that you wish to search and click Find.

  3. In the Find drop-down box, select Computers.

  4. Click on the Advanced tab. Click on Field and select Operating System.

  5. Select the Condition that you want to search on from one of the following:

    • Starts with

    • Ends with

    • Is (exactly)

    • Is not

    • Present

    • Not present

  6. In the Value field, enter the value that you want to search for, such as “Windows Server 2012 Datacenter.”

  7. Click Find Now.

Using a command-line interface

You can query for computer objects of a particular operating system using either DSQuery or AdFind. To perform the query with DSQuery, use the following syntax:

> dsquery * <DomainDN> -scope subtree -attr "*" -filter "(&(↵
objectcategory=computer)(operatingSystem=Windows Server 2012 Datacenter))"

To use AdFind, enter the following:

> adfind -b <DomainDN> -f  "(&(objectcategory=computer) (operatingSystem=Windows Server 2012 Datacenter))"

Using PowerShell

To search for computers based on operating system version using PowerShell, use the get-ADComputer cmdlet. The following example finds all computers that are running Windows Server 2012 Datacenter without regard for the service pack level:

Get-ADComputer -Filter {OperatingSystem -eq "Windows Server 2012 Datacenter"} | Select Name

The following example searches for all computers that are running Windows Server 2008 R2 Enterprise with Service Pack 1:

Get-ADComputer -Filter {OperatingSystem -eq "Windows Server 2008 R2 Enterprise" -and OperatingSystemVersion -eq "6.1 (7601)"} | Select Name

Discussion

When a computer joins an Active Directory domain, the operating system attributes are updated for the computer object. There are three of these attributes, which can be used in queries to find computers that match certain OS-specific criteria, such as service pack level.

These attributes include the following:

operatingSystem

Descriptive name of the installed operating system—for example, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. The values of this attribute sometimes include special characters such as the copyright symbol, which makes this attribute a poor choice for searching. However, if you know the descriptive name, it can still be a logical choice in a filter.

operatingSystemVersion

Numerical representation of the operating system—for example, 6.1 (7601) and 6.2 (9200). The version corresponds to the current service pack level, if one is installed. For instance, 6.1 (7600) represents Windows Server 2008 R2 without a service pack, while 6.1 (7601) represents Windows Server 2008 R2 with Service Pack 1. Windows Server 2012 is represented by 6.2 (9200).

operatingSystemServicePack

Current service pack level if one is installed—for example, Service Pack 2 and Service Pack 3.

Note

This recipe typically applies only to Windows-based machines. Other types of machines (e.g., Unix) that have accounts in Active Directory might not automatically update their OS attributes, though some newer Unix or Linux-based NAS devices have been configured to do so.

Binding to the Default Container for Computers

Problem

You want to bind to the default container that new computer objects are created in.

Solution

Using a graphical user interface

  1. Open LDP.

  2. From the menu, select Connection→Connect.

  3. For Server, enter the name of a domain controller (or leave it blank to do a serverless bind).

  4. For Port, enter 389.

  5. Click OK.

  6. From the menu, select Connection→Bind.

  7. Enter the credentials of a domain user or accept the default setting and bind as the currently logged on user.

  8. Click OK.

  9. From the menu, select View→Tree.

  10. For the DN, enter:

    <WKGUID=aa312825768811d1aded00c04fd8d5cd,<DomainDN>>

    where <DomainDN> is the distinguished name of a domain.

  11. Click OK.

  12. In the lefthand menu, you can now browse the default Computers container for the domain.

Using a command-line interface

By default, all computer objects created in an Active Directory domain are placed into the built-in Computers container. This default container has a significant limitation, in that you are unable to link Group Policy Objects (GPOs) to the built-in container. If you have one or more GPOs that you wish to apply to all computer objects in your domain, you should modify the default location for computer accounts in AD. You can use the redircmp utility to change this default location, as we will discuss in Changing the Default Container for Computers.

Using PowerShell

$strDomain = "<DomainDNSName>"

Set-Variable ADS_GUID_COMPUTERS_CONTAINER aa312825768811d1aded00c04fd8d5cd

$rootDSE = [ADSI]("LDAP://" + $strDomain + "/RootDSE")
$container = [ADSI]("LDAP://<WKGUID=" + $ADS_GUID_COMPUTERS_CONTAINER + "," +
$rootDSE.defaultNamingContext + ">")
$container.distinguishedName

Discussion

In much the same way that the TCP/IP protocol defines a list of well-known ports that are commonly used by industry applications (TCP ports 20 and 21 for FTP, TCP port 80 for HTTP, and so on), Active Directory defines Well-Known GUIDs that map to container objects that are present in every AD installation. The Domain NC defines the following WKGUIDs:

  • Users

  • Computers

  • System

  • Domain Controllers

  • Infrastructure

  • Deleted Objects

  • Lost and Found

The Configuration NC also defines its own Deleted Objects WKGUID.

For example, the default Computers container has the following WKGUID:

aa312825768811d1aded00c04fd8d5cd

You can use the GUID to bind to the default Computers container in the domain using the following ADsPath:

LDAP://<WKGUID=aa312825768811d1aded00c04fd8d5cd,dc=apac,dc=adatum,dc=com>

The list of well-known objects for a domain is contained in the wellKnownObjects attribute of the domainDNS object for the domain. The wellKnownObjects attribute is multivalued with DNWithBinary syntax. The following is an example of what that attribute looks like for the adatum.com domain:

B:32:AA312825768811D1ADED00C04FD8D5CD:cn=Computers,dc=adatum,dc=com;
B:32:F4BE92A4C777485E878E9421D53087DB:cn=Microsoft,cn=Program
Data,dc=adatum,dc=com;
B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:cn=Program Data,dc=adatum,dc=com;
B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:
cn=ForeignSecurityPrincipals,dc=adatum,dc=com;
B:32:18E2EA80684F11D2B9AA00C04F79F805:cn=Deleted Objects,dc=adatum,dc=com;
B:32:2FBAC1870ADE11D297C400C04FD8D5CD:cn=Infrastructure,dc=adatum,dc=com;
B:32:AB8153B7768811D1ADED00C04FD8D5CD:cn=LostAndFound,dc=adatum,dc=com;
B:32:AB1D30F3768811D1ADED00C04FD8D5CD:cn=System,dc=adatum,dc=com;
B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:ou=Domain Controllers,dc=adatum,dc=com;
B:32:A9D1CA15768811D1ADED00C04FD8D5CD:cn=Users,dc=adatum,dc=com;

Each value has the format of:

B:NumberofBytes:GUID:DistinguishedName

As you can see, the GUID for the first value is the same as the one we used in the ADsPath earlier to bind to the default Computers container.

See Also

Changing the Default Container for Computers for changing the default Computers container; MSDN: Binding to Well-Known Objects Using WKGUID

Changing the Default Container for Computers

Problem

You want to change the container that computers are created in by default.

Solution

Using a graphical user interface

  1. Open LDP.

  2. From the menu, select Connection→Connect.

  3. For Server, enter the name of a domain controller (or leave it blank to do a serverless bind).

  4. For Port, enter 389.

  5. Click OK.

  6. From the menu, select Connection→Bind.

  7. Enter the credentials of a domain user.

  8. Click OK.

  9. From the menu, select Browse→Modify.

  10. For DN, enter the distinguished name of the domainDNS object of the domain you want to modify.

  11. For Attribute, enter wellKnownObjects.

  12. For Values, enter the following:

    B:32:AA312825768811D1ADED00C04FD8D5CD:cn=Computers,<DomainDN>

    where <DomainDN> is the same as the DN you enter for the DN field.

  13. Select Delete for the Operation and click the Enter button.

  14. Go back to the Values field and enter the following:

    B:32:AA312825768811D1ADED00C04FD8D5CD:<NewComputersParent>,<DomainDN>

    where <NewComputersParent> is the new parent container for new computer objects (e.g., ou=Adatum Computers).

  15. Select Add for the Operation and click the Enter button.

  16. Click the Run button.

The result of the operations will be displayed in the right pane of the main LDP window.

Using a command-line interface

> redircmp "<NewParentDN>"

Discussion

Many Active Directory administrators do not use the Computers container within the Domain Naming context as their primary computer repository. One reason is that since it is a container and not an OU, you cannot apply Group Policy Objects to it. If you have another location where you store computer objects, you might want to consider changing the default container used to bind to the Computers container by changing the well-known objects attribute, as shown in this recipe. This can be beneficial if you want to ensure computers cannot sneak into Active Directory without having the appropriate group policies applied to them. While you can also apply GPOs at the site or the domain level, forcing new computers into a particular organizational unit ensures that those computers receive the Group Policy settings that you want them to receive through GPOs linked at the OU level. However, this does not protect you from an administrator (whether intentionally or accidentally) explicitly creating a computer object in the incorrect OU; this only protects you from applications or utilities that do not allow or do not require you to specify an OU when creating the computer.

Note

See Binding to the Default Container for Computers for more information on how well-known objects are specified in Active Directory.

Listing All the Computer Accounts in a Domain

Problem

You want to obtain a list of all computer accounts in an Active Directory domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers MMC snap-in.

  2. Right-click on the domain node and select Find.

  3. In the Find drop-down box, select Computers and click Find Now.

    All computer objects in the domain will be displayed in the Search Results window.

Using a command-line interface

> adfind -default -f objectCategory=computer

Using PowerShell

You can obtain a listing of computer accounts using PowerShell, as shown in the following two examples:

Get-ADComputer -Filter * | Select Name

or

Get-ADObject -Filter {objectCategory -eq "Computer"} | Select Name

Discussion

Using PowerShell

The Get-ADComputer cmdlet simplifies the process of finding computers by removing the need to know about the object class and object category. However, both methods end up with the exact same results.

See Also

Get-ADComputer cmdlet reference; MSDN: Object Class and Object Category [Active Directory]; MSDN: Object-Class Attribute [AD-Schema]

Identifying a Computer Role

Problem

You want to identify the role that a particular computer serves in an Active Directory domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers MMC snap-in (dsa.msc).

  2. Right-click on the domain node and select Find.

  3. In the Find drop-down box, select Computers and click Find Now.

    The role of each computer will be displayed in the Machine Role column in the Search Results window.

Using a command-line interface

> wmic computersystem get domainrole

For a domain controller that holds the PDC Emulator FSMO role, this will return the following output:

DomainRole
5

Note

For a DC that doesn’t hold the PDCe FSMO, this command will return a value of 4.

Using PowerShell

Get-WmiObject Win32_ComputerSystem -ComputerName <ComputerFQDN> -Property Name,DomainRole

Discussion

The DomainRole attribute returns a numeric value that identifies the role, as shown in the following list:

  • 0 is a standalone workstation.

  • 1 is a member workstation.

  • 2 is a standalone server.

  • 3 is a member server.

  • 4 is a backup domain controller.

  • 5 is a primary domain controller.

Using a command-line interface

WMIC is the command-line component of the Windows Management Instrumentation that uses aliases to enable you to easily access WMI namespaces from the command line. To run wmic against a remote computer, specify the /node:"<ComputerFQDN>" switch.

Protecting a Computer Against Accidental Deletion

Problem

You want to prevent a computer object from being accidentally deleted by an administrator who selects the incorrect option in Active Directory Users and Computers.

Solution

Using a graphical user interface (steps specific to Windows Server 2008 and later)

  1. Open Active Directory Users and Computers. Click on View and confirm that Advanced Features is selected.

  2. Drill down to the current domain. To connect to a different domain, right-click on the top-level node and click “Change domain”; select the appropriate domain and then drill down to it.

  3. Right-click on the computer that you want to modify and click Properties.

  4. Click on the Object tab.

  5. Place a checkmark next to “Protect object from accidental deletion.”

  6. Click OK.

Using a command-line interface (all versions)

dsacls <Computer DN> /d EVERYONE:SDDT

Using PowerShell (all versions)

Set-ADObject -Identity "<Computer DN>" -ProtectedFromAccidentalDeletion $True

Discussion

By default, all new OUs that are created in Windows Server 2008 and later will have this protection enabled; however, no other object types are configured with this default protection. If you attempt to delete a computer object that is protected using this option, even when signed on as a Domain Admin or other similarly elevated account, you will receive an “Access Denied” message until you manually remove the checkbox or manually remove the deny ACE associated with it.

Using the command-line or PowerShell method, you can apply this protection to group objects in all versions of Windows Server, even though the GUI checkbox is available only in Windows Server 2008 and later.

Viewing the RODCs That Have Cached a Computer’s Password

Problem

You wish to view the RODCs that have cached a computer account’s password secrets.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in (dsa.msc).

  2. Click View→Advanced Features. In the left pane, right-click on the domain and select Find.

  3. In the Find drop-down box, select Computers. Select the appropriate domain.

  4. Beside Name, type the name of the computer account and click Find Now.

  5. In the Search Results window, double-click on the computer.

  6. Select the Attribute Editor tab. Click Filter and ensure that there is a checkmark next to Backlinks.

  7. Scroll to the msDS-RevealedDSAs attribute to view a list of RODCs that have cached this computer’s password secrets.

  8. Click OK.

Using a command-line interface

> adfind -b <ComputerDN> msDS-RevealedDSAs

Using PowerShell

Get-ADComputer -Identity "<UserDN>" -Properties "msDS-RevealedDSAs" | FL msDS-RevealedDSAs

Discussion

As discussed in Chapter 3, Windows Server 2008 introduced the Read-Only Domain Controller (RODC) to improve the security of branch office and other remote environments. One of the security measures introduced by the RODC is the Password Replication Policy (PRP), which specifies a list of users, computers, and groups that can and cannot have their password secrets cached on one or more DCs. Each RODC maintains a forward-link attribute called msDS-RevealedUsers, which lists the user and computer accounts for whom each RODC has cached password secrets. Each computer account, in turn, maintains a backlink called msDS-RevealedDSAs. This backlink can be queried to determine which RODCs have stored password information for a particular user account; however, like all backlinks, this attribute cannot be modified directly.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.117.107.40