As far as Active Directory is concerned, computers are very similar
to users. In fact, computer
objects
inherit directly from the user
object
class, which is used to represent user accounts. This means that computer
objects possess all of the attributes
of user
objects and then some.
Computers need to be represented in Active Directory for many of the same
reasons users do, including the need to access resources securely, utilize
GPOs, and have permissions assigned to them.
To participate in a domain, computers need a secure
channel to a domain controller. A secure channel is an
authenticated connection that can transmit encrypted data. To set up the
secure channel, a computer must present a password to a domain controller.
Similar to the way in which it authenticates a user account, Active
Directory will use Kerberos authentication to verify the identity of a
computer account. Without the computer
object and, by association, the password stored with it that the operating
system changes behind the scenes on a regular basis, there would be no way
for the domain controller to verify a computer is what it claims to
be.
The default location for computer
objects in a domain is the cn=Computers
container located directly off
the domain root. You can, however, create computer
objects anywhere in a domain. You can
also modify the default location for computer
objects as described in Modifying the Attributes of a computer Object. Table 8-1 contains a list of some of
the interesting attributes that are available on computer
objects.
Table 8-1. Attributes of computer objects
Attribute | Description |
---|---|
| Relative distinguished
name of |
| Fully qualified DNS name of the computer. |
| The approximate timestamp of the last time the computer logged in to the domain. |
| The distinguished name (DN) of the user or group that manages the computer. |
| List of DNs of the groups the computer is a member of. |
| This attribute was introduced in Windows Server 2008. It is a backlink attribute that identifies users who have successfully authenticated to a full DC via a particular RODC. |
| This attribute was introduced in Windows Server 2012. It indirectly identifies the primary user of a computer. |
| This attribute was introduced in Windows Server 2008. It identifies the list of users and computers whose secrets have been replicated to an RODC. |
| Text description of the operating system running on the computer. See Finding Computers with a Particular OS for more information. |
| Currently not being used, but will hopefully be populated at some point. |
| Service pack version installed on the computer. See Finding Computers with a Particular OS for more information. |
| Numeric version of the operating system installed on the computer. See Finding Computers with a Particular OS for more information. |
| Large integer that can be translated into the last time the computer’s password was set. See Resetting a Computer Account for more information. |
| NetBIOS-style name of the
computer. This is typically the name of the computer with a
|
| Account flag that defines
various account properties. In the case of a |
You can create a computer
object using either the built-in DSAdd utility or AdMod. To create an
account using DSAdd, use the following syntax:
> dsadd computer "<ComputerDN>
" -desc "<Description>
"
To create a computer account using AdMod, enter the following:
> admod -b "<ComputerDN>
" objectclass::computer↵ sAMAccountName::<ComputerName>
$ userAccountControl::4096↵ description::"<Description>
" -add
Creating a computer
object in
Active Directory is not much different from creating a user
object. We set the description
attribute in the CLI solutions,
but it is not a mandatory attribute. The only mandatory attribute is
sAMAccountName
, which should be set
to the name of the computer with a $
appended. Note that ADAC and ADUC will both populate the sAMAccountName
automatically based on the name
given to the computer during the creation process. Also note that these
solutions simply create a computer
object. This does not mean any user can join a computer to the domain
with that computer account. For more information on creating a computer
object and allowing a specific user
or group to join the computer to the domain, see Creating a Computer for a Specific User or Group.
Creating a Computer for a Specific User or Group for creating a computer for a user; “New-ADComputer”; MSDN: ADS_USER_FLAG_ENUM
You want to create a computer account for a specific user or group to join to the domain. This requires setting permissions on the computer account so that the user or group can modify certain attributes.
In the left pane, click to highlight the desired domain.
In the right pane, click New and then click Computer.
Type a name for the computer and fill in the desired optional fields.
In the top-right corner of the Computer section, click the Change button near the text that says, “The above user or group can join this computer to a domain.”
Use the Object Picker to select a user or group to join the computer to the domain and then click OK.
Click OK to create the computer
object.
In the following solution, replace
<ComputerDN>
with the distinguished
name of the computer
object and
<UserOrGroup>
with the user principal
name or NT-style name of a user or group you want to manage the
computer:
> dsadd computer<ComputerDN>
> dsacls<ComputerDN>
/G<UserOrGroup>
:CALCGRSDDTRC;; > dsacls<ComputerDN>
/G<UserOrGroup>
:WP;description; > dsacls<ComputerDN>
/G<UserOrGroup>
:WP;sAMAccountName; > dsacls<ComputerDN>
/G<UserOrGroup>
:WP;displayName; > dsacls<ComputerDN>
/G<UserOrGroup>
:WP;userAccountControl; > dsacls<ComputerDN>
/G<UserOrGroup>
:WS;"Validated write to service↵ principalname"; > dsacls<ComputerDN>
/G<UserOrGroup>
:WS;"Validated write to DNS host name";
You can replace the first line of this code with the AdMod code from Creating a Computer if you choose.
By default, members of the Authenticated
Users group can join up to 10 computers to an Active
Directory domain. If you’ve modified this default behavior or need to
allow a user to add computers to the domain on a regular basis, you need
to grant certain permissions so that the user has rights to modify the
computer
object. When you create a
computer via ADAC or the ADUC snap-in (dsa.msc),
you have the option to select a user or group to manage the computer
object and join a computer to the
domain using that object. When you use that method, eight ACEs are added
to the ACL of the computer
object. They are:
List Contents, Read All Properties, Delete, Delete Subtree, Read Permissions, All Extended Rights (i.e., Allowed to Authenticate, Change Password, Send As, Receive As, Reset Password)
Write Property for description
Write Property for sAMAccountName
Write Property for displayName
Write Property for Logon Information
Write Property for Account Restrictions
Validated write to DNS hostname
Validated write for service principal name
If you want to modify the default permissions that are applied
when you select a user or group through the GUI, double-click on the
computer
object after you’ve
created it and go to the Security tab. For the Security tab to be
visible, you have to select View→Advanced Features.
With the dsacls utility, you can specify
either a UPN (user@domain
) or a
down-level-style (DOMAINuser
) account name
when applying permissions. Also, dsacls requires
that the displayName
of the
attribute, property set, or extended right you are setting the
permission on be used instead of the lDAPDisplayName
, as you might expect. That
is why we had to use “Validated write to service principal name,”
which is the displayName
for the
Validated-SPN controlAccessRight
object, with the ACE for the SPN-validated write.
dsacls is also case-sensitive, so be sure to
specify the correct case for the words in the displayName
.
Creating a Computer for creating a computer account
In the right pane, type the name of the computer in the Global Search box, select the desired domain in the scope, and then click the search icon.
In the search results, right-click the name of the computer and then click Delete.
In the Delete Confirmation dialog box, click Yes to complete
the deletion of the computer
object.
You want to join a computer to a domain after the computer
object has already been created in
Active Directory.
Log on to the computer that you want to join to the domain, and then open the Control Panel.
Open the System applet.
In the “Computer name, domain, and workgroup settings section,” click “Change settings.”
Click the Change button.
Under “Member of,” select Domain.
Enter the domain name that you want to join and click OK.
You may be prompted to enter credentials in order to join the computer to the domain.
When trying to add a computer to Active Directory, either you can
pre-create the computer
object as described in
Recipes and before joining it to the domain, or
you can perform both operations at the same time.
If you have the correct permissions in Active Directory, you can
actually create a computer
object
at the same time as you join it to a domain via the instructions
described in the GUI solution. Since the System applet doesn’t allow
you to specify an OU for the computer
object, if it needs to create a
computer
object it will do so in
the default Computers
container.
See Changing the Default Container for Computers for more
information on the default Computers
container and how to change
it.
The netdom
command will
attempt to create a computer
object
for the computer during a join if one does not already exist. An
optional /OU
switch can be added to
specify the OU in which to create the computer
object.
You can unjoin a computer from a domain at the command line by using unjoin.exe, another free download from the joeware website. unjoin.exe will not remove the computer account from the Active Directory domain; it will merely change the domain membership locally on the machine itself.
Add-Computer
cmdlet reference
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, right-click on the domain and select Find.
Beside Find, select Computers.
Type the name of the computer and click Find Now.
In the Search Results window, right-click on the computer and select Move.
Browse to and select the new parent container or OU.
Click OK.
You can also use drag-and-drop functionality to move computers and other objects.
You can move computer
objects
around a domain without much impact on the computer itself. You just
need to be cautious of the security settings on the new parent OU, which
may impact a user’s ability to manage the computer
object in Active Directory. Also, if
GPOs are used differently on the new parent, it could impact booting and
logon times, and how the computer’s operating system behaves after a
user has logged on.
Moving an Object to a Different OU or Container for moving an object to a different OU; Moving a Computer to a New Domain for moving a computer to a different domain
To migrate a computer
object
between domains, use the following steps:
Open the ADMT MMC snap-in (migrator.msc).
Right-click on the Active Directory Migration Tool folder and select the Computer Migration Wizard.
On the Welcome screen, click Next.
On the Domain Selection page, enter the DNS or NetBIOS name of the source and target domains. Click Next.
On the Computer Selection Option screen, select the option to select the computer from the domain and then click Next.
On the Computer Selection screen, click Add and use the
object picker to select a computer
object. Click OK to return to
the Computer Selection screen and then click Next.
On the Organizational Unit Selection screen, enter the destination OU in the new domain and then click Next.
On the Translate Objects screen, specify which objects should have new ACLs applied in the new domain. Select any, none, or all of the following, and then click Next to continue:
Files and folders
Local groups
Printers
Registry
Shares
User profiles
User rights
On the Computer Options screen, click Next to maintain the default reboot time of 5 minutes.
On the Object Property Exclusion screen, select any object properties that you do not want to migrate and then click Next.
On the Conflict Management screen, click Next to accept the default, which will not migrate the computer if there is a conflict.
On the Completing the Computer Migration Wizard screen, review the migration settings and then click Finish to complete the move.
The following command migrates a computer
object from the
adatum.com domain to the
emea.adatum.com domain. It will place the
migrated object in the Finance OU and will wait two minutes before
rebooting the target computer:
ADMT COMPUTER /IF /N "FIN101-A" "FIN101-A" /SD:"adatum.com"↵ /TD:"emea.adatum.com" /TO:"Finance" /RDL:2
You can move objects between domains assuming you follow a few guidelines:
The user requesting the move must have permission to modify objects in the parent container of both domains.
You should explicitly specify the target DC (serverless binds usually do not work). This is necessary because the Cross Domain Move LDAP control is being used behind the scenes. (For more information on controls, see Using LDAP Controls.)
The move operation must be performed against the RID master for both domains. This is done to ensure that two objects that are being moved simultaneously don’t somehow get assigned the same RID.
Using LDAP Controls for more on LDAP controls; MSDN: IADsContainer::MoveHere; “Active Directory Migration Tool (ADMT) Guide: Migrating and Restructuring Active Directory Domains”
Log on to the computer either directly or with a remote console application, such as Remote Desktop Connection.
Open the Control Panel and double-click on the System applet.
In the “Computer name, domain, and workgroup settings section,” click the Change Settings button.
On the Computer Name tab, click Change.
Under Computer Name, type the new name of the computer and click OK until you are out of the System applet.
Reboot the computer.
Renaming a computer consists of two operations: renaming the
computer
object in Active Directory
and renaming the hostname on the machine itself. To do it in one step—an
option that each of the three solutions offers—you must have permission
in Active Directory to rename the account and administrator permissions
on the target machine. For the rename operation to be complete, you must
reboot the computer.
In some cases, renaming a computer can adversely affect services running on the computer. For example, you cannot rename a machine that is a domain controller, Exchange Server, or a Windows Certificate Authority without taking additional (and often significant) steps and precautions.
After you rename the computer, you will be prompted to reboot. You can cancel if necessary, but you’ll need to reboot at some point to complete the rename operation.
Renaming an Object for renaming objects; “Netdom renamecomputer”
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, browse to the parent container of the objects you want to modify.
In the right pane, highlight each object you want to modify, right-click, and select Properties.
On the “Member of” tab, click Add.
Click the group to which you want to add the computer, and then click Add. To add the computer to more than one group, press Ctrl while selecting the groups you want to add the computer to, and then click Add.
To remove a group, select the group
object and click Remove.
Click OK to finish.
In Active Directory, both user
and computer
objects are security
principals that can be assigned rights and permissions in a domain. As
such, computer
objects can be added
to or removed from group
objects to
make for simpler resource administration. You can make this change
through ADAC, ADUC, or ADSI Edit, or by manually editing the member
attribute of the appropriate group
object.
Every member computer in an Active Directory domain establishes a
secure channel with a domain controller. The computer’s password is
stored locally in the form of an LSA secret and in Active Directory. The
NetLogon service uses this password to establish the secure channel with
a domain controller. If for some reason the LSA secret and computer
password become out of sync, the computer will no longer be able to
authenticate in the domain. The nltest
/sc_query
command can query a computer to verify its secure
channel is working. Here is sample output from the command when things
are working:
Flags: 30 HAS_IP HAS_TIMESERV Trusted DC Name \dc1.adatum.com Trusted DC Connection Status Status = 0 0x0 NERR_Success The command completed successfully
If a secure channel is failing, you’ll need to reset the computer as described in Resetting a Computer Account. Here is sample output when things are not working:
Flags: 0 Trusted DC Name Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS The command completed successfully
If the –Verbose
parameter is
not specified, the command only returns True
when the secure channel is working
properly. By specifying verbose output, the command returns “The
secure channel between ‘Client Computer’, ‘Domain Controller’, and
‘Domain Name’ is alive and working correctly.”
Resetting a Computer Account for resetting a computer
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, right-click on the domain and select Find.
Beside Find, select Computers.
Type the name of the computer and click Find Now.
In the Search Results window, right-click on the computer and select Reset Account.
Click Yes to confirm the reset.
Click OK.
Rejoin the computer to the domain.
You can use the DSMod utility to reset a computer’s password. You will need to rejoin the computer to the domain after doing this:
> dsmod computer "<ComputerDN>
" -reset
Another option is to use the netdom
command, which can reset the secure
channel between the computer and the domain controller without
affecting the computer’s password, so that you do not need to rejoin
it to the domain:
> netdom reset<ComputerName>
/Domain<DomainName>
/UserO<UserUPN>
/PasswordO *
You can also use the nltest
command to reset a secure channel using the following
syntax:
> nltest /sc_reset:<DomainName><DCName>
When you’ve identified that a computer’s secure channel has
failed, you’ll need to reset the computer
object, which consists of setting the
computer
object password to the name
of the computer. This is the default initial password for new computers.
Every 30 days, Windows computers automatically change their passwords in
the domain. After you’ve set the password, you’ll need to rejoin the
computer to the domain since it will no longer be able to communicate
with a domain controller due to unsynchronized passwords. However, the
netdom reset
command and the Test-ComputerSecureChannel
command will try to
reset the password both on the computer and in Active Directory, which
will not necessitate rejoining it to the domain if successful.
From a practical standpoint, you should first attempt to reset the
secure channel between the computer and the domain using the netdom
, Test-ComputerSecureChannel
, or nltest
syntax, since doing so will not require
you to unjoin and rejoin the computer to the domain; in particular, this
will save you from performing the associated reboots involved with
rejoining the domain. If resetting the secure channel does not correct
the issue you’re facing, you can then resort to resetting the computer’s
password.
A new utility from joe Richards, named MachinePwd, is another way to change computer passwords from the command line. See joeware for more detail.
Joining a Computer to a Domain for joining a computer to a domain
These solutions might apply only to Windows-based machines. Other types of machines—for example, Unix, Mac, and Network Attached Storage (NAS)—that have accounts in Active Directory might not update their login timestamps or passwords, which are used to determine inactivity.
The following query will locate all inactive computers in the current forest:
> dsquery computer forestroot -inactive <NumWeeks>
You can also use domainroot
in combination with the -d
option
to query a specific domain:
> dsquery computer domainroot -d<DomainName>
-inactive<NumWeeks>
Or you can target your query at a specific container:
> dsquery computer ou=MyComputers,dc=adatum,dc=com -inactive <NumWeeks>
You can also use the OldCmp joeware utility to create a report of all computer accounts whose passwords are older than a certain number of days (90 by default) by using the following syntax:
> oldcmp -report
To specify an alternate password age with oldcmp
, use the –age x
switch. You can also use the
–llts
switch to use the lastLogonTimeStamp
attribute to perform
the age calculations. (Without this switch, oldcmp
will use pwdLastSet
by default, which will work
against any version of Active Directory in any domain mode.)
You can also locate computers that have not been logged on to for a certain amount of time using PowerShell, as shown in the following example that finds computers that have not been logged on to in 60 days:
$DaysSince = (Get-Date).AddDays(-60) Get-ADComputer -Filter * -Properties LastLogonDate | Where-Object {($_.LastLogonDate -le $DaysSince) -and ($_.Enabled -eq $True) -and ($_.LastLogonDate -ne $NULL)} | Select Name,LastLogonDate
The dsquery computer
command
is very handy for finding inactive computers that have not logged in
to the domain for a number of weeks or months. You can pipe the
results of the query to the dsrm command-line
utility if you want to remove the inactive computer
objects from Active Directory in a
single command.
You can also use OldCmp to disable inactive accounts, and then
either delete them or move them to an alternate OU. OldCmp has a
number of safeties built into the utility to prevent you from deleting
a large number of computer accounts without meaning to. For example,
OldCmp will not delete an account unless it has first been disabled,
it will not modify more than 10 objects at a time unless you manually
specify a higher limit, and it simply will not do anything at all to a
domain controller computer account under any circumstances. Unless you
have a requirement for quickly removing unused computer
objects, we’d recommend allowing
them to remain inactive for at least three months before removing
them. If you don’t really care when the objects get removed, use a
year (i.e., 52 weeks) to be on the safe side.
Preventing a User’s Password from Expiring for
finding users whose passwords are about to expire; “Find Inactive Users using
Powershell” (can be used with the -computersonly
switch)
You want to grant users the ability to join more or fewer than 10 computers to a domain. This limit is called the machine account quota.
In the following LDIF code, replace
<DomainDN>
with the distinguished
name of the domain you want to change, and replace
<Quota>
with the new machine account
quota:
dn:<DomainDN>
changetype: modify replace: ms-DS-MachineAccountQuota ms-DS-MachineAccountQuota:<Quota>
-
If the LDIF file was named change_computer_quota.ldf, you would then run the following command:
> ldifde -v -i -f change_computer_quota.ldf
You can also make this change using AdMod, as follows:
> admod -b<DomainDN>
ms-DS-MachineAccountQuota::<Quota>
In a default Active Directory installation, members of the
Authenticated Users
group can add and
join up to 10 computer accounts in the default Computers
container. The number of computer
accounts that can be created is defined in the attribute ms-DS-MachineAccountQuota
on the domainDNS
object for a domain. The default
setting is 10, but you can easily change that to whatever number you
want, including 0, via the methods described in this recipe. If you set
it to 0, users have to be granted explicit permissions in Active
Directory to join computers; refer to Joining a Computer to a Domain for instructions on granting
these permissions.
Another method for granting users the right to add computer
objects, although not recommended, is
via Group Policy. If you grant the “Add workstation to domain” right via
Computer Configuration→Windows Settings→Security Settings→Local Policies→User Rights Assignment on a GPO
that’s been linked to the Domain Controllers OU, then users will be able
to create computer accounts even if they do not have create child
permissions on the default Computers
container. This is a holdover from Windows NT to maintain backward
compatibility and should not be used unless absolutely necessary. In
fact, a good security best practice would be to remove
this user right from any user
or group
objects that do not require it.
Joining a Computer to a Domain for permissions needed to join computers to a domain; MS KB 251335 (Domain Users Cannot Join Workstation or Server to a Domain); “Default limit to number of workstations a user can join to the domain”
In the right pane, enter the name of the computer in the Global Search box, select the desired domain in the scope, and then click the search icon.
In the search results, double-click the name of the computer to open the computer properties.
Scroll down to the Extension section and then click the Attribute Editor tab.
Click the attribute that you want to modify and then click the Edit button.
Modify or set the desired value for the attribute and then click OK.
Click OK to finalize the attribute change.
Create an LDIF file called modify_object.ldf with the following contents:
dn:<ComputerDN>
changetype: modify add:<AttributeName><AttributeName>
:<AttributeValue>
-
Then run the following command:
> ldifde -v -i -f modify_object.ldf
To modify an object using AdMod, you’ll use the following general syntax:
> admod -b <ComputerDN> <attribute>:<operation>:<value>
For example, you can add a location to a computer
object using the following
syntax:
> admod -b cn="Fin101,cn=Computers,dc=adatum,dc=com" location::"Berlin, Germany"
The Set-ADComputer
cmdlet
allows you to set commonly used attributes by using the following
syntax:
Set-ADComputer -Identity<ComputerDN>
-<ObjectAttribute>
"<Value>
"
To set attributes that are not supported by the Set-ADComputer
cmdlet natively, use the
following syntax:
Set-ADComputer -Identity<ComputerDN>
-Replace @{<ObjectAttribute>
="<Value>
"}
Like all objects within Active Directory, computer
objects have various attributes that
can be queried, modified, and deleted during the day-to-day management
of your domain. Because computer
objects inherit from the user
class,
they include similar informational attributes to the user
objects, as well as attributes that are
specific to computer
objects,
including:
Location
Description
operatingSystemVersion
operatingSystemServicePack
sAMAccountName
pwdLastSet
primaryGroupID
Finding Inactive or Unused Computers for finding inactive or unused computers; Finding Computers with a Particular OS for finding computers with a particular OS; MSDN: Computer System Hardware Classes [WMI]
You can perform this search using the Active Directory Users and Computers MMC snap-in, as follows:
Right-click on the domain, OU, or container that you wish to search and click Find.
In the Find drop-down box, select Computers.
Click on the Advanced tab. Click on Field and select Operating System.
Select the Condition that you want to search on from one of the following:
Starts with
Ends with
Is (exactly)
Is not
Present
Not present
In the Value field, enter the value that you want to search for, such as “Windows Server 2012 Datacenter.”
You can query for computer
objects of a particular operating system using either DSQuery or
AdFind. To perform the query with DSQuery, use the following
syntax:
> dsquery * <DomainDN>
-scope subtree -attr "*" -filter "(&(↵
objectcategory=computer)(operatingSystem=Windows Server 2012 Datacenter))"
To use AdFind, enter the following:
> adfind -b <DomainDN>
-f "(&(objectcategory=computer) (operatingSystem=Windows Server 2012 Datacenter))"
To search for computers based on operating system version using
PowerShell, use the get-ADComputer
cmdlet. The following example finds all computers that are running
Windows Server 2012 Datacenter without regard for the service pack
level:
Get-ADComputer -Filter {OperatingSystem -eq "Windows Server 2012 Datacenter"} | Select Name
The following example searches for all computers that are running Windows Server 2008 R2 Enterprise with Service Pack 1:
Get-ADComputer -Filter {OperatingSystem -eq "Windows Server 2008 R2 Enterprise" -and OperatingSystemVersion -eq "6.1 (7601)"} | Select Name
When a computer joins an Active Directory domain, the operating
system attributes are updated for the computer
object. There are three of these
attributes, which can be used in queries to find computers that match
certain OS-specific criteria, such as service pack level.
These attributes include the following:
operatingSystem
Descriptive name of the installed operating system—for example, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. The values of this attribute sometimes include special characters such as the copyright symbol, which makes this attribute a poor choice for searching. However, if you know the descriptive name, it can still be a logical choice in a filter.
operatingSystemVersion
Numerical representation of the operating system—for example, 6.1 (7601) and 6.2 (9200). The version corresponds to the current service pack level, if one is installed. For instance, 6.1 (7600) represents Windows Server 2008 R2 without a service pack, while 6.1 (7601) represents Windows Server 2008 R2 with Service Pack 1. Windows Server 2012 is represented by 6.2 (9200).
operatingSystemServicePack
Current service pack level if one is installed—for example, Service Pack 2 and Service Pack 3.
This recipe typically applies only to Windows-based machines. Other types of machines (e.g., Unix) that have accounts in Active Directory might not automatically update their OS attributes, though some newer Unix or Linux-based NAS devices have been configured to do so.
From the menu, select Connection→Connect.
For Server, enter the name of a domain controller (or leave it blank to do a serverless bind).
For Port, enter 389
.
Click OK.
From the menu, select Connection→Bind.
Enter the credentials of a domain user or accept the default setting and bind as the currently logged on user.
Click OK.
From the menu, select View→Tree.
For the DN, enter:
<WKGUID=aa312825768811d1aded00c04fd8d5cd,<DomainDN>
>
where <DomainDN>
is the
distinguished name of a domain.
Click OK.
In the lefthand menu, you can now browse the default
Computers
container for the
domain.
By default, all computer
objects created in an Active Directory domain are placed into the
built-in Computers
container. This
default container has a significant limitation, in that you are unable
to link Group Policy Objects (GPOs) to the built-in container. If you
have one or more GPOs that you wish to apply to all computer
objects in your domain, you should
modify the default location for computer accounts in AD. You can use
the redircmp utility to change this default
location, as we will discuss in Changing the Default Container for Computers.
$strDomain = "<DomainDNSName>
"
Set-Variable ADS_GUID_COMPUTERS_CONTAINER aa312825768811d1aded00c04fd8d5cd
$rootDSE = [ADSI]("LDAP://" + $strDomain + "/RootDSE")
$container = [ADSI]("LDAP://<WKGUID=" + $ADS_GUID_COMPUTERS_CONTAINER + "," +
$rootDSE.defaultNamingContext + ">")
$container.distinguishedName
In much the same way that the TCP/IP protocol defines a list of
well-known ports that are commonly used by industry applications (TCP
ports 20 and 21 for FTP, TCP port 80 for HTTP, and so on), Active
Directory defines Well-Known GUIDs that map to container
objects that are present in every AD
installation. The Domain NC defines the following WKGUIDs:
Users
Computers
System
Domain Controllers
Infrastructure
Deleted Objects
Lost and Found
The Configuration NC also defines its own Deleted Objects
WKGUID.
For example, the default Computers
container has the following
WKGUID:
aa312825768811d1aded00c04fd8d5cd
You can use the GUID to bind to the default Computers
container in the domain using the
following ADsPath:
LDAP://<WKGUID=aa312825768811d1aded00c04fd8d5cd,dc=apac,dc=adatum,dc=com>
The list of well-known objects for a domain is contained in the
wellKnownObjects
attribute of the
domainDNS
object for the domain. The
wellKnownObjects
attribute is
multivalued with DNWithBinary
syntax.
The following is an example of what that attribute looks like for the
adatum.com domain:
B:32:AA312825768811D1ADED00C04FD8D5CD:cn=Computers,dc=adatum,dc=com; B:32:F4BE92A4C777485E878E9421D53087DB:cn=Microsoft,cn=Program Data,dc=adatum,dc=com; B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:cn=Program Data,dc=adatum,dc=com; B:32:22B70C67D56E4EFB91E9300FCA3DC1AA: cn=ForeignSecurityPrincipals,dc=adatum,dc=com; B:32:18E2EA80684F11D2B9AA00C04F79F805:cn=Deleted Objects,dc=adatum,dc=com; B:32:2FBAC1870ADE11D297C400C04FD8D5CD:cn=Infrastructure,dc=adatum,dc=com; B:32:AB8153B7768811D1ADED00C04FD8D5CD:cn=LostAndFound,dc=adatum,dc=com; B:32:AB1D30F3768811D1ADED00C04FD8D5CD:cn=System,dc=adatum,dc=com; B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:ou=Domain Controllers,dc=adatum,dc=com; B:32:A9D1CA15768811D1ADED00C04FD8D5CD:cn=Users,dc=adatum,dc=com;
Each value has the format of:
B:NumberofBytes:GUID:DistinguishedName
As you can see, the GUID for the first value is the same as the
one we used in the ADsPath earlier to bind to the default Computers
container.
Changing the Default Container for Computers for changing
the default Computers
container;
MSDN: Binding to Well-Known Objects Using WKGUID
From the menu, select Connection→Connect.
For Server, enter the name of a domain controller (or leave it blank to do a serverless bind).
For Port, enter 389
.
Click OK.
From the menu, select Connection→Bind.
Enter the credentials of a domain user.
Click OK.
From the menu, select Browse→Modify.
For DN, enter the distinguished name of the domainDNS
object of the domain you want
to modify.
For Attribute, enter wellKnownObjects
.
For Values, enter the following:
B:32:AA312825768811D1ADED00C04FD8D5CD:cn=Computers,<DomainDN>
where <DomainDN>
is the
same as the DN you enter for the DN field.
Select Delete for the Operation and click the Enter button.
Go back to the Values field and enter the following:
B:32:AA312825768811D1ADED00C04FD8D5CD:<NewComputersParent>,<DomainDN>
where <NewComputersParent>
is the new parent container for new computer
objects (e.g., ou=Adatum Computers
).
Select Add for the Operation and click the Enter button.
Click the Run button.
The result of the operations will be displayed in the right pane of the main LDP window.
Many Active Directory administrators do not use the Computers
container within the Domain Naming
context as their primary computer repository. One reason is that since
it is a container and not an OU, you cannot apply Group Policy Objects
to it. If you have another location where you store computer
objects, you might want to consider
changing the default container used to bind to the Computers
container by changing the well-known
objects
attribute, as shown in this
recipe. This can be beneficial if you want to ensure computers cannot
sneak into Active Directory without having the appropriate group
policies applied to them. While you can also apply GPOs at the site or
the domain level, forcing new computers into a particular organizational
unit ensures that those computers receive the Group Policy settings that
you want them to receive through GPOs linked at the OU level. However,
this does not protect you from an administrator (whether intentionally
or accidentally) explicitly creating a computer
object in the incorrect OU; this only
protects you from applications or utilities that do not allow or do not
require you to specify an OU when creating the computer.
See Binding to the Default Container for Computers for more information on how well-known objects are specified in Active Directory.
Get-ADComputer
cmdlet reference; MSDN: Object Class
and Object Category [Active Directory]; MSDN: Object-Class Attribute
[AD-Schema]
You want to prevent a computer
object from being accidentally deleted by an administrator who selects
the incorrect option in Active Directory Users and Computers.
Open Active Directory Users and Computers. Click on View and confirm that Advanced Features is selected.
Drill down to the current domain. To connect to a different domain, right-click on the top-level node and click “Change domain”; select the appropriate domain and then drill down to it.
Right-click on the computer that you want to modify and click Properties.
Click on the Object tab.
Place a checkmark next to “Protect object from accidental deletion.”
By default, all new OUs that are created in Windows Server 2008
and later will have this protection enabled; however, no other object
types are configured with this default protection. If you attempt to
delete a computer
object that is
protected using this option, even when signed on as a Domain Admin or
other similarly elevated account, you will receive an “Access Denied”
message until you manually remove the checkbox or manually remove the
deny ACE associated with it.
Using the command-line or PowerShell method, you can apply this
protection to group
objects in
all versions of Windows Server, even though the GUI
checkbox is available only in Windows Server 2008 and later.
Click View→Advanced Features. In the left pane, right-click on the domain and select Find.
In the Find drop-down box, select Computers. Select the appropriate domain.
Beside Name, type the name of the computer account and click Find Now.
In the Search Results window, double-click on the computer.
Select the Attribute Editor tab. Click Filter and ensure that there is a checkmark next to Backlinks.
Scroll to the msDS-RevealedDSAs
attribute to view a
list of RODCs that have cached this computer’s password
secrets.
As discussed in Chapter 3, Windows Server
2008 introduced the Read-Only Domain Controller (RODC) to improve the
security of branch office and other remote environments. One of the
security measures introduced by the RODC is the Password Replication
Policy (PRP), which specifies a list of users, computers, and groups
that can and cannot have their password secrets cached on one or more
DCs. Each RODC maintains a forward-link attribute called msDS-RevealedUsers
, which lists the user and
computer accounts for whom each RODC has cached password secrets. Each
computer account, in turn, maintains a backlink called msDS-RevealedDSAs
. This backlink can be
queried to determine which RODCs have stored password information for a
particular user account; however, like all backlinks, this attribute
cannot be modified directly.
18.117.107.40