Administering Computer Objects

Just as Active Directory has a user object for each network user, it has a computer object for each computer in the domain. However, this applies "only" to Windows 2000 and Windows NT computers. Other workstations (e.g., Windows 95 and 98 and non-Microsoft operating systems) that are not using the NT-based integrated security cannot have a computer object.

IF YOU KNOW NDS

NDS allows a broader range of workstation types than does Active Directory, which means that you can manage more types of workstations with the help of the directory service.

Also, computer objects are used only for computers that join a domain. If a stand-alone server or workstation will be in a workgroup instead of a domain, it will not be assigned a computer object in Active Directory.

You could categorize computer object properties as either significant or informational, just as we did with user objects. However, the distinction among computer objects is not as clear as it is among user objects, so we don't use these terms with computer objects in this book (with a couple of exceptions).

The purposes of computer objects are as follows:

  • As inherited from the very first version of Windows NT back in 1993, a computer account ties the workstation or server to the Windows NT/2000 security model.

  • A computer object is a placeholder for properties that help you when you are remotely installing and managing workstations.

  • A computer object is a placeholder for properties that are purely informational.

  • A computer object is a security principal. This means that just as with a user, you can give permissions for resources and assign security group memberships to the computer.

  • The location of a computer object in Active Directory dictates which group policies apply to the corresponding computer.

Computer objects are treated slightly differently, depending on whether they are for domain controllers or for workstations and member servers. Table 3.14 compares the two.

When you start to manage computer objects, your tasks will include the following:

  • Create computer objects.

  • Set computer object properties.

  • Move, rename, disable, reset, and delete computer objects.

  • Assign Group Policy and permissions, and delegate administrative tasks.

In this chapter, we focus on the first three items in the list. The last item is discussed in later chapters. If you want to try the management tasks discussed in this section, you can create some test computer objects in your test OU. To test all the features, however, you will need some test workstations.

Creating Computer Objects

As Table 3.14 in the previous section implies, computer objects are created in three ways.

TABLE 3.14 Comparing Domain Controllers and Other Computer Objects

| Feature | Domain Controller | Workstation and Member Server |
| --- | --- | --- |
| Creation of the object | Automatically while installing Active Directory on the server (using DCPromo) | Semiautomatically while joining the computer to the domain, or manually with the Users and Computers snap-in |
| Default container of the object | Domain Controllers | Computers |
| Use of the default location | Probably yes | Probably not (place the computer objects in OUs instead) |
| Computer GUID | You cannot set this property. | You may set this property, which helps when using Remote Installation Services and signifies a managed computer. |


  • A computer object for a domain controller is created automatically in the Domain Controllers OU when you install Active Directory on that server by running the Active Directory Installation Wizard (i.e., DCPromo).

  • When you join a stand-alone server or workstation to a domain, either during computer installation or afterward, you have the option to create the computer object. An object created in this way goes to the Computers container.

  • You precreate the computer object manually using the Users and Computers snap-in. This choice is explained next.

NOTE

The second and third items in the list require appropriate permissions or user rights, which are explained in Chapter 4. In short, any forest user can by default join ten workstations to a domain.

You can store the computer objects either in the Computers container or in various OUs in the domain. The latter option allows different OU-based group policies for different computers.

When you right-click the appropriate target OU and select New, Computer, you will see the dialog box shown in Figure 3.17. Here you specify the name for the object, the downlevel name for the computer, and the user or group who can later join the computer to the domain.

Figure 3.17 When you create a computer object, you are prompted to specify the name for the object, the downlevel name for the computer, and the user or group who can later join the computer to the domain. If the joining computer is running Windows NT, you must select the bottom check box.

If you use Remote Installation Services (RIS) to install Windows 2000 Professional computers, there will be one or two additional pages in the creation wizard. Figure 3.18 shows the first of these pages.

Figure 3.18 If you use RIS, you will see a second page in the creation wizard. You can specify that this is a "managed computer" and enter the computer's GUID.

NOTE

Whether you get the two additional wizard pages or not depends on which computer you are sitting at. For example, if there are two domain controllers in your domain (DC1 and DC2) and you have installed RIS on DC2, you will see the two additional pages if you are sitting at DC2 or any workstation. However, if you are sitting at DC1, you won't see the pages.

Computer manufacturers assign a unique GUID to each computer they sell. If you enter this GUID into Active Directory, it will help RIS match a certain computer system to a certain computer object.

After you have bought a computer and turned it on for the first time to install Windows 2000 Professional onto it, the RIS service sends the computer's GUID to a RIS server. This way, RIS can locate the correct computer object in Active Directory.

If you selected the "This is a managed computer" option on the wizard's second page, you will see one more page, which is shown in Figure 3.19.

Figure 3.19 If you selected the "This is a managed computer" option in the creation wizard's second page (Figure 3.18), you will see another page that enables you to specify a certain remote installation server. You can use this for load balancing, so that certain client computers (identified by the GUID) install Windows 2000 Professional from a certain server.

NOTE

The computer GUID shown in Figure 3.18 is not the same as the GUID that each Active Directory object has. Chapter 8 offers more in-depth treatment of object GUIDs.

You cannot specify the computer GUID or RIS server name for an existing computer object using the Users and Computers snap-in if you didn't specify "managed computer" when you first created the object. To edit properties directly, you need to use ADSI Edit or some other means. The aforementioned information is stored in the properties netbootGUID and netbootMachineFilePath.
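The following Python is an added example, not code from the book or from Microsoft, showing how the two properties just named would be prepared for ADSI Edit or another LDAP client, and how to read a stored netbootGUID back into the form printed on the computer. It assumes that netbootGUID holds the GUID's 16 raw bytes in .NET Guid.ToByteArray() order (first three fields little-endian); the computer name, GUID and RIS server name are constructed sample values.

```python
import uuid

# Constructed sample values for this example (not from the book).
SAMPLE_NAME = "WS-0042"
SAMPLE_GUID = "12345678-9ABC-DEF0-1234-56789ABCDEF0"
SAMPLE_RIS_SERVER = "dc2.example.com"   # hypothetical RIS server DNS name


def netboot_guid_bytes(guid_text: str) -> bytes:
    """Turn the GUID as shown on the computer's boot screen or label into the
    16 raw bytes stored in netbootGUID. Assumption: the attribute uses the same
    byte order as .NET's Guid.ToByteArray(), i.e. the first three fields are
    little-endian (Python's UUID.bytes_le), so the hex ADSI Edit shows does NOT
    read the same as the displayed GUID. Braces and hyphens are tolerated."""
    clean = guid_text.strip().strip("{}").replace("-", "")
    if len(clean) != 32:
        raise ValueError(f"expected 32 hex digits, got {guid_text!r}")
    return uuid.UUID(hex=clean).bytes_le


def netboot_guid_text(raw: bytes) -> str:
    """Reverse of netboot_guid_bytes: decode a stored netbootGUID value back
    into the displayed GUID form, e.g. to check an existing computer object."""
    if len(raw) != 16:
        raise ValueError(f"netbootGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw)).upper()


def managed_computer_attributes(name: str, guid_text: str, ris_server: str = "") -> dict:
    """Build the attribute set for precreating a managed computer object.
    Naming follows Table 3.15: cn is the plain name (max 64 characters) and
    sAMAccountName is the downlevel name with the trailing dollar sign that
    Active Directory stores internally."""
    cn = name.strip().rstrip("$").upper()
    if not cn or len(cn) > 64:
        raise ValueError("computer name must be 1-64 characters")
    attrs = {
        "cn": cn,
        "sAMAccountName": cn + "$",
        "netbootGUID": netboot_guid_bytes(guid_text),   # marks a managed computer
    }
    if ris_server:
        # DNS name of the remote installation server that should serve this client
        attrs["netbootMachineFilePath"] = ris_server
    return attrs


def as_adsi_edit_hex(attrs: dict) -> str:
    """ADSI Edit displays octet-string values as hex; render netbootGUID that way."""
    return attrs["netbootGUID"].hex().upper()


if __name__ == "__main__":
    a = managed_computer_attributes(SAMPLE_NAME, SAMPLE_GUID, SAMPLE_RIS_SERVER)
    print(a["sAMAccountName"], as_adsi_edit_hex(a), netboot_guid_text(a["netbootGUID"]))
```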

A computer object has several names, which are listed in Table 3.15.

TABLE 3.15 Name Properties of a Computer Object

| Property | LDAP Name | Maximum Length | Required | Unique | Comments |
| --- | --- | --- | --- | --- | --- |
| Computer name | name (RDN) and cn (Common-Name) | 64 | X | Within OU | This becomes the object common name in the tree. |
| DNS name | dNSHostName | 2048 | | In the world | The target computer updates this property automatically. |
| Computer name (pre-Windows 2000) | sAMAccountName | 256 | X | Within the enterprise | This is the downlevel name of the computer, which is also the same as the computer NetBIOS name. Internally, Active Directory stores a dollar sign ($) at the end of the name. |


Setting Computer Object Properties

The Users and Computers snap-in shows you about 15 computer object properties, and you can set about 8 of them. Behind the scenes, a computer object may have 228 properties.

Table 3.16 lists the properties in five of the six tabs. We discuss the sixth tab, Member Of, later in this chapter in the "Administering Groups" section. We don't include screen shots, because they would show just a number of text boxes. Many of the setting names are self-explanatory. Note that Windows 2000 also provides context-sensitive help for each of the settings.

TABLE 3.16 Properties of a Computer Object

| Property | LDAP Name | Syntax* | Index | GC | Comments |
| --- | --- | --- | --- | --- | --- |
| General Tab | | | | | |
| Computer name (pre–Windows 2000) | sAMAccountName | Text (256) | X | X | This is the downlevel name of the computer, which is also the same as the computer NetBIOS name. Internally, Active Directory stores a dollar sign ($) at the end of the name. |
| DNS name | dNSHostName | Text (2048) | | X | |
| Role | | | | | "Domain controller" or "Workstation or server" |
| Description | description | Text (1024) | | X | |
| Trust computer for delegation | userAccountControl | Yes/no | X | X | This setting is described in Chapter 4 in the "Impersonation and Delegation" section. |
| Operating System Tab | | | | | |
| Name | operatingSystem | Text | | | A read-only text such as "Windows 2000 Server." |
| Version | operatingSystemVersion | Text | | | A read-only text to indicate the normal version, such as "5.0" (i.e., Windows 2000), and the more precise version (i.e., build number), such as "2195." |
| Service Pack | operatingSystemServicePack | Text | | | A read-only text to indicate whether or not you have installed any Windows 2000 service packs on the machine, such as "Service Pack 1." |
| Location Tab | | | | | |
| Location | location | Text (1024) | X | X | |
| Managed By Tab | | | | | |
| Managed By | managedBy | DN; you select a user or contact from a list | | | The user or contact you select gets no permissions for the computer. This setting is purely informational. The other fields on the tab are the manager's properties. |
| Remote Install Tab** | | | | | |
| Computer's unique ID | netbootGUID | Binary (text in the user interface) | X | X | Same as the computer's GUID. It helps when using RIS, and it signifies a managed computer. |
| Remote Installation server | netbootMachineFilePath | Text | | X | This property specifies the DNS name of the selected installation server. |
| Server settings | N/A | N/A | N/A | N/A | This button takes you to the properties of the server object. |


Other Operations to Manage Computer Objects

Other operations you can do to manipulate computer objects are move, delete, disable, and reset. You can also rename computers or start computer management to manage the computer corresponding to the object.

Moving Computer Objects

If you need to move a computer object from one OU to another, you do it in the same way you move users. When you are moving a computer within a domain, you right-click the computer object and select Move. Then you choose the destination and click OK. Between domains in a forest you use the Support Tools command-line tool MoveTree, which is discussed in Chapter 6.

You can move several sibling objects at once by selecting them in the right-hand pane of the snap-in by using the Shift and/or the Ctrl key.

When you move computer objects

  • Permissions that are assigned for the object being moved move with the object.

  • Group policies and permissions that are inherited from above do not move with the object being moved. Instead, the moved object inherits the policies and permissions from its new location.

Deleting Computer Objects

You delete an object by right-clicking it and selecting Delete or by selecting the object and pressing the Delete key. Because there is no Undo option, a safety mechanism asks you to confirm the deletion.

A computer object is a security principal like a user object. Therefore, if you delete a computer object and then recreate it, the new object doesn't have the memberships or permissions of the old one.

If you delete a computer object, the corresponding computer is no longer part of the domain. Therefore, no one can log on to the computer using a domain user account.

Disabling Computer Accounts

You can disable the computer account by right-clicking the computer object and selecting Disable Account. Doing so will prevent users sitting at that computer from logging on using a domain user account.

You cannot disable a domain controller.

Resetting Computer Accounts

When a Windows 2000 (or Windows NT) computer that is a member of a domain starts, the computer logs on to the domain using the computer account and some password known to the machine. After this, a user sitting at the computer can enter his username and password to log on to the domain.

The aforementioned machine logon sets up a secure channel, which enables the member computer to communicate with a domain controller to exchange user and password information. For example, if the computer account password stored on the local computer (as an LSA secret) doesn't match the one stored in Active Directory, authentication to the domain is not possible and the user will receive an error like the one shown in Figure 3.20.

Figure 3.20 If the member computer cannot establish a secure channel with a domain controller, the user receives an error message and is not able to log on using a domain user account.

An administrator can solve the problem by using the Reset Account context menu item on the corresponding computer object. Resetting a computer account resets its password to the initial value, which is "computername$" (without quotes). In addition, the member computer must be joined to a workgroup and then joined to the domain again.

NOTE

Support Tools includes two command-line utilities, NetDom and NLTest, which you can also use to reset computer accounts, among other things.

Managing Computers

When you right-click the computer object and select Manage, the Computer Management snap-in starts and sets the focus to the corresponding computer. This way you can manage its system tools, storage, server applications, and services.

Renaming Computers

You rename a Windows 2000 workstation or member server using the Control Panel of that computer. Select System, then the Network Identification tab, and finally the Properties button. Once you enter a new name and click OK, you are prompted for the name of a domain user who has permission to change the name of the workstation or member server, as well as that user's password.

This operation renames the computer (i.e., the NetBIOS name and DNS name) and changes the pre–Windows 2000 name of the computer object. However, the object's common name doesn't change and you cannot change it using the Users and Computers snap-in. Instead, you must use ADSI Edit, which is part of Support Tools.

NOTE

You cannot rename domain controllers.
