07/06/13 Module 5: Managing Computer Accounts
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=7&FontSize=3&FontType=segoe 1/99
Module 5: Managing Computer Accounts
Contents:
Lesson 1: Create Computers and Join the Domain
Lab A: Create Computers and Join the Domain
Lesson 2: Administer Computer Objects and Accounts
Lab B: Administer Computer Objects and Accounts
Lesson 3: Offline Domain Join
Lab C: Perform an Offline Domain Join
Module Overview
Computers in a domain are security principals, like users. They have an account with a logon name and password that Windows changes automatically every 30 days or so. They authenticate with the domain. They can belong to groups, have access to resources, and be configured by Group Policy. In addition, like users, computers sometimes lose track of their passwords, require a reset, or have accounts that need to be disabled or enabled.
Managing computers, both the objects in Active Directory and the physical devices, is one of the day-to-day tasks of most IT professionals. New systems are added to your organization, computers are taken offline for repairs, machines are exchanged between users or roles, and older equipment is retired or upgraded, leading to an excess of replacement systems. Each of these activities requires managing the identity of the computer represented by its object, or account, in Active Directory.
Unfortunately, most enterprises do not invest the same kind of care and process in the creation and management of computer accounts as they do for user accounts, even though both are security principals. In this module, you will learn how to create computer objects, which include attributes that are required for the objects to be accounts. You will learn how to support computer accounts through their life cycle, including configuring, troubleshooting, repairing, and deprovisioning computer objects. You will also deepen your understanding of the process through which a computer joins a domain, so that you can identify and avoid potential points of failure. In the third lesson of this module, you will be introduced to a new feature of Windows Server 2008 R2 Active Directory, called Offline Domain Join. This feature enables administrators to join computers to a domain even if the computers do not have a connection to the corporate network.
Objectives
After completing this module, you will be able to:
Create computer accounts and join them to a domain.
Administer computer objects and accounts by using the Windows interface and command-line tools.
Describe and perform the Offline Domain Join process.
Lesson 1: Create Computers and Join the Domain
The default configuration of Windows Server 2008 and of all other versions of Windows server and client operating systems is that the computer belongs to a workgroup. Before you can log on to a computer with a domain account, that computer must belong to the domain. To join the domain, the computer must have an account in the domain, which, like a user account, includes a logon name (the sAMAccountName attribute), a password, and a security identifier (SID) that uniquely represents the computer as a security principal in the domain. Those credentials allow the computer to authenticate against the domain and to create a secure relationship that then allows users to log on to the system with domain accounts. In this lesson, you will learn the steps to prepare the domain for a new computer account, and you will explore the process through which a computer joins the domain.
Objectives
After completing this lesson, you will be able to:
Understand the relationship between a domain member and the domain, in terms of identity and access.
Identify the requirements for joining a computer to the domain.
Prestage a computer account.
Join a computer to the domain.
Redirect the default computer container.
Prevent nonadministrative users from creating computers and joining the domain.
Use command-line tools to import, create, and join computers.
Workgroups, Domains, and Trusts
In a workgroup, each system maintains an identity store of user and group accounts against which users can be authenticated and access can begin. The local identity store on each computer is called the Security Accounts Manager (SAM) database. If a user logs on to a workgroup machine, the system authenticates the user against its local SAM database. If a user connects to another system to access a shared folder, the user is reauthenticated against the identity store of the remote system and will probably be prompted to enter a new set of credentials for the remote system. From a security perspective, a workgroup computer is, for all intents and purposes, a stand-alone system.
When a computer joins a domain, it delegates the task of authenticating users to the domain. Although the computer continues to maintain its SAM database to support local user and group accounts, user accounts will typically be created in the central domain directory. When a user logs on to the computer with a domain account, the user is authenticated by a domain controller, rather than by the SAM. In other words, the computer now trusts another authority to validate a user's identity. Trust relationships are generally discussed in the context of two domains, as you will learn in another module, but there is also a trust between each domain member computer and its domain that is established when the computer joins the domain. Because all domain member computers trust the domain, they also trust each account that is authenticated by that domain. This allows users with an account in Active Directory to access resources on various servers with only one set of credentials.
Requirements for Joining a Computer to the Domain
Three conditions are required for you to join a computer to an Active Directory domain:
A computer object should be created in the directory service.
You must have appropriate permissions to the computer object. The permissions allow you to join a computer with the same name as the object to the domain.
You must be a member of the local Administrators group on the computer to change its domain or workgroup membership.
The remainder of this lesson examines each of these requirements.
Note: It is not mandatory to create a computer object in the directory service, but it is highly recommended. However, many administrators join computers to a domain without first creating a computer object. When you do this, Windows attempts to join the domain to an existing object. When Windows does not find the object, it falls back and creates a computer object in the default computer container. The step of creating a computer object, either by an administrator before the join or by Windows during the join, is necessary before the computer can join the domain. It is still a requirement. It uses a different set of permissions in Active Directory (your permission to create a computer object) than the join itself, and if you do not happen to have permissions to create computer objects in the default computer container, the join will fail. The bottom line is that it is a requirement for the computer object to exist prior to the join, but Windows helps meet that requirement automatically.
The Computers Container and Organizational Units
Before you create a computer object in the directory service, you must have a place to put it.
The Default Computers Container
When you create a domain, the Computers container is created by default (CN=Computers). This container is not an organizational unit (OU); it is an object of the Container class. There are subtle but important differences between a container and an OU. You cannot create an OU within a container, so you cannot subdivide the Computers container, and you cannot link a Group Policy object to a container. Therefore, we highly recommend that you create custom OUs to host computer objects, instead of using the Computers container.
OUs for Computers
Most organizations create at least two OUs for computer objects: one to host computer accounts for client computers (desktops, laptops, and other user systems) and another for servers. These two OUs are in addition to the Domain Controllers OU created by default during the installation of Active Directory. In each of these OUs, computer objects are created. There is no technical difference between a computer object in a client's OU and a computer object in a server's or domain controller's OU: computer objects are computer objects. However, separate OUs are typically created to provide unique scopes of management, so that you can delegate management of client objects to one team and management of server objects to another.
Your administrative model might necessitate further dividing your client and server OUs. Many organizations create sub-OUs beneath a server OU to collect and manage specific types of servers, for example, an OU for file and print servers and an OU for database servers. By doing so, the team of administrators for each type of server can be delegated permissions to manage computer objects in the appropriate OU. Similarly, geographically distributed organizations with local desktop support teams often divide a parent OU for clients into sub-OUs for each site. This approach enables each site's support team to create computer objects in the site for client computers, and join computers to the domain using those computer objects. This is an example only. What is most important is that your OU structure reflects your administrative model so that your OUs provide single points of management for the delegation of administration.
Additionally, separate OUs allow you to create different baseline configurations using different Group Policy objects (GPOs) linked to the client and the server OUs. Group Policy, discussed in detail in another module, allows you to specify configuration for collections of computers by linking GPOs that contain configuration instructions to OUs. It is common for organizations to separate clients into desktop and laptop OUs. GPOs specifying desktop or laptop configuration can then be linked to appropriate OUs.
If your organization has decentralized, site-based administration and wants to manage unique configurations for desktops and laptops, you face a design dilemma. Should you divide your clients OU based on administration and then subdivide desktops and laptops, or should you divide your clients OU into desktop and laptop OUs, and then subdivide based on administration? The options are illustrated as follows.
Because the primary design driver for Active Directory OUs is the efficient delegation of administration through the inheritance of access control lists (ACLs) on OUs, the design on the left would be recommended.
Delegating Permission to Create Computers
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have permission to create computer objects in any new OU. However, as discussed in the module about groups, we recommend that you tightly restrict membership in the first three groups, and that you do not add administrators to the Account Operators group.
Instead, you should delegate the permission to create computer objects to appropriate administrators or support personnel. The permission required to create a computer object is Create Computer Objects. This permission, assigned to a group for an OU, allows members of the group to create computer objects in that OU. For example, you might allow your desktop support team to create computer objects in the clients OU, and allow your file server administrators to create computer objects in the file servers OU.
The permissions required to perform computer management tasks are listed in the topic "Secure Computer Creation and Joins." Module 8 details the process of delegation.
Prestage a Computer Account
You can and should create a computer account in the correct OU before joining the computer to the domain. This process of creating a computer account in advance is called prestaging a computer.
After you have been given permission to create computer objects, you can do so by right-clicking the OU and choosing Computer from the New menu. The New Object - Computer dialog box, shown below, appears:
Enter the computer name, following the naming convention of your enterprise, and select the user or group that will be allowed to join the computer to the domain with this account. The two computer names, Computer Name and Computer Name (Pre-Windows 2000), should be the same: there is very rarely, if ever, a justification for configuring them separately.
Note: The permissions that are applied to the user or group you select in the wizard are more than necessary simply to join a computer to the domain. The selected user or group is also given the ability to modify the computer object in other ways. For guidance regarding a least-privilege approach to delegating permission to join a computer to the domain, see Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
The process you complete to create a computer account before joining the computer to the domain is called prestaging the account.
There are two major advantages of prestaging a computer:
The account is in the correct OU and is therefore delegated according to the security policy defined by the access control list (ACL) of the OU.
The computer is within the scope of GPOs linked to the OU, before the computer joins the domain.
Join a Computer to the Domain
By prestaging the computer object, you fulfill the first two requirements for joining a computer to a domain: the computer object exists, and you have specified who has permissions to join a computer with the same name to the domain. Now, a local administrator of the computer can change the computer's domain membership and enter the specified domain credentials to successfully complete the process.
To join a computer to the domain, perform the following steps:
1. Log on to the computer with credentials that belong to the local Administrators group on the computer.
Only local administrators can alter the domain or workgroup membership of a computer.
2. Open the System Properties dialog box by using one of the following methods:
In Windows XP, Windows Server 2003:
Open the System Properties dialog box by doing one of the following:
Right-click My Computer, and then click Properties.
Press Windows Logo+Pause.
In Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:
a. Open the System Properties dialog box by doing one of the following:
Right-click Computer, and then click Properties.
Press Windows Logo+Pause.
b. In the Computer name, domain, and workgroup settings section, click Change Settings.
c. If prompted by User Account Control, click Continue or enter administrative credentials as appropriate.
3. Click the Computer Name tab.
4. Click Change.
5. Under Member Of, click Domain.
6. Type the name of the domain you want to join.
Note: Use the full DNS name of the domain. Not only is this more accurate and more likely to succeed, but if it does not succeed, it indicates that there could be a problem with DNS name resolution that should be rectified before joining the machine to the domain.
7. Click OK.
8. Windows prompts for the credentials of your user account in the domain.
The domain checks to see if a computer object already exists with the name of the computer. One of the following three things happens:
If the object exists and a computer with that name has already joined the domain, an error is returned, and you cannot join the computer to the domain.
If the object exists and it is prestaged (a computer with the same name has not joined the domain), the domain confirms that the domain credentials you entered have permission to join the domain using that account. These permissions were discussed in the section "Prestaging a Computer Account."
If the computer account is not prestaged, Windows checks to see if you have permissions to create a new computer object in the default computer container. If you do have permissions to create a new computer object in the default computer container, the object is created with the name of the computer. This method of joining a domain is supported for backwards compatibility, but is not recommended. We recommend that you prestage the account as indicated earlier, and as detailed in the next section, "Secure Computer Creation and Joins."
The computer then joins the domain by assuming the identity of its Active Directory object. It configures its SID to match the domain computer account's SID and sets an initial password with the domain. The computer then performs other tasks related to joining the domain. It adds the Domain Admins group to the local Administrators group and the Domain Users group to the local Users group.
9. You are prompted to restart the computer. Click OK to close this message box.
10. Click Close (in Windows Vista) or OK (in Windows XP) to close the System Properties dialog box.
11. You are prompted again to restart the computer, after which the system is fully a member of the domain, and you can log on by using domain credentials.
Secure Computer Creation and Joins
Creating computer accounts and joining computers to a domain are security-sensitive operations.
Therefore, it is very important that these steps are as secure as possible.
Prestage Computer Objects
The best practice is to prestage a computer account prior to joining the machine to the domain. However, Windows allows you to join a computer to a domain without following this best practice. You can log on to a workgroup computer as a local administrator and change the computer membership to the domain. On demand, Windows creates a computer object in the default computer container, gives you permission to join a computer to that object, and then proceeds to join the system to the domain.
There are three problems with this Windows process:
First, the computer account created automatically by Windows is placed in the default computer container, which is not where the computer object belongs in most enterprises.
Second, you must move the computer from the default computer container into the correct OU, which is an extra step that is often forgotten.
Third, any domain user can also do this; no domain-level administrative permissions are required. Any user can join any computer to the domain if you don't manage and secure the process. Because a computer object is a security principal, and because the creator of a computer object owns the object and can change its attributes, this exposes a potential security vulnerability. The next sections detail these disadvantages.
Configuring the Default Computer Container
When you join a computer to the domain and the computer object does not already exist in Active Directory, Windows automatically creates a computer account in the default computer container, which is called Computers (CN=Computers,DC=domain) by default. The problem with this relates to the discussion of OU design earlier in the lesson. If you have implemented the best practices described there, you have delegated permissions to administer computer objects in specific OUs for clients and servers. Additionally, you might have linked GPOs to those OUs to manage the configuration of these computer objects. If a new computer object is created outside of those OUs, in the default computer container, the permissions and configuration it inherits from its parent container will be different than what it should have received. You will then need to remember to move the computer from the default container to the correct OU after joining the domain.
There are two recommended steps to reduce the likelihood of this problem. First, you should attempt to always prestage computer accounts. If an account is prestaged for a computer in the correct OU, when the computer joins the domain, it will use the existing account and will be subject to the correct delegation and configuration.
Second, to reduce the impact of systems being joined to the domain without a prestaged account, you should change the default computer container so that it is not the Computers container itself, but instead is an OU that is subject to appropriate delegation and configuration. For example, if you have an OU called New Clients, you can instruct Windows to use that OU as the default computer container, so that if computers are joined to the domain without prestaged accounts, the objects are created in the New Clients OU.
The redircmp.exe command is used to redirect the default computer container with the following syntax.
redircmp "DN of OU for new computer objects"
Now, if a computer joins the domain without a prestaged computer account, Windows creates the computer object in the specified organizational unit. On this OU, you can apply some baseline GPO settings that affect all computers in the domain.
Note: The same concepts apply to the creation of user accounts. By default, if a user account is created by using a legacy practice that does not specify the OU for the account, the object is created in the default user container (CN=Users,DC=domain, by default). The redirusr.exe command can be used to redirect the default container to an actual OU that is delegated and configured appropriately. Redirusr, like redircmp, takes a single option: the distinguished name (DN) of the OU that will become the default user container.
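The redirection step above, scripted so that it can be verified: this is an added example written for this page, not courseware or Microsoft code. It assumes the Active Directory module for Windows PowerShell and redircmp.exe are available (a domain controller or RSAT), that the caller is a Domain Admin, and that the OU name New Clients is your choice. Get-ADDomain exposes the current default container as ComputersContainer, which is what redircmp rewrites, so the script reads it before and after the change instead of trusting the command's exit code alone.

```powershell
# Added example (not from the courseware): check and redirect the default
# computer container. Assumes the Active Directory module and redircmp.exe
# are available and the caller is a Domain Admin. The OU name "New Clients"
# is an assumed value; substitute your own OU.
Import-Module ActiveDirectory

function Get-DefaultComputerContainer {
    # Get-ADDomain reports the container that non-prestaged joins land in
    # (the wellKnownObjects entry on the domain head that redircmp changes).
    (Get-ADDomain).ComputersContainer
}

function Set-DefaultComputerContainer {
    param(
        [Parameter(Mandatory)] [string] $OUName,   # e.g. 'New Clients'
        [switch] $WhatIf
    )
    $domainDN = (Get-ADDomain).DistinguishedName
    $targetDN = "OU=$OUName,$domainDN"

    # Create the OU if it does not exist yet; protect it from accidental
    # deletion, as the Active Directory Users and Computers wizard does.
    try {
        $null = Get-ADOrganizationalUnit -Identity $targetDN -ErrorAction Stop
    } catch {
        if ($WhatIf) { Write-Host "Would create $targetDN"; return }
        New-ADOrganizationalUnit -Name $OUName -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }

    $before = Get-DefaultComputerContainer
    if ($before -eq $targetDN) {
        Write-Host "Default computer container is already $targetDN"
        return
    }
    if ($WhatIf) { Write-Host "Would run: redircmp.exe `"$targetDN`""; return }

    # redircmp takes exactly one argument: the DN of the new default container.
    & redircmp.exe $targetDN
    if ($LASTEXITCODE -ne 0) { throw "redircmp.exe failed with exit code $LASTEXITCODE" }

    # Verify the change was actually written before relying on it.
    $after = Get-DefaultComputerContainer
    if ($after -ne $targetDN) { throw "Redirection not applied: container is still $after" }
    Write-Host "Default computer container changed from $before to $after"
}

# Usage:
# Get-DefaultComputerContainer                      # typically CN=Computers,DC=contoso,DC=com
# Set-DefaultComputerContainer -OUName 'New Clients' -WhatIf
# Set-DefaultComputerContainer -OUName 'New Clients'
```

redircmp requires the domain functional level to be Windows Server 2003 or higher; the same pattern applies to redirusr with UsersContainer from Get-ADDomain.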
Restricting the Ability of Users to Create Computers
When a computer account is prestaged, the permissions on the account determine who is allowed to join that computer to the domain. When an account is not prestaged, Windows will, by default, allow any authenticated user to create a computer object in the default computer container. In fact, Windows will allow any authenticated user to create 10 computer objects in the default computer container. The creator of a computer object, by default, has permission to join that computer to the domain. It is through this mechanism that any authenticated user can join 10 computers to the domain without any explicit permission to do so.
The 10-computer quota is configured by the ms-DS-MachineAccountQuota attribute of the domain. It allows any authenticated user to join a machine to the domain, no questions asked. This is problematic from a security perspective because computers are security principals, and the creator of a security principal has permission to manage that computer's properties. In a way, the quota is like allowing any domain user to create 10 user accounts, without any controls.
We highly recommend that you close this loophole, so that nonadministrative users cannot join machines to the domain. To change the ms-DS-MachineAccountQuota attribute, perform the following steps:
1. Open the ADSI Edit MMC console from the Administrative Tools folder.
2. Right-click ADSI Edit, and then click Connect To.
3. In the Connection Point section, click Select A Well Known Naming Context, and then select Default Naming Context from the drop-down list.
4. Click OK.
5. In the console tree, expand Default Naming Context.
6. Right-click the domain folder (dc=contoso,dc=com, for example) and then click Properties.
7. Click ms-DS-MachineAccountQuota, and then click Edit.
8. Type 0.
9. Click OK.
The Authenticated Users group is also assigned the user right to add workstations to the domain, but you do not have to modify this right if you have changed the default value of the ms-DS-MachineAccountQuota attribute.
After you have changed the ms-DS-MachineAccountQuota attribute to 0, you can be assured that the only users who can join computers to the domain are those who have been specifically delegated permission to join prestaged computer objects or to create new computer objects.
After you've eliminated this loophole, you must ensure you have given appropriate administrators explicit permission to create computer objects in the correct OUs, as described in the "Delegating Permission to Create Computers" section, otherwise the following error message will appear.
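The ADSI Edit procedure above, as an added PowerShell example (written for this page, not courseware or Microsoft code): it reads the quota, sets it to 0 and verifies the write, and then lists the computer objects that were created through the quota before it was closed. It assumes the Active Directory module and an account allowed to modify the domain object. The audit relies on the mS-DS-CreatorSID attribute, which the directory stamps on a computer object when it is created by a user who is relying on the quota rather than on an explicit Create Computer Objects permission; those are the objects whose creator, as the text notes, still owns and can modify them.

```powershell
# Added example (not from the courseware): report and close the
# ms-DS-MachineAccountQuota loophole, then list computers created through it.
# Assumes the Active Directory module and rights to modify the domain head.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    $domainDN = (Get-ADDomain).DistinguishedName
    $obj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
    [int]$obj.'ms-DS-MachineAccountQuota'      # default is 10
}

function Set-MachineAccountQuota {
    param([int] $Quota = 0)
    $domainDN = (Get-ADDomain).DistinguishedName
    # Same write the ADSI Edit steps perform: replace the attribute on the domain object.
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
    $now = Get-MachineAccountQuota
    if ($now -ne $Quota) { throw "Quota is $now, expected $Quota" }
    $now
}

function Get-QuotaCreatedComputers {
    # mS-DS-CreatorSID holds the SID of a non-administrator who created the
    # object under the quota; prestaged objects created by delegated admins
    # do not carry it. These objects deserve review: their creator owns them.
    Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            $raw = $_.'mS-DS-CreatorSID'
            # The module may return the value as a SecurityIdentifier or as raw bytes.
            $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
                   else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
            $creator = $sid.Value
            try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Name        = $_.Name
                Container   = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
                Creator     = $creator
                WhenCreated = $_.whenCreated
            }
        }
}

# Usage:
# Get-MachineAccountQuota                  # 10 in an untouched domain
# Set-MachineAccountQuota -Quota 0         # close the loophole
# Get-QuotaCreatedComputers | Format-Table -AutoSize
```

Setting the quota to 0 does not touch objects that already exist; the third function is there so you can move those objects into the correct OU and re-evaluate who owns them.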
Delegating Computer Management
The fourth task to improve the security of computer accounts is to delegate computer management tasks at the OU level. Delegation is discussed in Module 8. The following dsacls commands can be used to delegate computer management tasks:
Create a computer.
dsacls "DN of OU" /I:T /G "DOMAIN\group":CC;computer
Delete a computer.
dsacls "DN of OU" /I:T /G "DOMAIN\group":DC;computer
Join a computer to the domain.
dsacls "DN of OU" /I:S /G "DOMAIN\group":"Validated write to DNS host name";computer
dsacls "DN of OU" /I:S /G "DOMAIN\group":"Validated write to service principal name";computer
dsacls "DN of OU" /I:S /G "DOMAIN\group":CA;"Reset Password";computer
dsacls "DN of OU" /I:S /G "DOMAIN\group":WP;"Account Restrictions";computer
The preceding four commands should be entered at the command prompt with no space after the colon.
Move a computer.
Requires permissions to delete computers in the source OU and create computers in the destination OU. Even though a move does not actually delete or create the account, this is the permission that is used by the access check.
Question: What two factors determine whether you can join a computer account to the domain?
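An added example for auditing the delegations above (written for this page, not courseware or Microsoft code): dsacls stores each grant as an ACE whose object type and inherited object type are GUIDs, so verifying that a group has exactly the create, delete and join rights intended means resolving those GUIDs back to the names in the commands. The script does that by reading schemaIDGUID from the schema partition and rightsGuid from CN=Extended-Rights in the configuration partition rather than hard-coding values. It assumes the Active Directory module (which provides the AD: drive) and read access to both partitions; the OU and group names in the usage lines are assumed.

```powershell
# Added example (not from the courseware): list what is delegated on an OU
# for computer objects, resolving ACE GUIDs to the class and right names used
# in the dsacls commands. Assumes the Active Directory module; OU and group
# names below are assumed values.
Import-Module ActiveDirectory

function Get-ADGuidNameMap {
    # GUID -> name for schema classes/attributes (e.g. "computer") and for
    # extended rights, validated writes and property sets (e.g. "Reset Password",
    # "Validated write to DNS host name", "Account Restrictions").
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    $map
}

function Resolve-AceGuid {
    param([hashtable] $Map, [guid] $Guid)
    if ($Guid -eq [guid]::Empty) { return '(all)' }     # ACE is not object-specific
    if ($Map.ContainsKey($Guid)) { return $Map[$Guid] }
    return $Guid.ToString()
}

function Get-ComputerDelegation {
    param(
        [Parameter(Mandatory)] [string] $OUDistinguishedName,   # e.g. 'OU=Clients,DC=contoso,DC=com'
        [string] $Identity                                        # optional, e.g. 'CONTOSO\Desktop Support'
    )
    $map = Get-ADGuidNameMap
    $computerClass = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext `
                        -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"

    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # only what was delegated on this OU itself
        if ($Identity -and $ace.IdentityReference.Value -ne $Identity) { continue }
        # "CC;computer" / "DC;computer" put the class GUID in ObjectType; the /I:S
        # join rights put it in InheritedObjectType. Keep either kind of ACE.
        if ($ace.ObjectType -ne $computerClass -and $ace.InheritedObjectType -ne $computerClass) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Object    = Resolve-AceGuid $map $ace.ObjectType
            AppliesTo = Resolve-AceGuid $map $ace.InheritedObjectType
            Inherit   = $ace.InheritanceType
        }
    }
}

# Usage:
# Get-ComputerDelegation -OUDistinguishedName 'OU=Clients,DC=contoso,DC=com' | Format-Table -AutoSize
# Get-ComputerDelegation -OUDistinguishedName 'OU=Clients,DC=contoso,DC=com' -Identity 'CONTOSO\Desktop Support'
```

A group that was delegated through the New Object - Computer wizard rather than through these four commands will show broader rights (typically a generic write on the object) in the Rights column, which is the difference the earlier note about least privilege refers to.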
Automate Computer Account Creation
The steps you have learned for creating a computer account become burdensome if you are tasked with creating dozens or even hundreds of computer accounts at the same time. Commands such as Comma-Separated Value Directory Exchange (CSVDE), Lightweight Directory Access Protocol (LDAP) Data Interchange Format Directory Exchange (LDIFDE), and DSAdd can import and automate the creation of computer objects. Scripts can also allow you to provision computer objects, that is, to perform business logic such as the enforcement of computer naming conventions. Also, if you are using Windows Server 2008 R2, you can use Windows PowerShell with the Active Directory Module to automate the creation of computer accounts.
Import Computers with CSVDE
CSVDE is a command-line tool that imports or exports Active Directory objects from or to a comma-delimited text file (also known as a comma-separated value text file, or .csv file). The basic syntax of the CSVDE command is:
csvde [-i] [-f "Filename"] [-k]
The -i option specifies import mode; without it, the default mode of CSVDE is export. The -f option identifies the file name to import from or export to. The -k option is useful during import operations, because it instructs CSVDE to ignore errors, including "object already exists," "constraint violation," and "attribute or value already exists."
Comma-delimited files can be created, modified, and opened with tools as familiar as Notepad and Microsoft Office Excel. The first line of the file defines the attributes by their LDAP attribute names. Each object follows, one per line, and must contain exactly the attributes listed on the first line. A sample file is shown in Excel as follows.
When importing computers, be sure to include the userAccountControl attribute, and set it to 4096. This attribute ensures that the computer will be able to join the account. Also include the pre-Windows 2000 logon name of the computer, the sAMAccountName attribute, which is the name of the computer followed by a dollar sign ($), as shown in the preceding sample.
Import Computers with LDIFDE
LDIFDE.exe imports data from files in the LDAP Data Interchange Format (LDIF) format. LDIF files are text files within which operations are specified by a block of lines separated by a blank line. Each operation begins with the DN attribute of the object that is the target of the operation. The next line, changeType, specifies the type of operation: add, modify, or delete.
The following listing is an LDIF file that will create a computer account in the Servers OU.
dn: CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: FILE25
userAccountControl: 4096
sAMAccountName: FILE25$
The basic syntax of the LDIFDE command is similar to that of the CSVDE command.
ldifde [-i] [-f "Filename"] [-k]
By default, LDIFDE is in export mode. The -i option specifies the import mode. You must specify -f to identify the file you are using for import or export. LDIFDE will stop when it encounters errors, unless you specify the -k option, in which case LDIFDE continues processing.
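The CSVDE and LDIFDE sections both describe the same import data (DN, object class, name, sAMAccountName with the trailing $, userAccountControl 4096) in two file formats, and the lesson opening notes that scripts are where naming conventions get enforced. The following added example (written for this page, not courseware or Microsoft code) generates both files from one list of names after validating every name against a convention, so that a bad name is rejected before it reaches the directory. The convention (site code, hyphen, D or L for desktop or laptop, four digits), the OU and the sample names are assumed values; csvde.exe and ldifde.exe are assumed to be available.

```powershell
# Added example (not from the courseware): build CSVDE and LDIFDE input files
# for a batch of prestaged computers, enforcing an assumed naming convention
# first. The convention, OU and names are constructed sample values.

$NamePattern = '^(NYC|LON|SYD)-(D|L)\d{4}$'   # assumed: SITE-D0001 (desktop) / SITE-L0001 (laptop)

function Test-ComputerName {
    param([Parameter(Mandatory)] [string] $Name)
    # NetBIOS names are limited to 15 characters; sAMAccountName adds the trailing $.
    ($Name.Length -le 15) -and ($Name -match $NamePattern)
}

function New-ComputerImportFiles {
    param(
        [Parameter(Mandatory)] [string[]] $Names,
        [Parameter(Mandatory)] [string]   $OUPath,      # e.g. 'OU=NYC,OU=Client Computers,DC=contoso,DC=com'
        [string] $CsvPath  = "$env:TEMP\computers.csv",
        [string] $LdifPath = "$env:TEMP\computers.ldf"
    )
    $bad = @($Names | Where-Object { -not (Test-ComputerName $_) })
    if ($bad.Count -gt 0) { throw "Names violate the convention: $($bad -join ', ')" }

    # CSVDE: the first line lists LDAP attribute names; each object follows on
    # one line with exactly those attributes. 4096 = WORKSTATION_TRUST_ACCOUNT.
    $csv = @('DN,objectClass,name,sAMAccountName,userAccountControl')
    # LDIFDE: one block per operation, blocks separated by a blank line.
    $ldif = @()
    foreach ($n in $Names) {
        $dn = "CN=$n,$OUPath"
        $csv  += "`"$dn`",computer,$n,$n`$,4096"     # DN quoted because it contains commas
        $ldif += "dn: $dn", 'changetype: add', 'objectClass: computer', "cn: $n",
                 "sAMAccountName: $n`$", 'userAccountControl: 4096', ''
    }
    Set-Content -Path $CsvPath  -Value $csv  -Encoding ASCII
    Set-Content -Path $LdifPath -Value $ldif -Encoding ASCII
    [pscustomobject]@{ Csv = $CsvPath; Ldif = $LdifPath; Count = $Names.Count }
}

# Constructed sample input. The files are written; nothing is imported until
# you run one of the two commands at the end.
$files = New-ComputerImportFiles -Names 'NYC-D0001', 'NYC-D0002', 'NYC-L0001' `
                                 -OUPath 'OU=NYC,OU=Client Computers,DC=contoso,DC=com'
Get-Content $files.Csv
Get-Content $files.Ldif

# Import with one tool or the other, not both: the second run would hit
# "object already exists" on every line, which -k silently skips.
# csvde -i -f $files.Csv -k
# ldifde -i -f $files.Ldif -k
```

Specifying only objectClass: computer is enough for an add; the directory fills in the superclasses (top, person, organizationalPerson, user) that the listing above spells out explicitly.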
Create Computer Accounts with DSAdd and PowerShell
The DSAdd command is used to create objects in Active Directory. To create computer objects, simply type the following command.
dsadd computer ComputerDN
where ComputerDN is the distinguished name (DN) of the computer, such as CN=DESKTOP123,OU=NYC,OU=Client Computers,DC=contoso,DC=com.
If the computer's DN includes a space, surround the entire DN with quotation marks.
The DSAdd Computer command can take the following options after the DN option:
-samid ComputerName
-desc Description
-loc Location
Note: Content in the following section is specific to Windows Server 2008 R2.
You can also use the Active Directory module for Windows PowerShell to create a computer account in AD DS. The following example demonstrates how to create a new computer, DESKTOP123, in the Client Computers OU in the contoso.com domain.
New-ADComputer -Name DESKTOP123 -SamAccountName DESKTOP123 -Path 'OU=Client Computers,DC=contoso,DC=com'
For a full explanation of the parameters that you can pass to New-ADComputer, at the Active Directory module command prompt, type Get-Help New-ADComputer -detailed, and then press Enter.
Create and Join Computers with NetDom and PowerShell
The NetDom command is also able to perform a variety of domain account and security tasks from the command prompt. You can use NetDom to create a computer account by typing the following command.

netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]
This command creates the computer account for ComputerName in the domain indicated by the /domain option, using the credentials specified by /UserD and /PasswordD. The /ou option causes the object to be created in the OU specified by the organizational unit distinguished name (OUDN) that follows the option. If no OUDN is supplied, the computer account is created in the default computer container. The user credentials must, of course, have permission to create computer objects.
Using NetDom.exe
The NetDom.exe command allows you to join a computer to the domain from the command prompt. The basic syntax of the command is as follows.

netdom join MachineName /Domain:DomainName [/OU:"OUDN"] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]

It can be useful to join a machine to a domain from the command prompt. First, the join can be included in a script that performs other actions. For example, you could create a batch file that creates the computer account by using NetDom or DSAdd (the latter of which allows you to specify other attributes, including description) and then joins the machine to that account by using NetDom. Second, NetDom.exe can be used to remotely join a machine to the domain.
Third, NetDom.exe allows you to specify the OU for the computer object. The command's options are, for the most part, self-explanatory. /UserO and /PasswordO are credentials that are members of the workgroup computer's local Administrators group. Specifying * for the password causes NetDom.exe to prompt for the password at the command prompt, which keeps it out of batch files and command history. /UserD and /PasswordD are domain credentials with permission to create a computer object, if the account is not prestaged, or to join a computer to a prestaged account. The /REBoot option causes the system to reboot after joining the domain; the default timeout is 30 seconds. The /SecurePasswordPrompt option displays a pop-up for credentials when * is specified for either /PasswordO or /PasswordD.

Note: If you want to use NetDom remotely, the Windows Firewall configuration on the computer that will be joined to the domain must allow Network Discovery and Remote Administration.
Using Windows PowerShell
Note: Content in the following section is specific to Windows Server 2008 R2.

Besides the netdom command, you can also use Windows PowerShell to join the local machine to a domain. Use the Add-Computer cmdlet; it is part of the core Microsoft.PowerShell.Management module, so it does not require the Active Directory module to be installed on the machine being joined.
The following example adds the local computer on which the command is being run to the contoso.com domain. The local computer is added to the OU in the directory that is specified by the -OUPath parameter, using the credentials of the currently logged-on user. The domain is given by its fully qualified name so that the join also verifies that DNS can locate the domain. You must run this command on the local computer.

Add-Computer -DomainName contoso.com -OUPath 'OU=Client Computers,DC=contoso,DC=com'

For a full explanation of the parameters that you can pass to Add-Computer, at the Windows PowerShell command prompt, type Get-Help Add-Computer -detailed, and then press Enter.
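The following added example (not part of the course) scripts a domain join the way the NetDom and Add-Computer sections describe, but first performs the DNS check that Lab A, Task 1 demonstrates by hand: it fails early, with the client's DNS server list, if the SRV record the DC locator depends on does not resolve. It assumes an elevated session on the machine being joined, PowerShell 3.0 or later (Resolve-DnsName and Get-DnsClientServerAddress ship with Windows 8 and Windows Server 2012 and later; on Windows Server 2008 R2 use nslookup -type=SRV instead), and that the Client Computers OU exists.

```powershell
# Added example (not from the course): join the local machine to contoso.com
# only after DNS proves it can locate a domain controller.
$domain = 'contoso.com'
$ouPath = 'OU=Client Computers,DC=contoso,DC=com'   # assumed to exist

# The DC locator starts from this SRV record. If it does not resolve, a join
# that uses the FQDN fails exactly like the GUI join in Lab A, Task 1.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses }).ServerAddresses -join ', '
    throw "No DC SRV records for $domain via DNS servers [$dnsServers]. Fix the client's DNS settings before joining."
}
Write-Host "DCs advertised for ${domain}: $(($srv.NameTarget | Sort-Object -Unique) -join ', ')"

# Prompt for the domain credential rather than embedding it in the script.
# The account needs only the right to join the pre-staged account (or to
# create computer objects in $ouPath), not membership in Domain Admins.
$cred = Get-Credential -Message "Account permitted to join $domain"

# Use the FQDN, not the NetBIOS name, so the join itself exercises DNS.
# -PassThru returns a result object so success can be checked before the
# mandatory restart.
$result = Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -PassThru
if (-not $result.HasSucceeded) {
    throw "Join of $($result.ComputerName) to $domain failed"
}
Restart-Computer -Force
```

A join that only works with the NetBIOS name (contoso) is relying on broadcast or WINS resolution; passing the DNS check first ensures the machine will also be able to find domain controllers and other services after the reboot.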
Lab A: Create Computers and Join the Domain
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1 and 6425C-NYC-DC2, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman_Admin
Password: Pa$$w0rd
Domain: Contoso
5. Open Windows Explorer on 6425C-NYC-DC1 and then browse to D:\Labfiles\Lab05a.
6. Run Lab05a_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin, with the password Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab05a.
9. In Hyper-V Manager, click 6425C-NYC-SVR2, and in the Actions pane, click Start.
10. In the Actions pane, click Connect. Wait until the virtual machine starts. Do not log on to NYC-SVR2 until directed to do so.
Lab Scenario
You are an administrator for Contoso, Ltd. During a security audit, it was identified that there is no control over the creation of new computer accounts: both clients and servers are being added to the domain with no assurance that process is being followed. In fact, a number of computer accounts were discovered in the Computers container. These computer objects were for active computer accounts, but the computers had not been created in or moved to the correct OUs within the Client Computers or Servers OUs according to standard procedures. You've been tasked with improving the procedures.
Exercise 1: Join a Computer to the Domain with the Windows Interface
In this exercise, you will join a computer to the domain using the Windows interface, and then you will remove the machine from the domain.

The main tasks for this exercise are as follows:

1. Identify and correct a DNS configuration error.
2. Join NYC-SVR2 to the domain.
3. Verify the location of the NYC-SVR2 account.
4. Remove NYC-SVR2 from the domain.
5. Delete the NYC-SVR2 account.
Task 1: Identify and correct a DNS configuration error.
1. Log on to NYC-SVR2 as Administrator, with the password Pa$$w0rd.
2. Open System Properties by using one of the following methods:
Click Start, right-click Computer, and then click Properties.
Open System from Control Panel.
Press the Windows logo key and the Pause key.
3. Attempt to join the computer to the domain, contoso.com, being sure to use the fully qualified domain name (contoso.com) rather than the NetBIOS name for the domain (contoso).
Doing so tests that DNS is configured correctly on the client for locating the domain.
4. Change the DNS server configuration on the client to 10.0.0.10.

Question: Why might the join have succeeded if you had used the domain name contoso, instead of contoso.com? What might go wrong after the domain was successfully joined but with DNS incorrectly configured?

Answer: The use of the fully qualified name forced the name resolution process to use DNS, and because DNS failed, the domain join failed. The domain name contoso is a flat domain name that could be resolved through NetBIOS name resolution (broadcast or WINS). Even though the domain join would be successful, the client would likely have problems locating domain controllers in other sites and locating other resources in the domain, because the domain controller locator depends on the SRV records in DNS. Performing the join with a fully qualified domain name ensures that DNS is functioning before joining the domain.
Task 2: Join NYC-SVR2 to the domain.
1. Join NYC-SVR2 to the domain. When prompted for domain credentials, enter the user name Aaron.Painter and the password Pa$$w0rd.
2. Note that Aaron.Painter is a standard user in the contoso.com domain. He has no special rights or permissions, and yet he is able to join a computer to the domain (by default, ms-DS-MachineAccountQuota allows any authenticated user to add up to 10 computers). He does have to be logged on to the computer with an account that is a member of the computer's Administrators group.
3. Allow the system to restart.
Task 3: Verify the location of the NYC-SVR2 account.
1. On NYC-DC1, run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Locate the NYC-SVR2 account.

Question: In which OU or container does the account exist?
Answer: The Computers container.
Task 4: Remove NYC-SVR2 from the domain.
1. Log on to NYC-SVR2 as Administrator, with the password Pa$$w0rd.
2. Change NYC-SVR2's domain/workgroup membership to a workgroup named WORKGROUP.
3. Restart the server.
Task 5: Delete the NYC-SVR2 account.
Question: On NYC-DC1, refresh the view of the Computers container and examine the NYC-SVR2 account. What is its status?

Answer: The status is Disabled.

Question: You were not prompted for domain credentials in Task 4, and yet a change was made to the domain: the computer account was reset and disabled. What credentials were used to do this? What credentials were used to change the workgroup/domain membership of NYC-SVR2?
Answer: This is a tricky question. Domain credentials with appropriate permissions are required to make a change to the domain, such as resetting and disabling a computer account, and credentials that are in the local Administrators group on the client are required to change the computer's workgroup/domain membership.

You were logged on to NYC-SVR2 as the local Administrator, so you were able to change the computer's workgroup/domain membership. Normally, you would have been prompted for domain credentials, but it just so happens that the local Administrator account's user name, Administrator, and password, Pa$$w0rd, are identical to those of the domain Administrator account, which of course has permission to modify objects in the domain. Windows attempts to authenticate you behind the scenes, and only prompts you for domain credentials if that authentication fails. In this case, because the credentials matched, you were actually authenticated as the domain's Administrator.

In a production environment, the domain's Administrator account should have a very long, complex, secure password that is different from the passwords used for Administrator accounts on domain member computers. The same silent pass-through authentication that made this lab step succeed is what lets a local administrator password reused across machines turn one compromised host into access to every other host that shares it.

Delete the NYC-SVR2 computer object.

Result: In this exercise, you became familiar with typical legacy practices used to join computers to a domain.
Exercise 2: Secure Computer Joins
In this exercise, you will implement best practices to secure the joining of machines to the domain.

The main tasks for this exercise are as follows:

1. Redirect the default computer container.
2. Restrict unmanaged domain joins.
3. Validate the effectiveness of ms-DS-MachineAccountQuota.
Task 1: Redirect the default computer container.
1. On NYC-DC1, run a command prompt as an administrator with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Use the RedirCmp command to redirect the default computers container to the New Computers OU in the contoso.com domain.
Task 2: Restrict unmanaged domain joins.
1. Run the ADSI Edit console as an administrator with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Connect to the domain and, in the properties of the domain object, change ms-DS-MachineAccountQuota to zero (0).
Task 3: Validate the effectiveness of ms-DS-MachineAccountQuota.
Log on to NYC-SVR2 as Administrator and attempt to join NYC-SVR2 to the contoso.com domain just as you did in Exercise 1. When prompted for domain credentials, enter the user name Aaron.Painter and the password Pa$$w0rd.

In Exercise 1, Aaron Painter was able to join the domain. Now, he is unable to join the domain.

Question: What message do you receive when a user is no longer able to create a computer object because of ms-DS-MachineAccountQuota?

Results: In this exercise, you redirected the container for creating computer accounts to the New Computers OU, and restricted users from joining computers to the domain without explicit permission to do so.
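The following added example (not part of the course) does what Exercise 2 does by hand, and adds the audit a security engineer would want before and after the change: it reports the current quota, lists every computer that was created through the quota rather than by a delegated account, and lists what is still sitting in the default container. It assumes the Active Directory module, an account that can read the domain and modify the domain object (Domain Admins by default), and that the New Computers OU exists, as it does in the lab.

```powershell
# Added example (not from the course): audit and harden unmanaged domain joins
# with the Active Directory module.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Current quota. The default of 10 lets every authenticated user add ten
#    computers to the domain with no delegation at all.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

# 2. Computers created through the quota rather than by a delegated account.
#    AD stamps mS-DS-CreatorSID only on those objects, so the attribute is a
#    ready-made audit trail of who added what.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.'mS-DS-CreatorSID'
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Computer  = $_.Name
            Created   = $_.whenCreated
            CreatedBy = $creator
            Container = $_.DistinguishedName -replace '^CN=[^,]+,', ''
        }
    } | Sort-Object Created | Format-Table -AutoSize

# 3. Objects still in the default container were never pre-staged in the
#    correct OU and receive none of the OU-linked Group Policy they should.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel |
    Select-Object Name, DistinguishedName

# 4. Enforce: zero the quota (the ADSI Edit change in Task 2) and redirect the
#    default container to a managed OU (the RedirCmp step in Task 1).
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
redircmp.exe "OU=New Computers,$domainDN"
```

Once the quota is zero, a user without delegated rights who tries the join in Task 3 receives an error stating that the maximum number of computer accounts they are allowed to create in the domain has been exceeded, and the mS-DS-CreatorSID report should stop growing; re-run step 2 periodically to confirm that.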
Exercise 3: Manage Computer Account Creation
In this exercise, you will implement several best practices for creating computer accounts and joining machines to the domain.

The main tasks for this exercise are as follows:

1. Prestage a computer account.
2. Join a computer remotely to a prestaged account by using NetDom.

Task 1: Prestage a computer account.

1. On NYC-DC1, run Active Directory Users and Computers as an administrator with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the Servers\File OU, create a new computer object for NYC-SVR2 and give the AD_Server_Deploy group permission to join the computer to the domain.
Task 2: Join a computer remotely to a prestaged account by using NetDom.
In this task, you will join NYC-SVR2 to the domain remotely, using credentials that are in the local Administrators group of NYC-SVR2 and domain credentials that are in the AD_Server_Deploy group.

1. Run the command prompt as an administrator, with the user name Aaron.Painter_Admin and the password Pa$$w0rd.

Note: Aaron.Painter_Admin is not an administrator. The Run as administrator command allows you to run a process with any credentials, as long as those credentials have sufficient privilege to run the process itself.

2. Type the command whoami /groups to list the group memberships of the current account (Aaron.Painter_Admin). Note that the user is a member of AD_Server_Deploy and is not a member of any other administrative group.
3. Using the NetDom command, join NYC-SVR2 to the domain. Use the local Administrator account credentials for NYC-SVR2 and the domain credentials for Aaron.Painter_Admin, who is a member of AD_Server_Deploy and therefore has permission to join the computer to the domain. Configure the server to reboot automatically in 5 seconds.

Type the following command, and then press Enter.
netdom join NYC-SVR2 /domain:contoso.com /UserO:Administrator /PasswordO:* /UserD:CONTOSO\Aaron.Painter_Admin /PasswordD:* /REBoot:5

Note: The NYC-SVR2 firewall exceptions are configured for ports 135 and 139 and for Network Discovery (NB-Name-In). These exceptions allow NetDom Join to be used to remotely join NYC-SVR2 to the domain.

4. The server restarts.
5. Log on to NYC-SVR2 as Contoso\Pat.Coleman, with the password Pa$$w0rd. This confirms that the server has successfully joined the domain.
6. Log off from NYC-SVR2.

Results: After completing this exercise, NYC-SVR2 will be joined to the domain with an account in the Servers\File OU.

Important: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in Lab B.
Lab Review Questions
Question: What did you learn about the pros and cons of various approaches to creating computer accounts in an AD DS domain?

Question: What are the two credentials that are necessary for any computer to join a domain?
Lesson 2: Administer Computer Objects and Accounts
A computer account begins its life cycle when it is created and when the computer joins the domain. Day-to-day administrative tasks include configuring computer properties, moving the computer between OUs, managing the computer itself, and renaming, resetting, disabling, enabling, and eventually deleting the computer object. This lesson looks closely at the computer properties and procedures involved with these tasks, and will equip you to administer computers in a domain.

Objectives

After completing this lesson, you will be able to:

Configure computer account properties.
Move a computer between OUs.
Recognize computer account problems.
Reset a computer account.
Rename a computer.
Disable and enable a computer.
Configure Computer Attributes
When you create a computer object by using Active Directory Users and Computers, you are prompted to configure only the most fundamental attributes, including the computer name and the delegation to join the computer to the domain. Computers have several properties that are not visible when you are creating the computer object; you should configure these properties as part of the process of staging the computer account.

Open a computer object's Properties dialog box to set its location and description, configure its group memberships and dial-in permissions, and link it to the user object of the user to whom the computer is assigned. The Operating System tab is read-only. The information will be blank until a computer has joined the domain using that account, at which time the client publishes the information to its account.
Several object classes in Active Directory support the managedBy attribute that is shown on the Managed By tab. This linked attribute creates a cross-reference to a user object. All other properties, the addresses and telephone numbers, are displayed directly from the user object. They are not stored as part of the computer object itself. Some organizations use the Managed By tab to link the computer to the primary user of the computer. Alternatively, you might choose to link the computer to a group that is responsible for the support of the computer. For example, this option might be attractive for computer accounts that represent servers.

On the Member Of tab of a computer's Properties dialog box, you can add the computer to groups. The ability to manage computers in groups is an important and often underutilized feature of Active Directory. A group to which computers belong can be used to assign resource access permissions to the computer, to filter the application of a GPO, or as a collection for a software management tool, such as Microsoft System Center Configuration Manager 2007.

As with users and groups, it is possible to select more than one computer object and subsequently manage or modify properties of all selected computers simultaneously.

Configuring Computer Attributes with DSMod

You can use the DSMod command to modify the description and the location attributes of a computer object. It uses the following syntax.
dsmod computer "ComputerDN" [-desc "Description"] [-loc "Location"]

Note: Content in the following section is specific to Windows Server 2008 R2.

Attributes of a computer account can also be managed by using Windows PowerShell with the Active Directory module.

The following example modifies the ManagedBy attribute of the computer LON-SRV1.

Set-ADComputer LON-SRV1 -ManagedBy 'CN=SQL Administrator01,OU=UserAccounts,OU=Managed,DC=contoso,DC=com'
Move a Computer
Many organizations have multiple OUs for computer objects. Some domains, for example, have computer OUs based on geographic sites, as shown earlier in this module. If you have more than one OU for computers, it is likely that some day you will need to move a computer between OUs.

To move a computer by using the Active Directory Users and Computers snap-in, you can use one of the following options:

Click the computer and then drag and drop the computer to the desired location.
Right-click the computer, and then click Move.
The DSMove command allows you to move a computer object or any other object. The syntax of DSMove is as follows.

dsmove ObjectDN [-newname NewName] [-newparent ParentDN]

The -newname option allows you to rename an object. The -newparent option allows you to move an object. To move a computer named DESKTOP153 from the Computers container to the NYC OU, you would type the following command.

dsmove "CN=DESKTOP153,CN=Computers,DC=contoso,DC=com" -newparent "OU=NYC,OU=Client Computers,DC=contoso,DC=com"

Using Windows PowerShell

Note: Content in the following section is specific to Windows Server 2008 R2.

You can also move a computer by using Windows PowerShell with the Active Directory module. This is performed by using two pipelined cmdlets, Get-ADComputer and Move-ADObject. The following example moves the computer Workstation1 to the ManagedComputers OU in the contoso.com domain. Moving a computer object between OUs changes the Group Policy it receives at its next refresh, so check the GPOs linked to the target OU before you move it.
Get-ADComputer Workstation1 | Move-ADObject -TargetPath 'OU=ManagedComputers,DC=contoso,DC=com'

Computer Account and Secure Channel

Every member computer in an Active Directory domain maintains a computer account with a user name (sAMAccountName) and password, just like a user account does. The computer stores its password in the form of a local security authority (LSA) secret and changes its password with the domain every 30 days or so. The NetLogon service uses the credentials to log on to the domain, which establishes the secure channel with a domain controller.
Computer accounts and the secure relationships between computers and their domain are robust. However, certain scenarios might arise in which a computer is no longer able to authenticate with the domain. Examples of such scenarios include the following:

After reinstalling the operating system on a workstation, the workstation is unable to authenticate, even though the technician used the same computer name. As far as the domain is concerned, the new installation is a different machine: it has a new SID and, more importantly, it does not know the computer account password in the domain, so it does not belong to the domain and cannot authenticate to it.

A computer is completely restored from backup and is unable to authenticate. It is likely that the computer changed its password with the domain after the backup operation. Computers change their passwords every 30 days, and Active Directory remembers the current and previous password. If the restore operation restored the computer with a significantly outdated password, the computer will not be able to authenticate.

A computer's LSA secret gets out of synchronization with the password known by the domain. You can think of this as the computer forgetting its password, although it did not forget its password; it just disagrees with the domain over what the password really is. When this happens, the computer cannot authenticate and the secure channel cannot be created.
Recognize Computer Account Problems
The most common signs of computer account problems are the following:

Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, that the password on the computer account is incorrect, or that the trust relationship (another way of saying the secure relationship) between the computer and the domain has been lost. An example is shown here.

Error messages or events in the event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed. One such error is NETLOGON Event ID 3210: Failed To Authenticate, which appears in the computer's event log.

A computer account is missing in Active Directory.
Reset a Computer Account
When the secure channel fails, you must reset the secure channel. Many administrators do so by removing the computer from the domain, putting it in a workgroup, and then rejoining the domain. This is not a good practice because it has the potential to delete the computer account altogether, which loses the computer's SID and, more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be re-created.
Do not remove a computer from the domain and rejoin it.
If the trust with the domain has been lost, do not remove a computer from the domain and rejoin it. Instead, reset the secure channel.

To reset the secure channel between a domain member and the domain, use the Active Directory Users and Computers snap-in, DSMod.exe, NetDom.exe, or NLTest.exe. If you reset the account, the computer's SID remains the same and it maintains its group memberships.

To reset the secure channel by using the Active Directory Users and Computers snap-in:

1. Right-click a computer, and then click Reset Account.
2. Click Yes to confirm your choice.
3. Rejoin the computer to the domain, and then restart the computer.

To reset the secure channel by using DSMod:
1. Type the following command.

dsmod computer "ComputerDN" -reset

2. Rejoin the computer to the domain, and then restart the computer.

To reset the secure channel by using NetDom:

Type the following command,

netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password|*}

where the credentials belong to the local Administrators group of the computer.

This command resets the secure channel by attempting to reset the password on both the computer and the domain, so it does not require rejoining or rebooting.

To reset the secure channel by using NLTest, on the computer that has lost its trust, type the following command.
NLTEST /SERVER:SERVERNAME /SC_RESET:DOMAIN\DOMAINCONTROLLER

For example, the following command, like NetDom, attempts to reset the secure channel by resetting the password on both the computer and in the domain, so it does not require rejoining or restarting. SERVERNAME is the member whose trust is broken and the /SC_RESET value names the domain controller to reset it against.

nltest /server:NYC-SVR2 /sc_reset:CONTOSO\NYC-DC1

Because NLTest and NetDom reset the secure channel without requiring a reboot, you should try those commands first. Only if those are not successful should you use the Reset Account command or DSMod to reset the computer account.

Note: Content in the following section is specific to Windows Server 2008 R2.

You can also use Windows PowerShell to reset a computer account. The Test-ComputerSecureChannel cmdlet is part of the core Microsoft.PowerShell.Management module and does not require the Active Directory module. The following example resets the secure channel between the local computer and the domain to which it is joined. You must run this command on the local computer.

Test-ComputerSecureChannel -Repair
For a full explanation of the parameters that you can pass to Test-ComputerSecureChannel, at the Windows PowerShell command prompt, type Get-Help Test-ComputerSecureChannel -detailed, and then press Enter.
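The following added example (not part of the course) wraps the recommended order of operations from this section into one function: test the secure channel, repair it in place if it is broken, and only fall back to the Reset Account procedure when the in-place repair fails, so the computer keeps its SID and group memberships. It is run on the member whose trust is suspected, from a local administrator session, and assumes PowerShell 3.0 or later, where Test-ComputerSecureChannel accepts -Credential; the credential and server names in the usage line are the lab's.

```powershell
# Added example (not from the course): test the secure channel and repair it
# in place before anyone removes the machine from the domain.
function Repair-DomainTrust {
    param(
        # Account allowed to reset the computer's password in AD (Domain Admins
        # by default, or a group delegated "Reset password" on the computer's OU).
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$DomainCredential,

        # Optional domain controller to target, e.g. NYC-DC1.contoso.com
        [string]$Server
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    if (Test-ComputerSecureChannel @common) {
        Write-Host 'Secure channel is healthy; nothing to do.'
        return $true
    }
    Write-Warning 'Secure channel is broken (expect NETLOGON 3210 and "trust relationship" logon errors).'

    # -Repair resets the password on both the computer and the domain, so the
    # account keeps its SID and group memberships and no rejoin is needed.
    Test-ComputerSecureChannel -Repair -Credential $DomainCredential @common | Out-Null

    $ok = Test-ComputerSecureChannel @common
    if ($ok) {
        Write-Host 'Secure channel repaired; no reboot required.'
    } else {
        Write-Warning 'In-place repair failed. Reset the account in AD (Reset Account or dsmod -reset), then rejoin and restart.'
    }
    return $ok
}

# Usage: prompts for the domain credential so no password is stored in the script.
Repair-DomainTrust -DomainCredential (Get-Credential 'CONTOSO\Pat.Coleman_Admin') -Server 'NYC-DC1.contoso.com'
```

The return value makes the function usable from a larger remediation script: a $true result means the machine can be left alone, a $false result means it needs the rejoin procedure and a maintenance window.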
Rename a Computer
When you rename a computer, you must be careful to do it correctly. Remember that the computer uses its name to authenticate with the domain, so if you rename only the domain object, or only the computer itself, they will be out of sync. You must rename the computer in such a way that both the computer and the domain object are changed.
You can rename a computer correctly by logging on to the computer, either locally or with a Remote Desktop session.

1. Open System Properties from Control Panel.
2. In the Computer name, domain, and workgroup settings section, click Change Settings.
3. If you are prompted by User Account Control, click Continue.
4. Click the Computer Name tab.
5. Click the Change button.
6. Type the new name and click OK twice to close the dialog boxes.
7. Restart the computer to allow the change to take effect.

From the command prompt, you can use the NetDom command, with the following syntax.

netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]

In addition to specifying the machine to rename (MachineName) and the desired new name (NewName), you must have credentials that are a member of the local Administrators group on the computer and credentials that have permission to rename the domain computer object. By default, NetDom will use the credentials with which the command is run. You can specify credentials by using /UserO and /PasswordO for the credentials in the computer's local Administrators group, and /UserD and /PasswordD for the domain credentials with permission to rename the computer object. Specifying * for the password causes NetDom.exe to prompt for the password at the command prompt. The /SecurePasswordPrompt option displays a pop-up for credentials when * is specified for either /PasswordO or /PasswordD. After you rename a computer, you must reboot the computer. The /REBoot option causes the system to reboot after 30 seconds, unless otherwise specified by TimeInSeconds.

When you rename a computer, you can adversely affect services running on the computer. For example, Active Directory Certificate Services (AD CS) relies on the server's name, as do the Kerberos service principal names registered for the host and any certificates issued to the old host name. Be certain to consider the impact of renaming a computer before doing so. Do not use these methods to rename a domain controller.

Note: The content in the following section is specific to Windows Server 2008 R2.
It is also possible to use Windows PowerShell to rename a computer. There are two different operations: renaming the computer itself, which updates both the local name and the domain account as the procedure above does, and renaming only the Active Directory computer object. The following example renames the local, domain-joined computer on which the command is being run. This command must be run on the local computer, and the computer must be restarted afterwards.

Rename-Computer -NewName MyComputer

The second example changes only the name of the computer object fabrikamsrv1, in the ManagedComputers OU of the fabrikam.com domain, in the directory. Rename-ADObject changes the object's relative distinguished name and nothing else: the computer's own name, its sAMAccountName, and its dNSHostName are left unchanged. Use it only to bring the object name back in line with a computer that has already been renamed, not as a way to rename the computer.

Rename-ADObject 'CN=fabrikamsrv1,OU=ManagedComputers,DC=Fabrikam,DC=com' -NewName fabrikamsrv3
Disable and Enable a Computer
If a computer is taken offline or is not to be used for an extended period of time, you should consider disabling the account. This recommendation reflects the security principle that an identity store should allow authentication only of the minimum number of accounts required to achieve the goals of an organization. Disabling the account does not modify the computer's SID or group membership, so when the computer is brought back online, the account can be enabled.

To disable a computer in the Active Directory Users and Computers snap-in, right-click the computer, and then click Disable Account.

A disabled account appears with a down-arrow icon in the Active Directory Users and Computers snap-in, as shown here:
While an account is disabled, the computer cannot create a secure channel with the domain. The result is that users who have not previously logged on to the computer, and who therefore do not have cached credentials on the computer, will be unable to log on until the secure channel is re-established by enabling the account. The converse also holds: users with cached credentials can still log on locally, so disabling the account alone does not lock out a machine that has been taken off the network.

To enable a computer account, right-click the computer, and then click Enable Account.

To disable or enable a computer from the command prompt, use the DSMod command. The syntax used to disable or enable computers is as follows.

dsmod computer ComputerDN -disabled yes
dsmod computer ComputerDN -disabled no
Delete and Recycle Computer Accounts
You have learned that each computer account, like each user account, maintains a unique SID, which enables an administrator to grant permissions to computers. Also, like user accounts, computers can belong to groups. Therefore, it is important to understand the effect of deleting a computer account. When a computer account is deleted, its group memberships and SID are lost. If the deletion is accidental, and another computer account is created with the same name, it is nonetheless a new account, with a new SID. Group memberships must be re-established, and any permission assigned to the deleted computer must be reassigned to the new account. Delete computer objects only when you are certain that you no longer require those security-related attributes of the object.
To delete a computer account by using Active Directory Users and Computers, perform the following steps:
1. Right-click the computer object, and then click Delete.
You are prompted to confirm the deletion, and because deletion is not reversible, the default response to the prompt is No.
2. Click Yes to delete the object.
The DSRm command allows you to delete a computer object from the command prompt. To delete a computer with DSRm, type the following command.
dsrm ObjectDN
Where ObjectDN is the distinguished name of the computer, such as CN=Desktop154,OU=NYC,OU=Client Computers,DC=contoso,DC=com. Again, you will be prompted to confirm the deletion.
Recycling Computers
If a computer account's group memberships and SID, and the permissions assigned to that SID, are important to the operations of a domain, you do not want to delete that account. So what would you do if a computer was replaced with a new system, with upgraded hardware? That is another scenario in which you would reset a computer account.
Resetting a computer account resets its password, but maintains all of the computer object's properties. With a reset password, the account becomes, in effect, available for use. Any computer can then join the domain using that account, including the upgraded system. In effect, you've recycled the computer account, assigning it to a new piece of hardware. You can even rename the account. The SID and group memberships remain the same.
As you learned earlier in this lesson, the Reset Account command is available in the context menu when you right-click a computer object. The DSMod command can also be used to reset a computer account, when you type dsmod computer "ComputerDN" -reset.
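As an added example (not the course's own code), this Windows PowerShell function wraps the dsmod reset shown above and verifies the claim that the SID and group memberships survive a reset, which is what makes recycling the account for new hardware safe. The Active Directory module cmdlets and dsmod are real; the computer name LOT9179 is taken from the lab as a placeholder.

```powershell
# Added example, not from the course. Requires the Active Directory module
# and dsmod.exe (present on a domain controller or an RSAT workstation).
Import-Module ActiveDirectory

function Reset-ComputerAccountAndVerify {
    param([Parameter(Mandatory = $true)][string]$Name)   # computer name without the trailing $

    $before = Get-ADComputer -Identity $Name -Properties MemberOf, PasswordLastSet
    $dn     = $before.DistinguishedName

    # The course's command: resets the machine password so a freshly
    # installed machine can join using this existing account.
    dsmod computer "$dn" -reset
    if ($LASTEXITCODE -ne 0) { throw "dsmod reset failed for $dn (exit $LASTEXITCODE)" }

    $after = Get-ADComputer -Identity $Name -Properties MemberOf, PasswordLastSet

    # Sort before comparing so ordering differences do not show as changes.
    $groupsBefore = ($before.MemberOf | Sort-Object) -join ';'
    $groupsAfter  = ($after.MemberOf  | Sort-Object) -join ';'

    [pscustomobject]@{
        Name            = $Name
        SidUnchanged    = ($before.SID.Value -eq $after.SID.Value)
        GroupsUnchanged = ($groupsBefore -eq $groupsAfter)
        PasswordLastSet = $after.PasswordLastSet
        # Any machine still using this account now has a broken secure
        # channel; the lab uses exactly this effect to "break" NYC-SVR2.
        ExistingMachineSecureChannelBroken = $true
    }
}

# Placeholder name from the lab; try it against a test account first.
Reset-ComputerAccountAndVerify -Name 'LOT9179'
```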
Lab B: Administer Computer Objects and Accounts
Lab Setup
The virtual machines should already be started and available after completing Lab A. However, if they are not, you should complete steps 1 to 3 and then step through exercises 1 to 3 in Lab A before continuing. You will be unable to successfully complete Lab B unless you have completed Lab A.
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman_Admin, with the password, Pa$$w0rd.
3. Start 6425C-NYC-SVR2. Do not log on until directed to do so.
Lab Scenario
You are an administrator for Contoso, Ltd. During a security audit, a number of computer accounts were discovered for computers that no longer exist in the domain. You've been tasked with improving the management of computer accounts, and identifying the best practices for administering the entire life cycle of a computer account.
Exercise 1: Administer Computer Objects Through Their Life Cycle
In this exercise, you will configure common attributes of computer objects, including description and ManagedBy. You will also manage the group membership of computers and move computers between OUs.
The main tasks for this exercise are as follows:
1. Configure computer object attributes.
2. Add computers to software management groups.
3. Move a computer between OUs.
4. Disable, enable, and delete computers.
Task 1: Configure computer object attributes.
1. On NYC-DC1, run Active Directory Users and Computers as an administrator, with the user name, Pat.Coleman_Admin, and the password, Pa$$w0rd.
2. In the Client Computers\SEA OU, use the Managed By tab of computer objects to assign LNO8538 to Linda Mitchell and LOT9179 to Scott Mitchell.
3. Because Scott and Linda Mitchell will occasionally use each other's computer, use multiselect to change the description of both LNO8538 and LOT9179 to Scott and Linda Mitchell.
Task 2: Add computers to software management groups.
Microsoft Office Project is required on both Scott's and Linda's computers. Contoso, Ltd. uses security groups as collections for scoping the deployment of software. You will add each of their computers to the group, APP_Project, by using two different methods.
Method 1
1. In the Client Computers\SEA OU, right-click LOT9179, and then click Add to a group.
2. Type APP_ and press Enter.
The Multiple Items Found dialog box appears.
3. Click APP_Project, and then click OK.
A message appears: The Add to Group operation was successfully completed.
4. Click OK.
Method 2
1. In the console tree, expand the Groups OU, and then click Application.
2. Right-click APP_Project, and then click Properties.
3. Click the Members tab.
4. Click Add.
5. Type LNO8538 and press Enter.
The Name Not Found dialog box appears.
By default, the Select Users, Computers, or Groups interface does not search for computer objects.
6. Click Object Types.
7. Select the check box next to Computers, and then click OK.
8. Click OK to close the Name Not Found dialog box.
Both computers can now be seen on the Members tab.
9. Click OK.
Task 3: Move a computer between OUs.
Scott and Linda are relocating to the Vancouver office. You will move their computers to the new OU by using two different methods.
Method 1
1. In the Client Computers\SEA OU, click LOT9179.
2. Drag LOT9179 into the VAN OU, visible in the console tree.
A message appears that reminds you to be careful about moving objects in Active Directory.
3. Click Yes.
Method 2
4. Right-click LNO8538, and then click Move.
The Move dialog box appears.
5. In the console tree, expand Client Computers, and then click VAN.
6. Click OK.
Task 4: Disable, enable, and delete computers.
1. In the Client Computers\SEA OU, disable, and then enable the account for DEP6152.
2. Delete the account for DEP6152.
Result: In this exercise, you added computers to software management groups, moved a computer between OUs, and deleted a computer.
Exercise 2: Administer and Troubleshoot Computer Accounts
In this exercise, you will administer and troubleshoot computer accounts and the secure channel.
The main tasks for this exercise are as follows:
1. Reset a computer account.
2. Experience a secure channel problem.
3. Reset the secure channel.
Task 1: Reset a computer account.
Recently, Scott Mitchell's computer required reinstallation. The naming convention at Contoso, Ltd. is to use the name of a computer object as its asset tag, assigned by the IT inventory team. Because Scott reinstalled his computer on the same piece of hardware, the computer name is the same: LOT9179. He now wants to join the machine to the domain, but there is already an account for LOT9179, and the account is a member of groups that ensure the correct software (including Microsoft Office Project) and configuration are applied to the system. Therefore, it is important that the account not be deleted, so that group memberships can be retained.
In the Client Computers\VAN OU, reset the account for LOT9179.
You could now join Scott's reinstalled computer to the domain.
Task 2: Experience a secure channel problem.
1. Log on to NYC-SVR2 as Pat.Coleman, with the password, Pa$$w0rd. After the desktop appears, log off.
2. To "break" the secure channel, use Active Directory Users and Computers on NYC-DC1 to reset the account for NYC-SVR2.
3. Attempt to log on to NYC-SVR2 as Pat.Coleman, with the password, Pa$$w0rd.
Task 3: Reset the secure channel.
To solve a broken trust relationship between a domain member and the domain, you can reset the computer's account, move the computer into a workgroup, and then rejoin the domain.
Reset the computer account for NYC-SVR2.
After resetting the secure channel, you could move NYC-SVR2 into a workgroup, and then rejoin the domain. It will join its reset account, thereby retaining its group memberships. Do not perform that step at this time.
Result: In this exercise, you resolved secure channel issues.
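As an added example (not part of the lab), the following Windows PowerShell session shows how to diagnose the broken secure channel from the member itself and repair it in place, as an alternative to the reset, workgroup and rejoin round trip described above. It assumes Test-ComputerSecureChannel and nltest are available on the member (Windows 7 / Windows Server 2008 R2 and later) and that you can still log on there, either as a local administrator or as a domain user whose credentials are cached.

```powershell
# Added example, not from the course. Run in an elevated Windows PowerShell
# session on the affected member (for example NYC-SVR2).
$Domain = 'contoso.com'

# Step 1: diagnose. $false means the machine's local password no longer
# matches the password stored in its computer account, which is exactly
# the state that resetting the account in the lab produces.
$healthy = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $healthy"

# nltest reports the same state together with the DC used and the error.
nltest /sc_query:$Domain

if (-not $healthy) {
    # Step 2: repair in place. A new machine password is written to the
    # existing computer object and to the local machine, so the SID and
    # group memberships are kept, as with reset-then-rejoin, but without
    # leaving the domain and rebooting twice.
    $cred = Get-Credential   # domain account allowed to reset this computer's password
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        'Secure channel repaired.'
    } else {
        'Repair failed; fall back to reset, workgroup, and rejoin.'
    }
}
```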
Lab Review Question
Question: What insights did you gain into the issues and procedures regarding computer accounts and administering computer accounts through their life cycle?
Lesson 3: Offline Domain Join
Offline Domain Join is a new functionality specific to Windows Server 2008 R2. This functionality enables administrators to join computers to a domain without network connectivity. In this lesson you will learn how Offline Domain Join works and how to use it.
Objectives
After completing this lesson you will be able to:
Describe Offline Domain Join.
Describe the process for performing an Offline Domain Join.
Perform an Offline Domain Join.
Note: The content in this lesson is specific to Windows Server 2008 R2.
What Is an Offline Domain Join?
In earlier Windows versions, it was mandatory to have a network connection to a domain controller to join a computer to the Active Directory domain. In some scenarios, this can be a limitation. For example, if you need to fully provision computers that are currently not connected to a network, or not located in the same place as domain controllers, you cannot complete the process unless you join the computers to a domain, and restart them once more after network connections are established.
Offline Domain Join is a new functionality in Windows Server 2008 R2 and Windows 7 that allows you to join a computer to a domain without actually being connected to the network where the domain controller resides. In fact, all preparation steps are performed on a domain controller and on the computer while it is still offline. After it gets connected to a network, a trust relationship with the domain is established without any user intervention. No additional restart is necessary to complete the domain join. This helps reduce the time and effort required to complete a large-scale computer deployment in places such as datacenters.
You can also benefit from the Offline Domain Join feature if you are deploying virtual machines. Offline Domain Join makes it possible for you to join the virtual machines to the domain when they initially start following the operating system installation. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.
To perform an Offline Domain Join, you do not have to have domain controllers running Windows Server 2008 R2. It is also not mandatory to have the domain or forest at the Windows Server 2008 functional level. The only essential requirement for using this method is that the machine used for provisioning and the machine being provisioned must run Windows 7 or Windows Server 2008 R2.
Process for Performing an Offline Domain Join
To perform an Offline Domain Join, you must use a new command-line utility named Djoin.exe. This utility is used both to provision computer accounts into AD DS and to insert domain data into the operating system of the computer that is being joined to the domain by using this method.
Performing an Offline Join by Using Djoin.exe
Djoin.exe performs the following tasks:
Provisions a new computer account into AD DS. This pre-creates a computer account and sets it up to be connected at a later date.
Generates a text file (a blob) that contains information that is necessary for an Offline Domain Join. The blob contains the machine account password and other information about the domain, including the domain name, the name of a domain controller, the SID of the domain, and so on.
Inserts the data provided in the blob into the operating system of the computer being joined to the domain.
Prerequisites for Performing an Offline Join
The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7 or Windows Server 2008 R2.
It is not mandatory that you perform an Offline Domain Join right after you provision a computer account into AD DS. You can do it at any time later.
To perform an Offline Domain Join, you must have the rights that are necessary to join workstations to the domain and to create computer accounts in the domain.
Members of the Domain Admins group have these rights by default. If you are not a member of the Domain Admins group, a member of the Domain Admins group must delegate you the right to join computers to the domain by using Group Policy or by editing an ACL of the container where the computer account will be stored.
Djoin.exe should be run at an elevated command prompt to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .txt file that you specify as part of the command. After you run the provisioning command, you can either run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer, or you can save the computer account metadata in the Unattend.xml file and then specify the Unattend.xml file during an unattended operating system installation of the destination computer.
Offline Domain Join Process
The Offline Domain Join process includes the following steps:
1. Run the djoin.exe /provision command to create the computer account metadata for the destination computer (the computer that you want to join to the domain). As part of this command, you must specify the name of the domain that you want the computer to join and the name of the computer, as follows.
djoin /provision /domain contoso.com /machine DESKTOP123 /savefile C:\desktop123.txt
After performing this step, a computer account named DESKTOP123 will be provisioned in AD DS, and a blob file named desktop123.txt will be created. Now you have to transfer this file to the computer that is being joined to the domain.
Note: The base64-encoded metadata blob that is created by the provisioning command contains very sensitive data. It should be treated just as securely as a plaintext password.
2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer, as follows.
djoin /requestODJ /loadfile desktop123.txt /windowspath %SystemRoot% /localos
3. When you start the destination computer, either as a virtual machine or after a complete operating system installation, the computer will be joined to the domain that you specified.
The switch /localos from the previous command is used only if you perform a djoin operation on the computer that you are joining to the domain. However, if during the provisioning process you are mounting system hard drives (virtual or physical) from the computers that you are provisioning, you should not use the /localos switch.
Note: Using deployment tools such as Windows System Image Manager, you can perform an unattended domain join during an operating system installation by providing information that is relevant to the domain join in an Unattend.xml file. Using the same Unattend.xml file, you can supply the information that is necessary for the computers that run Windows 7 and Windows Server 2008 R2 to perform an Offline Domain Join.
Question: What is the content of the text file that is created during a djoin provisioning process?
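The three steps above, carried through for several machines as an added Windows PowerShell example (not the course's own code): it runs the same djoin /provision and /requestODJ commands, locks down each blob file because, as the note above says, it holds the machine account password, and keeps the /localos distinction explicit. The domain, directory, computer names and the mounted-image path are placeholders.

```powershell
# Added example, not from the course. Provisioning side: run elevated on a
# domain-joined Windows 7 / Server 2008 R2 machine, as an account allowed to
# create computer accounts.
$Domain   = 'contoso.com'                      # placeholder
$BlobDir  = 'C:\ODJ'                           # placeholder
$Machines = 'DESKTOP123', 'DESKTOP124'         # constructed sample names

New-Item -ItemType Directory -Path $BlobDir -Force | Out-Null
$me = "$env:USERDOMAIN\$env:USERNAME"

foreach ($m in $Machines) {
    $blob = Join-Path $BlobDir "$m.txt"
    djoin /provision /domain $Domain /machine $m /savefile $blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed for $m (exit $LASTEXITCODE)" }

    # The blob is a base64 string containing the machine account password:
    # treat it like a plaintext password. Drop inherited ACEs and leave
    # only the provisioning account with read access.
    icacls $blob /inheritance:r /grant:r "${me}:(R)" | Out-Null
}

# Destination side: import one blob, either into the running OS or into
# a mounted system drive of a machine that is not running.
function Import-OdjBlob {
    param(
        [Parameter(Mandatory = $true)][string]$BlobPath,
        # Windows directory of a mounted (offline) image, e.g. D:\Windows.
        # When this is given, /localos must NOT be used, as the lesson says.
        [string]$OfflineWindowsPath
    )
    if ($OfflineWindowsPath) {
        djoin /requestODJ /loadfile $BlobPath /windowspath $OfflineWindowsPath
    } else {
        djoin /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    }
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit $LASTEXITCODE)" }

    # Nothing needs the blob after import; remove it so the password does
    # not linger on disk. The join completes at the next start.
    Remove-Item -Path $BlobPath -Force
}

# On the destination computer itself:
#   Import-OdjBlob -BlobPath 'C:\ODJ\DESKTOP123.txt'
# Into a mounted image whose Windows directory is D:\Windows:
#   Import-OdjBlob -BlobPath 'C:\ODJ\DESKTOP123.txt' -OfflineWindowsPath 'D:\Windows'
```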
Demonstration: Perform an Offline Domain Join
In this demonstration, your instructor will show you how to perform an Offline Domain Join.
Demonstration Steps
Provision a new computer account called NYC-CL2 in the contoso domain by using the djoin utility.
Lab C: Perform an Offline Domain Join
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 6425C-NYC-DC1 virtual machine is running.
3. Log on to 6425C-NYC-DC1 by using the following credentials:
User name: Pat.Coleman_Admin
Password: Pa$$w0rd
Domain: Contoso
4. Start the 6425C-NYC-CL2 virtual machine. Do not log on to the client machine until directed to do so.
Lab Scenario
You are an administrator for Contoso, Ltd. You must provision a large number of new computers in a short period of time. Not all computers can have network connectivity, so you have decided to leverage the Offline Domain Join functionality. In this lab, you will test this functionality on one virtual machine.
Exercise: Perform an Offline Domain Join
In this exercise, you will perform an Offline Domain Join.
The main tasks for this exercise are as follows:
1. Ensure that the client computer is not joined to the domain.
2. Provision a computer account and perform an Offline Domain Join.
Task 1: Ensure that the client computer is not joined to the domain.
1. Log on to NYC-CL2 as Admin, with the password, Pa$$w0rd.
2. Open System Properties and ensure that the computer is joined to a workgroup, instead of a domain.
Task 2: Provision a computer account and perform an Offline Domain Join
1. On NYC-DC1, open a command prompt using administrative credentials and use djoin.exe to provision a new computer account in AD DS by typing the following command.
djoin /provision /domain contoso.com /machine NYC-CL2 /savefile C:\NYC-CL2.txt
2. Open Active Directory Users and Computers and verify that the NYC-CL2 machine has been provisioned in the Computers container.
3. On NYC-CL2, create a folder called