Computer Account Flashcards
Computer accounts
Computer Account Facts
A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device. To identify a specific computer, two processes are required:
Create a computer account in Active Directory.
Join a computer to the domain. When you join the domain, the device is associated with the Active Directory computer account.
You can perform these processes in two different ways:
From Active Directory Users and Computers, create a computer account. This process is called prestaging computer accounts. From the workstation, join the domain. The workstation will be associated with the computer account you created previously.
From the workstation, join the domain. If the computer account does not exist in Active Directory, it will be created automatically. When you join a domain and create a new computer account in one step, the computer account is added to the Computers built-in folder in Active Directory.
Be aware of the following facts about computer accounts and joining a domain:
Because the Computers folder is not an OU, you cannot link a GPO to this container, meaning that only Group Policy settings in the domain will apply to these computers. For more control over Group Policy settings for computers or groups of computers, move computer accounts to OUs.
To control where computer accounts are placed when the computer joins the domain, create computer accounts ahead of time before joining the domain from the workstation.
The following group members can create a computer account:
Account Operators
Domain Admins
Enterprise Admins
Members of the Authenticated Users group can join up to 10 computers to a domain from a workstation (and create the computer account automatically if it does not already exist). This ability comes from the Add workstations to a domain user right. You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.
You can grant other users permissions to create computer accounts by giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs.
To join a computer to a domain, you must be a member of the Administrators group on the local computer or be given the necessary rights.
Use the dsadd and netdom utilities to create computer accounts from a command prompt or a script. Use netdom to rename a computer account. Use netdom join to join a computer to a domain.
After a computer account is created, you must join the computer to the domain before the computer receives Group Policy settings or before Active Directory receives workstation-specific information.
Each computer has a password that is automatically generated when the computer joins the domain.
When the computer boots, this password is used to authenticate the computer to the domain and to establish a secure channel between the computer and the domain controller.
The password is saved on the local computer and in Active Directory. By default, the password is changed automatically every 30 days.
If the two passwords become unsynchronized, the computer will not be able to connect to the domain, and you will see an error indicating that the computer failed to authenticate. This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with another one using the same computer account name.
When computer logon fails, reset the computer account. To reset the account, use one of the following methods:
Run the netdom reset command followed by the computer account name and the domain.
In Active Directory Users and Computers, right-click the computer account and select Reset Account.
Create a script in Visual Basic.
After resetting the computer account, you must rejoin the computer to the domain.