05 Computers
TRANSCRIPT
-
8/13/2019 05 Computers
1/27
www.technocorp.co.in
Active Directory Module 5
Managing Computer Accounts
-
Module Overview
  Create Computers and Join the Domain
  Administer Computer Objects and Accounts
  Perform an Offline Domain Join
-
Create Computers and Join the Domain
  Workgroups, Domains, and Trusts
  Requirements for Joining a Computer to the Domain
  The Computers Container and Organizational Units
  Prestage a Computer Account
  Join a Computer to the Domain
  Secure Computer Creation and Joins
  Automate Computer Account Creation
  Import Computers with CSVDE
  Import Computers with LDIFDE
  Create Computer Accounts with DSAdd and PowerShell
  Create and Join Computers with NetDom and PowerShell
-
Workgroups, Domains, and Trusts
  In a workgroup, the SAM is the authority for authentication; identity is local to each computer
  In a domain, Active Directory is the authority for authentication
  Computers have a "trust relationship" with the domain
-
Requirements for Joining a Computer to the Domain
  You must have permissions on the computer object that allow you to join a computer to the domain
  You must be a member of the local Administrators group on the computer to change its domain or workgroup membership
  A computer object should exist in the directory service
  If it does not already exist, you must also have permission to create a computer account in the domain
-
The Computers Container and Organizational Units
  The default Computers container is a container, not an organizationalUnit object
    Cannot link GPOs to a container
    Cannot create sub-OUs in a container
  Best practice is to create OUs for computer objects
    Servers: typically subdivided by server role
    Client computers: typically subdivided by region
  Divide OUs based first on administration, then to facilitate configuration with Group Policy
-
Prestage a Computer Account
  Prestage (pre-create) a computer in the correct OU
  Right-click the OU and choose New Computer
  Computer Name and Computer Name (Pre-Windows 2000) should be the same
  The User or group box delegates permissions to the specified account to join the computer to the domain
-
Join a Computer to the Domain
  The System Properties dialog box or window
  Prompts for domain credentials
  Requires restart
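The same join done from PowerShell rather than the System Properties dialog, targeting the OU where the account was prestaged and then verifying the trust relationship after the reboot. This is an added example, not code from the course; the domain name, the OU path and the credential prompt text are constructed placeholders.

```powershell
# Added example (not from the course): join this machine to the domain from
# PowerShell, into a specific OU, then confirm the secure channel after reboot.
$domain = 'contoso.com'                          # placeholder domain
$ou     = 'OU=Workstations,DC=contoso,DC=com'    # placeholder; must match the prestaged object's OU if one exists

# Run elevated on the machine being joined (local Administrators membership
# is required, as the slides state). The credential supplied must have the
# join right on the computer object, or the create-computer right on the OU
# if the object does not exist yet.
$cred = Get-Credential -Message "Account with rights to join $domain"
Add-Computer -DomainName $domain -OUPath $ou -Credential $cred -Restart

# After the restart, still on the client: confirm that the trust relationship
# the slide describes actually exists, and repair it if it does not.
# (Run this part separately; Add-Computer -Restart reboots immediately.)
# if (-not (Test-ComputerSecureChannel)) {
#     Test-ComputerSecureChannel -Repair -Credential $cred
# }
```

Passing -OUPath only works when the account is either prestaged in that OU or the credential can create computer objects there; without it, the account lands in the default Computers container, which the later slides explain is the less secure outcome.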
-
Secure Computer Creation and Joins
  Prestage computer objects in the correct OUs
    Computer is in the correct OU and does not require moving
    Group Policy applies to the computer immediately after joining the domain
  Tighter security of computer OU and Computers container
  Configure the default computer container
    redircmp "DN of OU for new computer objects"
  Restrict the ability of users to create computers
    By default, any user can join 10 machines to the domain (requires no prestaging)
    Change the ms-DS-MachineAccountQuota value to 0
  Delegate to appropriate groups the permission to create computer objects in the appropriate OUs
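An audit-then-tighten script for the two settings this slide names, the default computer container and ms-DS-MachineAccountQuota. It also lists the computers that ordinary users have already joined under the quota, which is the population a defender wants to review before the quota is lowered. This is an added example, not course material; it assumes the ActiveDirectory RSAT module and an account allowed to modify the domain naming context, and the domain name is read from AD rather than assumed.

```powershell
# Added example (not from the course): audit the default computer container
# and the machine account quota, find quota-created computers, then set the
# quota to 0 (with -WhatIf until you are satisfied with the report).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainNC = $domain.DistinguishedName

# 1. Where do new computer objects land today? (redircmp changes this value.)
Write-Host "Default computers container: $($domain.ComputersContainer)"

# 2. Read the quota. 10 is the out-of-box value the slide refers to.
$quota = (Get-ADObject -Identity $domainNC -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

# 3. Computers created by ordinary users under the quota carry mS-DS-CreatorSID;
#    computers prestaged by an admin or created with delegated rights do not.
function ConvertTo-Sid($value) {
    # The AD module may hand the attribute back as a SecurityIdentifier or as raw bytes.
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { return $value }
    if ($value -is [byte[]]) { return New-Object System.Security.Principal.SecurityIdentifier($value, 0) }
    return [System.Security.Principal.SecurityIdentifier]$value
}

$userJoined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = ConvertTo-Sid $_.'mS-DS-CreatorSID'
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # deleted or foreign account: show the raw SID
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
            DN          = $_.DistinguishedName
        }
    }
$userJoined | Sort-Object WhenCreated | Format-Table -AutoSize

# 4. Set the quota to 0, as the slide recommends, so only delegated accounts
#    can create computer objects. Remove -WhatIf to apply.
if ($quota -ne 0) {
    Set-ADObject -Identity $domainNC -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
}
```

Setting the quota to 0 does not affect computers that are already joined, so the report in step 3 is the place to decide which of those objects should be moved to a proper OU or retired.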
-
Automate Computer Account Creation
  CSVDE: import (create) or export computer accounts
  LDIFDE: import (create), modify, or export computer accounts
  DSAdd: create computer accounts and set initial properties
  NetDom: create computer accounts; join machines to the domain
-
Import Computers with CSVDE
  CSVDE.exe
  csvde -i -f filename [-k]
    -i: Import (default mode is export)
    -k: Continue past errors (such as Object Already Exists)
  Include a userAccountControl column (set to 4096) and a sAMAccountName column (set to computername$)
  [Figure: import and export of a file with CSVDE.exe]
-
Import Computers with LDIFDE
  Lightweight Directory Access Protocol Data Interchange Format (LDIF)
  LDIFDE.exe
  ldifde [-i] [-f filename] [-k]
    -i: Import (default mode is export)
    -k: Continue past errors (such as object already exists)
  [Figure: import and export of filename.ldf with LDIFDE.exe]
  Sample LDIF record (the second OU value was lost in extraction):
    dn: CN=FILE25,OU=File,OU=...,DC=contoso,DC=com
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: FILE25
    userAccountControl: 4096
    sAMAccountName: FILE25$
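A generator for the input files the CSVDE and LDIFDE slides describe. Hand-writing these files is where the two easy mistakes happen: leaving out userAccountControl 4096 or the trailing $ on sAMAccountName, both of which produce objects that exist but cannot be joined. This is an added example, not course material; the OU path and the computer names are constructed placeholders, and the import commands at the end are the real csvde/ldifde switches from the slides.

```powershell
# Added example (not from the course): build a CSVDE file and an LDIFDE file
# for a batch of computer accounts from one list, then import.
$targetOU = 'OU=Servers,DC=contoso,DC=com'    # placeholder OU, adjust for your forest
$names    = @('FILE25', 'FILE26', 'PRINT07')  # constructed sample names

# Computer objects need userAccountControl 4096 (WORKSTATION_TRUST_ACCOUNT)
# and a sAMAccountName ending in $; csvde/ldifde do not add these for you.
$rows = foreach ($n in $names) {
    [pscustomobject]@{
        DN                 = "CN=$n,$targetOU"
        objectClass        = 'computer'
        cn                 = $n
        sAMAccountName     = "$n`$"
        userAccountControl = 4096
    }
}

# CSVDE: the first line is the attribute list; DN must be one of the columns.
# Export-Csv quotes every field, which csvde accepts.
$rows | Export-Csv -Path .\computers.csv -NoTypeInformation

# LDIFDE: one record per object, records separated by a blank line.
$ldif = foreach ($r in $rows) {
@"
dn: $($r.DN)
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: $($r.cn)
userAccountControl: $($r.userAccountControl)
sAMAccountName: $($r.sAMAccountName)

"@
}
$ldif -join '' | Set-Content -Path .\computers.ldf -Encoding ASCII

# Import. -k continues past "object already exists"; -j . writes the log
# file to the current directory so failed rows can be reviewed afterwards.
# csvde  -i -f .\computers.csv -k -j .
# ldifde -i -f .\computers.ldf -k -j .
```

Both files are equivalent for creation; LDIF is the one to keep if the same batch will later need modify records, since CSVDE cannot modify existing objects.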
-
Create Computer Accounts with DSAdd and PowerShell
  DSAdd creates objects in Active Directory
    dsadd computer ComputerDN
    ComputerDN: the distinguished name (DN) of the computer
  Multiple values can be provided by DomainController
  Windows PowerShell: Test-ComputerSecureChannel -Repair
-
Rename a Computer
  Use System Properties of the computer to rename the computer and its account correctly
  NetDom
    netdom renamecomputer MachineName /NewName:NewName
      [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}]
      [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}]
      [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
-
Disable and Enable a Computer
  Disable a computer if it will be offline for an extended time
    Similar to disabling a user who is on a leave of absence
    Prevents the secure channel from being established, so users who do not have cached credentials on the computer cannot log on
  Active Directory Users and Computers
    Right-click the computer, and then click Enable Account or Disable Account
  DSMod
    dsmod computer ComputerDN -disabled yes
    dsmod computer ComputerDN -disabled no
-
Delete and Recycle Computer Accounts
  Delete a computer with Active Directory Users and Computers
    Right-click the computer, and then click Delete
  Delete a computer with DSRm
    dsrm ObjectDN
  Delete destroys the SID and group memberships
  When replacing or reinstalling a computer, if the computer will play the same role, reset the computer account instead of deleting it
    Preserves all attributes of the computer, including SID and group memberships
    You can rename the object if the computer is being renamed during reinstallation/upgrade
    This recycles the computer account
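The two slides above argue for disabling before deleting, because a deleted account loses its SID and group memberships while a disabled one keeps them. The script below turns that into a repeatable stale-computer review: it finds enabled computers that have not authenticated in a long time, records why on the object, disables them and parks them in a holding OU, leaving deletion as a later, deliberate step. This is an added example, not course material; it assumes the ActiveDirectory module, and the age threshold and holding OU are constructed placeholders.

```powershell
# Added example (not from the course): disable-and-hold workflow for stale
# computer accounts. Everything is run with -WhatIf; remove it to apply.
Import-Module ActiveDirectory

$staleDays = 90                                           # placeholder threshold
$holdingOU = 'OU=Disabled Computers,DC=contoso,DC=com'    # placeholder OU
$cutoff    = (Get-Date).AddDays(-$staleDays)

function Get-LastSeen($computer) {
    # lastLogonTimestamp is replicated but only refreshed roughly every 14 days,
    # so it is a coarse signal; keep the threshold generous.
    if ($computer.lastLogonTimestamp) { [DateTime]::FromFileTime($computer.lastLogonTimestamp) } else { $null }
}

$stale = Get-ADComputer -Filter * -Properties lastLogonTimestamp, OperatingSystem, description |
    Where-Object { $_.Enabled -and (Get-LastSeen $_) -and ((Get-LastSeen $_) -lt $cutoff) }

foreach ($c in $stale) {
    $lastSeen = (Get-LastSeen $c).ToString('yyyy-MM-dd')
    $stamp    = Get-Date -Format 'yyyy-MM-dd'

    # Leave a breadcrumb on the object so the reason is visible in ADUC and
    # the account can be re-enabled by someone who did not run this script.
    Set-ADComputer -Identity $c -Description "Disabled $stamp: no logon since $lastSeen (was: $($c.description))" -WhatIf

    # Disable rather than delete: SID and group memberships survive, and the
    # secure channel can no longer be established, which is the slide's point.
    Disable-ADAccount -Identity $c -WhatIf
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $holdingOU -WhatIf
}

# Report what would be touched.
$stale |
    Select-Object Name, OperatingSystem, @{ n = 'LastSeen'; e = { Get-LastSeen $_ } } |
    Sort-Object LastSeen |
    Format-Table -AutoSize
```

Machines that come back from the holding OU can be re-enabled with Enable-ADAccount and, if the machine's own password has drifted, repaired from the client with Test-ComputerSecureChannel -Repair; only objects that stay disabled through a full review cycle should be deleted.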
-
Offline Domain Join
  What Is an Offline Domain Join?
  Process for Performing an Offline Domain Join
  Demonstration: Perform an Offline Domain Join
-
What Is an Offline Domain Join?
  An Offline Domain Join allows a client to fully achieve a domain join without ever having communicated with a domain controller
  A trust relationship between the computer and the domain is established as soon as a network connection with a domain controller is established
  Requirements
    No forest or domain functional level requirement
    No Windows Server 2008 R2 DCs required
    The computer being joined must be a Windows 7 client or a Windows Server member
-
Process for Performing an Offline Domain Join
  1. If a nonadministrator is performing the offline domain join, appropriate rights must be delegated
  2. Run djoin /provision /domain contoso.com /machine DESKTOP123 /savefile desktop123.txt to provision the computer account object and create the blob file
  3. Transfer the blob file with domain information to the client computer's system hard drive
  4. djoin /requestODJ /loadfile desktop123.txt /windowspath %SystemRoot% /localos
  5. Restart the client computer
  [Figure: blob file transferred from the provisioning computer to the Win7 client]
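The five steps above, wrapped in PowerShell so that a djoin failure stops the run instead of leaving a half-provisioned account, and with the blob file's permissions tightened before it is moved, since the blob carries the machine account's secret. This is an added example, not course material; djoin.exe and its switches are the real tool the slide shows, while the domain, machine name, OU path and file locations are constructed placeholders.

```powershell
# Added example (not from the course): both halves of an offline domain join.
$ErrorActionPreference = 'Stop'

# --- Step 2, on a domain-joined admin workstation or DC: provision ---
$domain   = 'contoso.com'                         # placeholder
$machine  = 'DESKTOP123'                          # placeholder
$ou       = 'OU=Workstations,DC=contoso,DC=com'   # placeholder; /machineou is optional
$blobPath = Join-Path $env:TEMP "$machine.txt"

# /reuse is deliberately omitted: djoin refuses to overwrite an existing
# account unless you opt in, which catches name collisions early.
& djoin.exe /provision /domain $domain /machine $machine /machineou $ou /savefile $blobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# Step 3 prerequisite: the blob contains the machine account password, so treat
# the file as a credential. Strip inherited ACEs and grant only the current user.
icacls $blobPath /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null
Write-Host "Provisioned $machine; blob at $blobPath (move to the client out of band, then delete it here)"

# --- Step 4, on the new client, running as local Administrator, no DC reachable ---
# & djoin.exe /requestODJ /loadfile C:\ODJ\DESKTOP123.txt /windowspath $env:SystemRoot /localos
# if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
#
# --- Step 5 ---
# Restart-Computer   # the join completes on reboot; the secure channel forms on first DC contact
```

Step 1 (delegation) is not scripted here: whoever runs the provision half needs the create-computer-object right on the target OU, which is granted once through the OU's security settings rather than on every run.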
-
Demonstration: Perform an Offline Domain Join
  In this demonstration, your instructor will show you how to perform an Offline Domain Join