Giáo trình ACNA - Chap08 pptx

CHAPTER OVERVIEW• Describe the process of adding a computer to an Active Directory domain • Create and manage computer objects • Troubleshoot computer accounts... UNDERSTANDING COMPUTER

Trang 1

WORKING WITH COMPUTER

ACCOUNTS

Chapter 8

Trang 2

CHAPTER OVERVIEW

• Describe the process of adding a computer

to an Active Directory domain

• Create and manage computer objects

• Troubleshoot computer accounts

Trang 3

UNDERSTANDING COMPUTER OBJECTS

• Logical representation in Active Directory of the

physical computer object

• A mean to track computers belonging to the

domain

• User cannot log on to the domain from a

computer without a computer account in Active Directory

• Can be granted permissions to other objects

• Inherit group policy settings from domains,

sites, and OUs

• Can be made a member of a security and

distribution group and inherit group permissions

Trang 4

CREATING COMPUTER OBJECTS

• Computer object must exist in Active

Directory before computer can be joined to

the domain.

• Computer object can be created using Active

Directory Users and Computers or a

command-line tool such as Dsadd.

• Computer account can also be created during

the domain joining process.

• Computer account SID is stored in Active

Directory computer account object

• Prevent a rogue computer from accessing the

network

Trang 5

COMPUTER ACCOUNT AUTHENTICATION

• Computer authenticate before user account is

• Pre-Windows 2000 the first 15 characters

• Password is generated automatically and kept hidden

• Account name up to 63 characters

• Pre-Windows 2000 the first 15 characters

Trang 6

CREATING COMPUTER OBJECTS USING

ACTIVE DIRECTORY USERS AND

COMPUTERS

Permission Requirements:

Administrators Account Operators Delegated control

Trang 7

DSADD.EXE

• Allows computer account creation to be scripted

• Provides a mechanism to create large amounts

of computer accounts at one time

Example:

DSAdd computer

“CN=MyComputer,CN=Computers,DC=MyCompany,DC=Com”

Trang 8

NETDOM.EXE

• Command-line utility

• Simpler to use than Dsadd

• Must be extracted from the support.cab

archive in the \Support\Tools folder on the Windows Server 2003 installation CD or

install by running suptools.msi

Example:

Netdom add MyComputer /Domain: Contoso.com /UserD: Admin /PasswordD: Secret

/OU: Organization

Trang 9

JOINING COMPUTERS TO A DOMAIN

Trang 10

JOINING A DOMAIN USING NETDOM.EXE

• Allows computers to be joined to the

domain from a command line

• Allows scripts to be developed to

streamline the process of joining a

computer to a domain

• Netdom join …

Trang 11

CREATING COMPUTER OBJECTS WHILE

JOINING THE DOMAIN

Trang 12

JOINING A DOMAIN DURING OPERATING SYSTEM INSTALLATION

Trang 13

LOCATING COMPUTER OBJECTS

• The Computers container

• The Domain Controllers OU

Trang 14

LOCATING DC COMPUTER OBJECTS

• Computer accounts for domain controllers

are placed in the system-created domain controllers OU by default

• The Default Domain Controllers Policy GPO

is applied to the container

Trang 15

LOCATING OTHER COMPUTER OBJECTS

• Non–domain-controller computer accounts

are placed in the Computers

system-created container by default

• Computer container does not support

group policy

Trang 16

REDIRECTING COMPUTER OBJECTS

• Allows an alternative default location for

computer accounts to be specified.

• Use the Redircmp.exe command-line utility.

• Works only on Windows Server 2003 domain

functional level.

• Automatically redirects all computer accounts

• Can be overridden by explicit computer

account creation commands.

Example: Redircmp ou=Workstations,DC=contoso,DC=com

Trang 17

MANAGING COMPUTER OBJECTS

• Computer objects have properties.

• Can be viewed and configured through

Active Directory Users and Computers

Trang 18

MODIFYING COMPUTER OBJECT

PROPERTIES

Trang 19

DELETING, DISABLING, AND RESETTING COMPUTER OBJECTS

• Reestablishes relationship between a

computer and Active Directory

Trang 20

DELETING COMPUTER OBJECTS

• Manually through Active Directory Users

and Computers

• Automatically by changing the domain

membership on the computer

• Using a command-line tool such as Dsrm

Trang 21

DISABLING COMPUTER OBJECTS

Trang 22

RESETTING A COMPUTER OBJECT

• Necessary when replacing or upgrading a

computer system

• Allows an appropriately named new

system to use an existing computer

account

• Allows computer account password on the

computer to be synchronized with

computer account password stored on the domain controller

Trang 23

MANAGING REMOTE COMPUTERS

• Allows you to perform management tasks

across the network

• Actually a shortcut to the Computer

Management MMC snap-in

Trang 24

MANAGING COMPUTER OBJECTS FROM THE COMMAND LINE

Trang 25

MANAGING COMPUTER OBJECT

PROPERTIES WITH DSMOD.EXE

• Can be used to modify properties of

existing computer account objects

• Useful for creating scripts and batch files

to automate changes

• Cannot be used to create or delete

computer account objects

Example:

DSMod computer CN=MyComp,CN=Computers,DC=Contoso,DC=com –reset

Trang 26

DELETING COMPUTER OBJECT

PROPERTIES WITH DSRM.EXE

• Can be used to delete computer account

objects from the command line

• Requires confirmation of deletion unless

the -noprompt switch is used

Example:

DSrm CN=MyComp,CN=Computers,DC=Contoso,DC=com

Trang 27

TROUBLESHOOTING COMPUTER

ACCOUNTS: PROBLEMS

controller cannot be contacted, that the

computer account might be missing, or that the trust between the computer and the

domain has been lost

indicate similar problems or suggest that

passwords, trusts, secure channels, or

relationships with the domain or a domain controller have failed

Tiêu đề	Working with Computer Accounts
Trường học	University of Information Technology - Ho Chi Minh City
Chuyên ngành	Computer Science
Thể loại	Giáo trình
Thành phố	Ho Chi Minh City

Định dạng
Số trang	30
Dung lượng	880 KB