MCITP 70-640: Active Directory Computer Accounts
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos.
This video looks at computer accounts in Active Directory. Each time you add a computer to the domain, a computer account is created for that computer in the Active Directory database. This video looks at how these computer accounts work and how to reset a computer account if its password becomes out of sync with the password stored on the local computer.
Demonstration 04:57
Computer Account
A computer account in Active Directory is very similar to a user account in Active Directory. Fundamentally, computer and user accounts are made from the same attributes. Like a user account, the computer account has a password. Unlike a user account, this password is randomly generated. The password is supplied to the domain when the computer starts up, which allows a secure connection to be created between the computer and the Domain Controller. This password is automatically changed after 30 days. If the computer has not connected to the domain for more than 30 days, the computer will still be able to access the domain. The password for the computer account will be changed the next time the computer connects to the domain.
Resetting the computer account
Sometimes the password used on the local computer and the password stored in the domain for the computer account become out of sync. When this occurs you will receive the message "The trust relationship between this workstation and the primary domain failed." When this occurs the computer will need to be re-added to the domain.
Pre-Stage Computer Accounts
A computer account is automatically created for a computer when it is added to the domain. You can also manually create the computer account in advance, before the computer is added to the domain. This is referred to as pre-staging. There are a number of reasons why you may want to pre-stage the computer account:
1) Deployment solutions like Windows Deployment Services (WDS) can be configured to use only pre-staged accounts. This stops computers from being deployed unless a computer account has been created for them. This essentially puts some controls on images that are deployed using a system like WDS.
2) A pre-staged computer account ensures that the computer is put into the correct organizational unit. If you do not use a pre-staged computer account, the computer account will be created in the default location of Computers. The Computers OU can't have additional group policies applied to it, which limits how the computer can be administered. Pre-staging the computer account ensures that administrators can control the computer using group policy as soon as the computer is added to the domain.
3) A pre-staged account allows a general user to be granted the right to add that computer to the domain. This allows more granular administration to be achieved, rather than having to use an account like the administrator account.
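The following is an added example, not part of the original video notes: a PowerShell audit that flags computer accounts whose password has not changed for well beyond the 30-day interval described above (a sign the computer has not connected to the domain for some time) and accounts sitting in the default Computers location because they were not pre-staged. The function name, the 60-day threshold, the example.com domain and the sample records are assumptions made for illustration.

```powershell
# Added example: audit computer accounts for old machine passwords and for
# placement in the default Computers location. Not from the original page.
function Get-ComputerAccountFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        # Default location for accounts that were not pre-staged (assumed DN).
        [string]$DefaultContainer = 'CN=Computers,DC=example,DC=com',
        # Passwords change after 30 days; 60 leaves some slack (assumed threshold).
        [int]$MaxPasswordAgeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    process {
        $findings = @()
        $age = $null
        if ($null -eq $Computer.PasswordLastSet) {
            $findings += 'NoPasswordTimestamp'
        } else {
            $age = [math]::Floor(($Now - $Computer.PasswordLastSet).TotalDays)
            if ($age -gt $MaxPasswordAgeDays) { $findings += 'StalePassword' }
        }
        # Parent location = distinguished name minus its first component
        # (escaped commas inside the first component are skipped).
        $parent = $Computer.DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''
        if ($parent -eq $DefaultContainer) { $findings += 'DefaultLocation' }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name            = $Computer.Name
                PasswordAgeDays = $age
                Findings        = $findings -join ','
            }
        }
    }
}

# Constructed sample records (not real accounts) so the logic runs offline.
$now = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'WS01';  DistinguishedName = 'CN=WS01,OU=Workstations,DC=example,DC=com'; PasswordLastSet = $now.AddDays(-12) }
    [pscustomobject]@{ Name = 'WS02';  DistinguishedName = 'CN=WS02,CN=Computers,DC=example,DC=com';    PasswordLastSet = $now.AddDays(-20) }
    [pscustomobject]@{ Name = 'LAB07'; DistinguishedName = 'CN=LAB07,OU=Lab,DC=example,DC=com';         PasswordLastSet = $now.AddDays(-140) }
)
$sample | Get-ComputerAccountFinding -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter * -Properties PasswordLastSet |
#     Get-ComputerAccountFinding -DefaultContainer (Get-ADDomain).ComputersContainer
```

With the sample data, WS02 is reported for its location and LAB07 for its password age, while WS01 produces no finding.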
Demonstration
To perform administration on computer accounts inside Active Directory, open Active Directory Users and Computers from Administrative Tools under the Start menu.
If you select a computer account, you can access the properties of the computer account by right-clicking and selecting Properties. The properties contain information about the computer, such as what type of computer it is: for example, a "workstation or server", or a Domain Controller, with or without being configured as a global catalog server.
To create a pre-staged computer account, open Active Directory Users and Computers. Inside Active Directory Users and Computers, navigate to the OU in which you want to create the computer account. In the new computer dialog you can also set a user account that will be allowed to add the computer to the domain.
To add a computer to the domain, open Windows Explorer, right-click Computer and select Properties. From the system properties, select Change settings and then press the Change button. This will allow you to remove the computer from, or add it to, a domain.
To reset the password on a computer account, right-click the computer account and select Reset Account.
The computer will then need to be removed from the domain and re-added. When you remove the computer from the domain and place it in a workgroup, you do not need to reboot the computer before adding it to the domain again.
Once it is added to the domain, you will need to reboot the computer to complete the process.