Active Directory and Computers
Computers and users actually have a lot in common, at least from Active Directory's point of view. This article, the first in a four-part series, will explore how Active Directory handles computers. It is excerpted from chapter eight of the Active Directory Cookbook, Second Edition, written by Robbie Allen and Laura E. Hunter (O'Reilly; ISBN: 059610202X). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.
As far as Active Directory is concerned, computers are very similar to users. In fact, computer objects inherit directly from the user object class, which is used to represent user accounts. That means that computer objects possess all of the attributes of user objects and then some. Computers need to be represented in Active Directory for many of the same reasons users do, including the need to access resources securely, utilize GPOs, and have permissions assigned to them.
To participate in a domain, computers need a secure channel to a domain controller. A secure channel is an authenticated connection that can transmit encrypted data. To set up the secure channel, a computer must present a password to a domain controller. Similar to the way in which it authenticates a user account, Active Directory will use Kerberos authentication to verify the identity of a computer account. Without the computer object and, by association, the password stored with it that is changed behind the scenes on a regular basis by the operating system, there would be no way for the domain controller to verify a computer is what it claims to be.
The Anatomy of a Computer
The default location for computer objects in a domain is the cn=Computers container located directly off the domain root. You can, however, create computer objects anywhere in a domain. And in Windows Server 2003, you can modify the default location for computer objects as described in Recipe 8.12. Table 8-1 contains a list of some of the interesting attributes that are available on computer objects.
Table 8-1. Attributes of computer objects
| Attribute | Description |
| cn | Relative distinguished name of computer objects. |
| dnsHostName | Fully qualified DNS name of the computer. |
| lastLogonTimestamp | The approximate timestamp of the last time the computer logged in to the domain. This is a new attribute in Windows Server 2003. |
| managedBy | The distinguished name (DN) of the user or group that manages the computer. |
| memberOf | List of DNs of the groups the computer is a member of. |
| operatingSystem | Textual description of the operating system running on the computer. See Recipe 8.13 for more information. |
| operatingSystemHotFix | Currently not being used, but will hopefully be populated at some point. |
| operatingSystemServicePack | Service pack version installed on the computer. See Recipe 8.13 for more information. |
| operatingSystemVersion | Numeric version of the operating system installed on the computer. See Recipe 8.13 for more information. |
| pwdLastSet | Large integer that can be translated into the last time the computer’s password was set. See Recipe 8.9 for more information. |
| sAMAccountName | NetBIOS-style name of the computer. This is typically the name of the computer with $ at the end. |
| userAccountControl | Account flag that defines various account properties. In the case of a computer object, this specifies whether the computer is a member computer or a domain controller. |
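The following is an added example, not code from the book: it decodes the pwdLastSet large integer and the userAccountControl flag from Table 8-1 and marks computer accounts whose password has not changed recently. The flag values and the 1601 epoch are Microsoft's documented encodings; the 60-day threshold, the function names, and the sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits relevant to computer accounts.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",  # member computer
    0x2000: "SERVER_TRUST_ACCOUNT",       # domain controller
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """Large integer = 100-ns intervals since 1601-01-01 UTC; 0 means never set."""
    ticks = int(value)
    if ticks == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def decode_uac(value):
    return [name for bit, name in UAC_FLAGS.items() if int(value) & bit]

def review(entry, now, max_age_days=60):
    """Summarise one computer object; max_age_days is an assumed review threshold."""
    flags = decode_uac(entry["userAccountControl"])
    if "SERVER_TRUST_ACCOUNT" in flags:
        role = "domain controller"
    elif "WORKSTATION_TRUST_ACCOUNT" in flags:
        role = "member computer"
    else:
        role = "not a computer account"
    changed = filetime_to_datetime(entry["pwdLastSet"])
    age = None if changed is None else (now - changed).days
    return {
        "name": entry["sAMAccountName"],
        "role": role,
        "disabled": "ACCOUNTDISABLE" in flags,
        "password_age_days": age,
        "stale": age is None or age > max_age_days,
    }

# Constructed sample values, shaped like attributes read from a directory export.
SAMPLE = [
    {"sAMAccountName": "WKS01$", "userAccountControl": "4096", "pwdLastSet": "133606368000000000"},
    {"sAMAccountName": "OLDPC$", "userAccountControl": "4098", "pwdLastSet": "133170048000000000"},
    {"sAMAccountName": "DC01$", "userAccountControl": "532480", "pwdLastSet": "133606368000000000"},
]

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the output is repeatable
    for e in SAMPLE:
        print(review(e, now))
```

A computer whose password age keeps growing has usually lost its secure channel or been decommissioned, so stale entries are candidates for review rather than proof of a problem.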