As far as Active Directory is concerned, computers are very similar to users. In fact, computer objects inherit directly from the user object class, which is used to represent user accounts. That means thatcomputerobjects possess all of the attributes ofuserobjects and then some. Computers need to be represented in Active Directory for many of the same reasons users do, including the need to access resources securely, utilize GPOs, and have permissions assigned to them.
To participate in a domain, computers need a secure channel to a domain controller. A secure channel is an authenticated connection that can transmit encrypted data. To set up the secure channel, a computer must present a password to a domain controller. Similar to the way in which it authenticates a user account, Active Directory will use Kerberos authentication to verify the identity of a computer account. Without thecomputer object and, by association, the password stored with it that is changed behind the scenes on a regular basis by the operating system, there would be no way for the domain controller to verify a computer is what it claims to be.
The Anatomy of a Computer
The default location for computer objects in a domain is thecn=Computerscontainer located directly off the domain root. You can, however, createcomputer objects anywhere in a domain. And in Windows Server 2003, you can modify the default location forcomputerobjects as described in Recipe 8.12. Table 8-1 contains a list of some of the interesting attributes that are available oncomputerobjects.
Table 8-1. Attributes of computer objects
Attribute
Description
cn
Relative distinguished name ofcomputerobjects.
dnsHostName
Fully qualified DNS name of the computer.
Table 8-1. Attributes of computer objects (continued)
Attribute
Description
lastLogonTimestamp
The approximate timestamp of the last time the computer logged in to the domain. This is a new attribute in Windows Server 2003.
managedBy
The distinguished name (DN) of user or group that manages the computer.
memberOf
List of DNs of the groups the computer is a member of.
operatingSystem
Textual description of the operating system running on the computer. See Recipe 8.13 for more information.
operatingSystemHotFix
Currently not being used, but will hopefully be populated at some point.
operatingSystemServicePack
Service pack version installed on the computer. See Recipe 8.13 for more information.
operatingSystemVersion
Numeric version of the operating system installed on the computer. See Recipe 8.13 for more information.
pwdLastSet
Large integer that can be translated into the last time the computer’s password was set. See Recipe 8.9 for more information.
sAMAccountName
NetBIOS-style name of the computer. This is typically the name of the computer with$at the end.
userAccountControl
Account flag that defines various account properties. In the case of a computer object, this specifies whether the computer is a member computer or a domain controller.
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
In the left pane, browse to the parent container for the computer, right-click on it, and select New -> Computer.
Enter the name of the computer. If necessary, place a checkmark next to “Assign this computer as a pre-Windows 2000 computer” or “Assign this computer as a backup domain controller.” Click Next to continue.
If you will be using this computer account as part of an RIS deployment, place a checkmark next to “This is a managed computer” and enter the GUID that it should use, and then click Next. Otherwise, just click Next to continue.
Click Finish.
Using a command-line interface
You can create a computer object using either the built-in DSAdd utility or AdMod. To create an account using DSAdd, use the following syntax:
' This code creates a computer object. ' ------ SCRIPT CONFIGURATION ----- strBase = "<ParentComputerDN>" ' e.g. cn=Computers,dc=rallencorp,dc=com strComp = "<ComputerName>" ' e.g. joe-xp strDescr = "<Description>" ' e.g. Joe's Windows XP workstation ' ------ END CONFIGURATION --------
Creating a computer object in Active Directory is not much different from creating auser object. We set thedescriptionattribute in the CLI and API solutions, but it is not a mandatory attribute. The only mandatory attribute issAMAccountName, which should be set to the name of the computer with$appended. Also note that these solutions simply create acomputerobject. This does not mean any user can join a computer to the domain with that computer account. For more information on creating acomputer object and allowing a specific user or group to join the computer to the domain, see Recipe 8.2.
See Also
Recipe 8.2 for creating a computer for a user, MS KB 222525 (Automating the Creation of Computer Accounts), MS KB 283771 (How to Prestage Windows 2000 Computers in Active Directory), MS KB 315273 (Automating the Creation of Computer Accounts), MS KB 320187 (How to Manage Computer Accounts in Active Directory in Windows 2000), and MSDN: ADS_USER_FLAG_ENUM
You want to create a computer account for a specific user or group to join to the domain. This requires setting permissions on the computer account so that the user or group can modify certain attributes.
Solution
Using a graphical user interface
Open the ADUC snap-in.
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
In the left pane, browse to the parent container for the computer, right-click on it, and select New -> Computer.
Enter the name of the computer.
Under “The following user or group can join this computer to a domain,” click the Change button.
Use the Object Picker to select a user or group to join the computer to the domain.
Click OK.
Using a command-line interface
In the following solution, replace <ComputerDN> with the distinguished name of thecomputerobject and <UserOrGroup>with the user principal name or NT-style name of a user or group you want to manage the computer:
You can replace the first line of this code with the AdMod code from Recipe 8.1 if you choose.
Using VBScript
' This code creates a computer object and grants a user/group rights over it. ' ------ SCRIPT CONFIGURATION ------ strComputer = "<ComputerName>" ' e.g. joe-xp strUser = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe strDescr = "<ComputerDescr>" ' e.g. Joe's workstation strDomain = "<ComputerDomain>" ' e.g. rallencorp.com ' ------ END CONFIGURATION ---------
set objSD = objComputer.Get("nTSecurityDescriptor") set objDACL = objSD.DiscretionaryAcl
' Special: Control Rights, List Children ' Generic Read, Delete, ' Delete Subtree, Read Permission set objACE1 = CreateObject("AccessControlEntry") objACE1.Trustee = strUser objACE1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS Or _ ADS_RIGHT_ACTRL_DS_LIST Or _ ADS_RIGHT_GENERIC_READ Or _ ADS_RIGHT_DELETE Or _ ADS_RIGHT_DS_DELETE_TREE Or ADS_RIGHT_READ_CONTROL objACE1.AceFlags = 0 objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
'############################ ' Set ACL '############################ objSD.DiscretionaryAcl = objDACL objComputer.Put "nTSecurityDescriptor", objSD objComputer.SetInfo WScript.Echo "Successfully created " & strComputer & _ " and gave rights to " & strUser
Discussion
By default, members of the Authenticated Users group can join up to 10 computers to an Active Directory domain. If you’ve modified this default behavior or need to allow a user to add computers to the domain on a regular basis, you need to grant certain permissions so that the user has rights to modify the computer object. When you create a computer via the ADUC snap-in, you have the option to select a user or group to manage thecomputerobject and join a computer to the domain using that object. When you use that method, eight ACEs are added to the ACL of thecomputer object. They are:
List Contents, Read All Properties, Delete, Delete Subtree, Read Permissions, All Extended Rights (i.e., Allowed to Authenticate, Change Password, Send As, Receive As, Reset Password)
Write Property for description
Write Property forsAMAccountName
Write Property fordisplayName
Write Property for Logon Information
Write Property for Account Restrictions
Validate write to DNS hostname
Validate write for service principal name
Using a graphical user interface
If you want to modify the default permissions that are applied when you select a user or group through the GUI, double-click on the computer object after you’ve created it and go to the Security tab. For the Security tab to be visible, you have to select View -> Advanced Features.
Using a command-line interface
With the dsacls utility, you can specify either a UPN (user@domain ) or down-level style (DOMAIN\user) account name when applying permissions. Also, dsacls requires that the displayNameof the attribute, property set, or extended right you are setting the permission on be used instead of thelDAPDisplayName, as one might expect. That is why we had to use “Validated write to service principal name,” which is thedisplayNamefor theValidated-SPN controlAccessRightobject, with the ACE for the SPN-validated write. dsacls is also case sensitive, so be sure to specify the correct case for the words in thedisplayName.
Using VBScript
After creating the computer object, similar to Recipe 8.1, create an ACE object for each of the eight ACEs previously listed using the IADsAccessControlEntry interface.
To apply the ACEs, retrieve the current security descriptor for the computer object, which is stored in thenTSecurityDescriptorattribute, and then add the eight ACEs. Finally, callSetInfoto commit the change to Active Directory. For more information on setting ACEs and ACLs programmatically, see theIADsAccessControlEntrydocumentation in MSDN.
See Also
Recipe 8.1 for creating a computer account, MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain), MS KB 283771 (How to Prestage Windows 2000 Computers in Active Directory), MS KB 320187 (How to Manage Computer Accounts in Active Directory in Windows 2000), MSDN: IADsAccessControlEntry, MSDN: ADS_ACETYPE_ENUM, and MSDN: ADS_RIGHTS_ENUM, MSDN: ADS_FLAGTYPE_ENUM
'########################### ' Connect to Computer '########################### set objWMILocator = CreateObject("WbemScripting.SWbemLocator") objWMILocator.Security_.AuthenticationLevel = 6 set objWMIComputer = objWMILocator.ConnectServer(strComputer, _ "root\cimv2", _ strLocalUser, _ strLocalPasswd) set objWMIComputerSystem = objWMIComputer.Get( _ "Win32_ComputerSystem.Name='" & _ strComputer & "'")
'########################### ' Join Computer '########################### rc = objWMIComputerSystem.JoinDomainOrWorkGroup(strDomain, _ strDomainPasswd, _ strDomainUser, _ vbNullString, _ JOIN_DOMAIN) if rc <> 0 then WScript.Echo "Join failed with error: " & rc else WScript.Echo "Successfully joined " & strComputer & " to " & strDomain end if
Discussion
When trying to add a computer to Active Directory, you can either precreate the computer object as described in Recipes 8.1 and 8.2 before joining it to the domain, or you can perform both operations at the same time.
Using a graphical user interface
If you have the correct permissions in Active Directory, you can actually create a computer object at the same time as you join it to a domain via the instructions described in the GUI solution. Since the System applet doesn’t allow you to specify an OU for the computer object, if it needs to create a computerobject, it will do so in the defaultComputerscontainer. See Recipe 8.15 for more information on the default computers container and how to change it.
Using a command-line interface
The netdom command will attempt to create a computer object for the computer during a join if one does not already exist. An optional/OUswitch can be added to specify the OU in which to create thecomputerobject. To do so, you’ll need to have the necessary permissions to create and managecomputerobjects in the OU.
There are some restrictions on running thenetdom joincommand remotely. If a Windows XP machine has theForceGuestsecurity policy setting enabled, you cannot join it remotely. Running thenetdomcommand directly on the machine works regardless of theForceGuestsetting.
Using VBScript
In order for the Win32_ComputerSystem::JoinDomainOrWorkGroup method to work remotely, you have to use an AuthenticationLevel equal to 6 so that the traffic between the two machines (namely the passwords) is encrypted. You can also create computerobjects usingJoinDomainOrWorkGroupby using theACCT_CREATEflag in combination withJOIN_DOMAIN.
This function works only with Windows XP and Windows Server 2003 and is not available for Windows 2000 and earlier machines.
Just like with the netdom utility, you cannot run this script against a remote computer if that computer has theForceGuestsetting enabled.
See Also
More information on the ForceGuest setting can be found here: http://www.microsoft. com/resources/ documentation/Windows/XP/all/reskit/en-us/ prde_ffs_ypuh.asp, MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain), MS KB 251335 (Domain Users Cannot Join Workstation or Server to a Domain), MS KB 290403 (How to Set Security in Windows XP Professional That Is Installed in a Workgroup), MSDN: Win32_ComputerSystem::JoinDomainOrWorkgroup, and MSDN: NetJoinDomain.
Please check back next week for the continuation of this article.
Windows Scripting 
Modifying Computer Objects with Active Directory
