Modifying Computer Objects with Active Directory

In this conclusion to a four-part series on how Active Directory handles computers, you will learn how to modify the attributes of a computer object, change the default container for computers, and more. This article is excerpted from chapter eight of the Active Directory Cookbook, Second Edition, written by Robbie Allen and Laura E. Hunter (O'Reilly; ISBN: 059610202X). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

January 31, 2008

Modifying the Attributes of a Computer Object

Problem

You want to modify one or more attributes of a computer object.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. If an entry for the naming context you want to browse is not already displayed, do the following: 

    a. Right-click on ADSI Edit in the right pane and click “Connect to....”

    b. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.

    c. In the left pane, browse to the container or OU that contains the computer object you want to modify. Once you’ve found the object, right-click on it and select Properties.

  3. Right-click the attribute you want to modify and select Edit.

  4. Enter the new value and click OK.

  5. Click Apply, followed by OK.

Using a command-line interface

Create an LDIF file called modify_object.ldf with the following contents:

  dn: <ComputerDN>
  changetype: modify
  add: <AttributeName>
  <AttributeName>: <AttributeValue>
  -

Then run the following command:

  > ldifde -v -i -f modify_object.ldf

To modify an object using AdMod, you’ll use the following general syntax:

  > admod -b <ComputerDN> <attribute>:<operation>:<value>

For example, you can add a location to a computer object using the following syntax:

  > admod -b "cn=Fin101,cn=Computers,dc=rallencorp,dc=com" location::"Berlin, Germany"

Using VBScript

  ' The following code will modify the location attribute
  ' of a computer object.
  Set objComputer = GetObject ("LDAP://<ComputerDN>")

  objComputer.Put "Location" , "<NewLocationValue>"
  objComputer.SetInfo
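The LDIF file in the command-line solution has to follow RFC 2849 exactly or ldifde -i rejects it, and a value that is not a "safe" ASCII string (for example a location containing an umlaut, or one beginning with a space) must be base64-encoded on a double-colon line. The following added example, which is not code from the Active Directory Cookbook, generates the same modify record layout shown above and applies that encoding rule; the DN and attribute values it uses are constructed samples. It also lets you choose replace instead of add, which matters for a single-valued attribute such as location: add fails with a constraint violation when the attribute already holds a value, whereas replace (the semantics of the VBScript Put call) sets it either way.

```python
import base64

# Added example (not from the Active Directory Cookbook): builds the
# "changetype: modify" record layout that ldifde -i consumes.


def is_safe_ldif_value(value: str) -> bool:
    """RFC 2849 SAFE-STRING check: ASCII only, no NUL/CR/LF, and the first
    character may not be a space, a colon or '<'."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(0 < ord(ch) < 128 and ch not in "\r\n" for ch in value)


def ldif_attr_line(name: str, value: str) -> str:
    """One 'name: value' line; unsafe values are base64-encoded with '::'."""
    if is_safe_ldif_value(value):
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def modify_record(dn: str, operation: str, attr: str, values) -> str:
    """Build an LDIF modify record for one attribute.

    operation is 'add', 'replace' or 'delete'. For a single-valued attribute
    such as location, 'add' fails when the attribute already has a value, so
    'replace' is the safer choice unless you know the attribute is empty.
    """
    if operation not in ("add", "replace", "delete"):
        raise ValueError(f"unsupported LDIF modify operation: {operation}")
    lines = [ldif_attr_line("dn", dn), "changetype: modify", f"{operation}: {attr}"]
    lines.extend(ldif_attr_line(attr, v) for v in values)
    lines.append("-")  # terminates the change block, as in the recipe's file
    return "\n".join(lines) + "\n"


def write_modify_ldif(path: str, records) -> None:
    """Write the records, blank-line separated, for: ldifde -v -i -f <path>."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write("\n".join(records))


if __name__ == "__main__":
    # Constructed sample DN; substitute the real computer DN before use.
    print(modify_record("cn=Fin101,cn=Computers,dc=rallencorp,dc=com",
                        "replace", "location", ["Berlin, Germany"]))
    print(modify_record("cn=Fin101,cn=Computers,dc=rallencorp,dc=com",
                        "replace", "location", ["Zürich"]))
```

Running the block prints the two records; the second shows the `location:: WsO8cmljaA==` form that ldifde expects for a non-ASCII value.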

Discussion

Like all objects within Active Directory, computer objects have various attributes that can be queried, modified, and deleted during the day-to-day management of your domain. Because computer objects inherit from the user class, they include many of the same informational attributes as user objects, as well as attributes that are specific to computer objects, including:

  1. Location
  2. Description
  3. operatingSystemVersion
  4. operatingSystemServicePack
  5. sAMAccountName
  6. pwdLastSet
  7. primaryGroupID

See Also

Recipe 8.10 for finding inactive or unused computers, Recipe 8.13 for finding computers with a particular OS, and MSDN: Computer System Hardware Classes [WMI]

Finding Computers with a Particular OS

Problem

You want to find computers that have a certain OS version, release, or service pack in a domain.

Solution

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection -> Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection -> Bind.
  7. Enter credentials of a user to perform the search.
  8. Click OK.
  9. From the Menu, select Browse -> Search.
  10. For Base DN, enter the base of where you want your search to begin.
  11. For Filter, enter a filter that contains the OS attribute you want to search on. For example, a query for all computers that are running Windows XP would be the following:

      (&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP Professional))

  12. Select the appropriate Scope based on how deep you want to search.
  13. Click the Options button if you want to customize the list of attributes returned for each matching object.
  14. Click Run, and the results will be displayed in the right pane.

You can also perform this search using the Active Directory Users and Computers MMC snap-in (dsa.msc), as follows:

  1. Open the ADUC MMC snap-in.
  2. Right-click on the domain, OU, or container that you wish to search, and click Find.
  3. In the Find drop-down box, select Computers.
  4. Click on the Advanced tab. Click on Field and select Operating System.
  5. Select the Condition that you want to search on from one of the following:

    • Starts with

    • Ends with

    • Is (exactly)

    • Is not

    • Present

    • Not present

  6. In the Value field, enter the value that you want to search for, such as “Windows Server 2003.”

  7. Click Find Now.

Using a command-line interface

You can query for computer objects of a particular operating system using either DSQuery or AdFind. To perform the query with DSQuery, use the following syntax:

  > dsquery * <DomainDN> -scope subtree -attr "*" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows Server 2003))"

To use AdFind, enter the following:

  > adfind -b <DomainDN> -s subtree -f "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows Server 2003))"

Using VBScript

  ' This code searches for computer objects that have Service Pack 1 installed.
  ' ------ SCRIPT CONFIGURATION ------
  strBase    = "<LDAP://" & "<DomainDN>" & ">;"
  ' ------ END CONFIGURATION ---------

  strFilter = "(&(objectclass=computer)(objectcategory=computer)" & _
        "(operatingSystemServicePack=Service Pack 1));"
  strAttrs  = "cn,operatingSystem,operatingSystemVersion," & _
        "operatingSystemServicePack;"
  strScope  = "subtree"

  set objConn = CreateObject("ADODB.Connection")
  objConn.Provider = "ADsDSOObject"
  objConn.Open "Active Directory Provider"
  Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
  ' MoveFirst raises an error on an empty recordset, so check EOF first
  If Not objRS.EOF Then objRS.MoveFirst
  while Not objRS.EOF
     ' Four attributes were requested, so the fields are indexed 0 through 3
     Wscript.Echo objRS.Fields(0).Value
     Wscript.Echo objRS.Fields(1).Value
     Wscript.Echo objRS.Fields(2).Value
     Wscript.Echo objRS.Fields(3).Value
     WScript.Echo
     objRS.MoveNext
  wend
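Every solution in this recipe hinges on one LDAP filter, and the only part of it that varies is the attribute value. When that value comes from a script parameter or a web form, it needs RFC 4515 escaping so that a stray `*` or `)` cannot turn an equality match into a wildcard or add clauses. The following added example (my own code, not the book's) builds the recipe's filter with that escaping for any combination of the three OS attributes, and evaluates the resulting filter against constructed sample records so the behaviour can be checked offline; the record layout is a simplification (objectCategory is written as the short name the directory resolves it to, rather than the full schema DN), and no directory is contacted.

```python
import re

# Added example (not from the Active Directory Cookbook): builds the
# operatingSystem filters used in this recipe with RFC 4515 escaping and
# evaluates them against constructed sample records.


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX hex escapes,
    so a value taken from user input cannot add clauses or wildcards."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value for the evaluator below."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_os_filter(operating_system=None, version=None, service_pack=None) -> str:
    """Compose (&(objectClass=computer)(objectCategory=computer)...) with one
    equality clause per OS attribute that was supplied."""
    clauses = ["(objectClass=computer)", "(objectCategory=computer)"]
    for attr, val in (("operatingSystem", operating_system),
                      ("operatingSystemVersion", version),
                      ("operatingSystemServicePack", service_pack)):
        if val is not None:
            clauses.append(f"({attr}={escape_filter_value(val)})")
    return "(&" + "".join(clauses) + ")"


_CLAUSE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def matches(filter_str: str, record: dict) -> bool:
    """Evaluate an AND-of-equalities filter against one record.  Attribute
    names and values compare case-insensitively, as the directory does for
    these string attributes; multi-valued attributes match on any value."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only (&(attr=value)...) filters are supported")
    rec = {k.lower(): (v if isinstance(v, list) else [v]) for k, v in record.items()}
    body, pos = filter_str[2:-1], 0
    while pos < len(body):
        m = _CLAUSE.match(body, pos)
        if m is None:
            raise ValueError(f"malformed filter near: {body[pos:]!r}")
        attr = m.group(1).lower()
        wanted = unescape_filter_value(m.group(2)).lower()
        if not any(str(v).lower() == wanted for v in rec.get(attr, [])):
            return False
        pos = m.end()
    return True


# Constructed sample records standing in for search results (the
# objectClass chain is the real one for a computer object).
_CLASSES = ["top", "person", "organizationalPerson", "user", "computer"]
SAMPLE_COMPUTERS = [
    {"cn": "Fin101", "objectClass": _CLASSES, "objectCategory": "computer",
     "operatingSystem": "Windows XP Professional",
     "operatingSystemVersion": "5.1 (2600)", "operatingSystemServicePack": "Service Pack 2"},
    {"cn": "DC1", "objectClass": _CLASSES, "objectCategory": "computer",
     "operatingSystem": "Windows Server 2003",
     "operatingSystemVersion": "5.2 (3790)", "operatingSystemServicePack": "Service Pack 1"},
    {"cn": "Files01", "objectClass": _CLASSES, "objectCategory": "computer",
     "operatingSystem": "Windows 2000 Server",
     "operatingSystemVersion": "5.0 (2195)", "operatingSystemServicePack": "Service Pack 4"},
]


def find_computers(filter_str: str, records=SAMPLE_COMPUTERS):
    """Return the cn of every sample record the filter matches."""
    return [r["cn"] for r in records if matches(filter_str, r)]


if __name__ == "__main__":
    print(build_os_filter("Windows XP Professional"))
    print(find_computers(build_os_filter(service_pack="Service Pack 1")))
    print(find_computers(build_os_filter("*")))  # escaped, so no wildcard match
```

Note that a version string such as `5.1 (2600)` contains parentheses and so must be escaped before it is placed in a filter; build_os_filter handles that, and the evaluator decodes the `\28`/`\29` escapes back before comparing.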

Discussion

When a computer joins an Active Directory domain, the operating system attributes are updated for the computer object. There are four of these attributes, which can be used in queries to find computers that match certain OS-specific criteria, like service pack level.

These attributes include the following:

operatingSystem
   Descriptive name of the installed Operating System—
   e.g., Windows Server 2003, Windows 2000 Server,
   and Windows XP Professional

operatingSystemVersion
   Numerical representation of the operating system—
   e.g., 5.0 (2195) and 5.2 (3757)

operatingSystemServicePack
   Current service pack level if one is installed—e.g.,
   Service Pack 2 and Service Pack 3

This recipe typically applies only to Windows-based machines. Other types of machines (e.g., Unix) that have accounts in Active Directory might not automatically update their OS attributes, though some newer Unix- or Linux-based NAS devices have been configured to do so. Additionally, the operatingSystem attribute does not distinguish between Windows NT 4 Server and Windows NT 4 Workstation.

Binding to the Default Container for Computers

This recipe requires the Windows Server 2003 domain functional level.

Problem

You want to bind to the default container that new computer objects are created in.

Solution

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection -> Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection -> Bind.
  7. Enter credentials of a domain user.
  8. Click OK.
  9. From the menu, select View -> Tree.
  10. For the DN, enter: 

      <WKGUID=aa312825768811d1aded00c04fd8d5cd,<DomainDN>>

    where <DomainDN> is the distinguished name of a domain.
  11. Click OK.
  12. In the lefthand menu, you can now browse the default computers container for the domain.

Using a command-line interface

With tools like netdom, if there is an option to specify only the name of the computer and not its DN or parent container, the computer object will be created in the default Computers container by default. You can use the redircmp utility to change this default location, as we will discuss in Recipe 8.15.

Using VBScript

  ' This code illustrates how to bind to the default computers container.
  ' ------ SCRIPT CONFIGURATION ------
  strDomain = "<DomainDNSName>"  ' e.g. apac.rallencorp.com
  ' ------ END CONFIGURATION ---------

  ' Computer GUID as defined in ntdsapi.h
  Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"

  set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
  set objCompContainer = GetObject("LDAP://<WKGUID=" & _
                 ADS_GUID_COMPUTRS_CONTAINER & "," & _
                 objRootDSE.Get("defaultNamingContext") & ">")

  WScript.Echo objCompContainer.Get("distinguishedName")

Discussion

In much the same way that the TCP/IP protocol defines a list of well-known ports that are commonly used by industry applications (TCP 20 and 21 for FTP, TCP port 80 for HTTP, etc.), Active Directory defines Well-Known GUIDs that map to container objects that are present in every AD installation. The Domain NC defines the following WKGUIDs:

  • Users
  • Computers
  • System
  • Domain Controllers
  • Infrastructure
  • Deleted Objects
  • Lost and Found

The Configuration NC also defines its own Deleted Objects WKGUID.

For example, the default computers container has the following WKGUID:

  aa312825768811d1aded00c04fd8d5cd

You can use the GUID to bind to the default computers container in the domain using the following ADsPath:

  LDAP://<WKGUID=aa312825768811d1aded00c04fd8d5cd,dc=apac,dc=rallencorp,dc=com>

The list of well-known objects for a domain is contained in the wellKnownObjects attribute of the domainDNS object for the domain. The wellKnownObjects attribute is multivalued with DNWithBinary syntax. The following is an example of what that attribute looks like for the rallencorp.com domain:

  B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=rallencorp,DC=com;
  B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=rallencorp,DC=com;
  B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=rallencorp,DC=com;
  B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=rallencorp,DC=com;
  B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=rallencorp,DC=com;
  B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=rallencorp,DC=com;
  B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=rallencorp,DC=com;
  B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=rallencorp,DC=com;
  B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=rallencorp,DC=com;
  B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=rallencorp,DC=com;

Each value has the format of:

  B:NumberofBytes:GUID:DistinguishedName

As you can see, the GUID for the first value is the same as the one we used in the ADsPath above to bind to the default computers container.

See Also

Recipe 8.15 for changing the default computers container, and MSDN: Binding to Well-Known Objects Using WKGUID

Changing the Default Container for Computers

Problem

You want to change the container that computers are created in by default.

Solution

Using a graphical user interface

  1. Open LDP.

  2. From the menu, select Connection -> Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection -> Bind.
  7. Enter credentials of a domain user.
  8. Click OK.
  9. From the menu, select Browse -> Modify.
  10. For DN, enter the distinguished name of the domainDNS object of the domain you want to modify.
  11. For Attribute, enter wellKnownObjects.
  12. For Values, enter the following: 

      B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,<DomainDN>

    where <DomainDN> is the same as the DN you entered for the DN field.
  13. Select Delete for the Operation and click the Enter button.
  14. Go back to the Values field and enter the following: 

      B:32:AA312825768811D1ADED00C04FD8D5CD:<NewComputersParent>,<DomainDN>

    where <NewComputersParent> is the new parent container for new computer objects (e.g., ou=RAllenCorp Computers).
  15. Select Add for the Operation and click the Enter button.
  16. Click the Run button.

    The result of the operations will be displayed in the right pane of the main LDP window.

Using a command-line interface

  > redircmp "<NewParentDN>"

Using VBScript

  ' This code changes the default computers container.
  ' ------ SCRIPT CONFIGURATION ------
  strNewComputersParent = "<NewComputersParent>" ' e.g. OU=RAllenCorp Computers
  strDomain             = "<DomainDNSName>" ' e.g. rallencorp.com
  ' ------ END CONFIGURATION ----------

  Const COMPUTER_WKGUID = "B:32:AA312825768811D1ADED00C04FD8D5CD:"
  ' ADS_PROPERTY_OPERATION_ENUM
  Const ADS_PROPERTY_APPEND = 3
  Const ADS_PROPERTY_DELETE = 4

  set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
  strDomainDN = objRootDSE.Get("defaultNamingContext")
  set objDomain = GetObject("LDAP://" & strDomainDN)
  ' Bind to the current default computers container through its well-known GUID
  set objCompWK = GetObject("LDAP://<WKGUID=AA312825768811D1ADED00C04FD8D5CD," & _
                            strDomainDN & ">")

  ' Remove the existing well-known object value, then append the new one
  objDomain.PutEx ADS_PROPERTY_DELETE, "wellKnownObjects", _
      Array(COMPUTER_WKGUID & objCompWK.Get("distinguishedName"))
  objDomain.PutEx ADS_PROPERTY_APPEND, "wellKnownObjects", _
      Array(COMPUTER_WKGUID & strNewComputersParent & "," & strDomainDN)
  objDomain.SetInfo
  WScript.Echo "New default Computers container set to " & _
               strNewComputersParent
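Recipes 8.14 and 8.15 both turn on the `B:<count>:<GUID>:<DN>` layout of the wellKnownObjects values: the first reads a DN out of it to bind through a WKGUID ADsPath, and the second deletes one such value and adds a replacement. The following added example, which is my own code and not the book's, parses that layout strictly (the count must match the number of hex digits, which is 32 in every value shown above), looks up the DN for a well-known GUID, forms the WKGUID ADsPath, and computes the exact delete/add pair that the LDP steps and the VBScript above apply. The attribute values it works on are constructed to match the book's rallencorp.com listing and nothing is written to a directory; the DN splitting is a plain split on commas, which is adequate for these values but not for DNs with escaped commas.

```python
# Added example (not from the Active Directory Cookbook): parses the
# DNWithBinary values of wellKnownObjects and computes the redirection
# change of Recipe 8.15 offline, on constructed sample values.

COMPUTERS_WKGUID = "AA312825768811D1ADED00C04FD8D5CD"

# Constructed sample, laid out like the book's rallencorp.com listing.
SAMPLE_WELL_KNOWN_OBJECTS = [
    "B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=rallencorp,DC=com",
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=rallencorp,DC=com",
    "B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=rallencorp,DC=com",
    "B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=rallencorp,DC=com",
]


def parse_dn_with_binary(value: str):
    """Split 'B:<count>:<hex>:<dn>' into (GUID hex, DN).

    The count must equal the length of the hex string and the hex must
    decode; anything else is rejected rather than guessed at."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError(f"not a DNWithBinary value: {value!r}")
    count, hexstr, dn = parts[1], parts[2], parts[3]
    if not count.isdigit() or int(count) != len(hexstr):
        raise ValueError(f"declared length {count} does not match {len(hexstr)} hex digits")
    bytes.fromhex(hexstr)  # raises ValueError on non-hex characters
    return hexstr.upper(), dn


def well_known_dn(values, guid_hex: str) -> str:
    """Return the DN that the given well-known GUID currently maps to."""
    for v in values:
        guid, dn = parse_dn_with_binary(v)
        if guid == guid_hex.upper():
            return dn
    raise KeyError(f"no well-known object with GUID {guid_hex}")


def wkguid_adspath(guid_hex: str, domain_dn: str) -> str:
    """ADsPath of the form Recipe 8.14 uses to bind through the GUID."""
    return f"LDAP://<WKGUID={guid_hex.lower()},{domain_dn}>"


def domain_dn_of(dn: str) -> str:
    """Keep only the DC= components: the domain NC the container lives in.
    Plain comma split; escaped commas inside RDN values are not handled."""
    return ",".join(p for p in dn.split(",") if p.strip().upper().startswith("DC="))


def redirect_computers_container(values, new_parent_rdn: str):
    """Compute (value_to_delete, value_to_add) for the wellKnownObjects
    change, mirroring the Delete then Add operations in Recipe 8.15."""
    current_dn = well_known_dn(values, COMPUTERS_WKGUID)
    new_dn = f"{new_parent_rdn},{domain_dn_of(current_dn)}"
    prefix = f"B:32:{COMPUTERS_WKGUID}:"
    return prefix + current_dn, prefix + new_dn


def apply_redirect(values, new_parent_rdn: str):
    """Return the attribute as it would read after the delete and add."""
    old, new = redirect_computers_container(values, new_parent_rdn)
    return [v for v in values if v != old] + [new]


if __name__ == "__main__":
    print(wkguid_adspath(COMPUTERS_WKGUID, "dc=rallencorp,dc=com"))
    old, new = redirect_computers_container(SAMPLE_WELL_KNOWN_OBJECTS,
                                            "OU=RAllenCorp Computers")
    print("delete:", old)
    print("add:   ", new)
    updated = apply_redirect(SAMPLE_WELL_KNOWN_OBJECTS, "OU=RAllenCorp Computers")
    print("now:   ", well_known_dn(updated, COMPUTERS_WKGUID))
```

The two strings printed as delete and add are exactly the Values entries from steps 12 and 14 of the LDP procedure, which makes the function a convenient way to generate and double-check them before touching the domainDNS object.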

Discussion

Most Active Directory administrators do not use the Computers container within the Domain naming context as their primary computer repository. One reason is that since it is a container and not an OU, you cannot apply Group Policy Objects to it. If you have another location where you store computer objects, you might want to consider changing the default container used to bind to the computers container by changing the well-known objects attribute, as shown in this recipe. This can be beneficial if you want to ensure computers cannot sneak into Active Directory without having the appropriate group policies applied to them. While you can also apply GPOs at the site or the domain level, forcing new computers into a particular Organizational Unit ensures that those computers receive the Group Policy settings that you want them to receive through GPOs linked at the OU level. However, this does not protect you from an administrator (whether intentionally or accidentally) explicitly creating a computer object in the incorrect OU; this only protects you from applications or utilities that do not allow or do not require you to specify an OU when creating the computer.

See Recipe 8.14 for more information on how well-known objects are specified in Active Directory.

See Also

MS KB 324949 (Redirecting the Users and Computers Containers in Windows Server 2003 Domains)

Listing All the Computer Accounts in a Domain

Problem

You want to obtain a list of all computer accounts in an Active Directory domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers MMC snap-in.
  2. Right-click on the domain node and select Find.
  3. In the Find drop-down box, select Computers and click Find Now.

    All computer objects in the domain will be displayed in the Search Results window.

Using a command-line interface

  > adfind -default -f (objectCategory=computer)

Using VBScript

  ' The following script will enumerate all computer accounts
  ' within an Active Directory domain.

  Const ADS_SCOPE_SUBTREE = 2
  strDomain = "<DomainDN>"

  Set objConnection = CreateObject("ADODB.Connection")
  Set objCommand = CreateObject("ADODB.Command")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"

  Set objCommand.ActiveConnection = objConnection
  objCommand.CommandText = _
      "Select Name, Location from 'LDAP://" & strDomain & "' " & _
      "Where objectCategory='computer'"
  ' Paged results let the query return more than the server's 1000-object limit
  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
  Set objRecordSet = objCommand.Execute
  ' MoveFirst raises an error on an empty recordset, so check EOF first
  If Not objRecordSet.EOF Then objRecordSet.MoveFirst

  Do Until objRecordSet.EOF
     Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
     Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
     objRecordSet.MoveNext
  Loop

Discussion

Using VBScript

To obtain a list of domain controllers, rather than just computer objects, you should query the Configuration NC rather than the domain NC, and replace "where objectCategory=computer" with "where objectCategory=ntDSDSA".

See Also

MSDN: Object Class and Object Category [Active Directory] and MSDN: Object-Class Attribute [AD-Schema]

Identifying a Computer Role

Problem

You want to identify the role that a particular computer serves in an Active Directory domain. 

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers MMC snap-in.
  2. Right-click on the domain node and select Find.
  3. In the Find drop-down box, select Computers and click Find Now.

    The role of each computer will be displayed in the Machine Role column in the Search Results window.

Using a command-line interface

  > wmic computersystem get domainrole

For a domain controller that holds the PDC Emulator FSMO role, this will return the following output:

  DomainRole
  5

For a DC that doesn’t hold the PDCe FSMO, this command will return a value of 4.

Using VBScript

  ' The following code will return the domain role of the
  ' local computer.
  strComputer = "."
  Set objWMIService = GetObject("winmgmts:" _
      & "{impersonationLevel=impersonate}!" _
      & strComputer & "\root\cimv2")
  Set colComputers = objWMIService.ExecQuery _
      ("Select DomainRole from Win32_ComputerSystem")
  For Each objComputer in colComputers
      Select Case objComputer.DomainRole
          Case 0
              strComputerRole = "Standalone Workstation"
          Case 1
              strComputerRole = "Member Workstation"
          Case 2
              strComputerRole = "Standalone Server"
          Case 3
              strComputerRole = "Member Server"
          Case 4
              strComputerRole = "Backup Domain Controller"
          Case 5
              strComputerRole = "Primary Domain Controller"
      End Select
      Wscript.Echo strComputerRole
  Next

Discussion

Using a command-line interface

WMIC is the command-line component of Windows Management Instrumentation; it uses aliases to let you access WMI namespaces easily from the command line. To run wmic against a remote computer, specify the /node:"<ComputerFQDN>" switch.

Using VBScript

Rather than relying on an if...else construct to produce output, this script uses Select Case. In situations where there are numerous possible outcomes for a conditional statement, Select Case can produce far more elegant code than using numerous if...else statements.
