Friday, January 15, 2010

Managing Computer Accounts

In the previous topic, you examined the fundamental components of a computer’s relationship with a domain: the computer’s account, and joining the computer to the domain. This Topic looks more closely at the computer object in Active Directory. You will learn about the other properties and permissions that make computer objects “tick,” and how to manage those properties and permissions using GUI and command-line tools.

Managing Computer Object Permissions

In the previous topic, you learned that you could join a computer to a domain by providing domain administrator credentials when prompted by the computer during the join process. Security concerns, however, require us to use the minimum credentials necessary for a particular task, and a Domain Admins account is overkill for adding a desktop to the domain.

Fortunately, Active Directory allows you to control, with great specificity, which groups or users can join a computer to a computer account in the domain. Although the default is Domain Admins, you can allow any group (for example, a group called “Installers”) to join a machine to an account. This is most easily done while creating the computer object.

When you create a computer object, the first page of the New Object–Computer dialog box includes the option The Following User Or Group Can Join This Computer To A Domain. Click Change and you can select any user or group. This choice modifies a number of permissions on the computer object in Active Directory.

The following page of the New Object–Computer dialog box prompts you for the globally unique identifier (GUID) of the computer, which is necessary if you install a system using Remote Installation Services (RIS). For more information on RIS, see the Microsoft online Knowledge Base, http://support.microsoft.com/.

If the computer that is using the account that you are creating is running a version of Windows earlier than 2000, select the Assign This Computer Account As A Pre–Windows 2000 Computer check box. If the account is for a Windows NT backup domain controller, click Assign This Computer Account As A Backup Domain Controller.
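The same delegation done from the command line, as an added example that is not part of the original post: it pre-creates the computer account and grants a group the rights a domain join needs on that one object (reset password, validated writes to the DNS host name and service principal name, and the Account Restrictions property set). It assumes the ActiveDirectory PowerShell module is available (Windows Server 2008 R2 RSAT or later) and uses the constructed names CONTOSO, Installers, PC01 and the OU path shown.

```powershell
# Added example: scripted equivalent of "The following user or group can join
# this computer to a domain". Names below are constructed placeholders.
Import-Module ActiveDirectory

$computerName = 'PC01'                                  # constructed
$ou           = 'OU=Workstations,DC=contoso,DC=com'     # constructed
$joinGroup    = Get-ADGroup 'Installers'                # constructed group name
$sid          = [System.Security.Principal.SecurityIdentifier]$joinGroup.SID

# Create the account first; the ACEs go on the object itself, not on the OU,
# so the group can join only this machine and nothing else.
New-ADComputer -Name $computerName -Path $ou
$dn = "CN=$computerName,$ou"

# Well-known schema GUIDs for the rights a join requires.
$resetPassword   = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password (control access right)
$validatedDns    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$validatedSpn    = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name
$accountRestrict = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rules  = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::ExtendedRight, $allow, $resetPassword),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::Self,          $allow, $validatedDns),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::Self,          $allow, $validatedSpn),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $accountRestrict)
)

$acl = Get-Acl -Path "AD:\$dn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Verify: show only the ACEs that now apply to the delegated group.
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference -eq 'CONTOSO\Installers' } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
```

Because the rights are scoped to a single computer object, a member of Installers can join PC01 but cannot join or reset any other account in the OU.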

Configuring Computer Properties

Computer objects have several properties that are not visible when creating a computer account in the user interface. Open a computer object’s Properties dialog box to set its location and description, configure its group memberships and dial-in permissions, and link it to a user object of the computer’s manager. The Operating System properties page is read-only. The information is published automatically to Active Directory, and will be blank until a computer has joined the domain using that account.

Several object classes in Active Directory support the Manager property that is shown on the Managed By property page of a computer. This linked property creates a cross-reference to a user object. All other properties on that page, such as the addresses and telephone numbers, are displayed directly from the user object. They are not stored as part of the computer object itself.

The DSMOD command, as discussed in the previous topic, can also modify several of the properties of a computer object. You will see the DSMOD command in action in the following section regarding troubleshooting computer accounts.

Finding and Connecting to Objects in Active Directory

When a user calls you with a particular problem, you might want to know what operating system and service pack is installed on that user’s system. You learned that this information is stored as properties of the computer object. The only challenge, then, is to locate the computer object, which may be more difficult in a complex Active Directory with one or more domains and multiple OUs.

The Active Directory Users and Computers snap-in provides easy access to a powerful, graphical search tool. This tool can be used to find a variety of object types. In this context, however, your search entails an object of the type Computer. Click the Find Objects In Active Directory button on the console toolbar. The resulting Find Computers dialog box is illustrated in the figure below. You can select the type of object (Find), the scope of the search (In), and specify search criteria before clicking Find Now.


The list of results allows you to select an object and, from the File menu or the shortcut menu, perform common tasks on the selected object. Many administrators appreciate learning that you can use the Manage command to open the Computer Management console and connect directly to that computer, allowing you to examine its event logs, device manager, system information, disk and service configuration, or local user or group accounts.
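A scripted version of the same search and the Manage command, as an added example that is not part of the original post: it locates a computer object anywhere in the domain, reads the operating system and service pack properties published at join time, and opens Computer Management connected to the host. It assumes the ActiveDirectory PowerShell module and uses the constructed computer name PC01.

```powershell
# Added example: command-line counterpart of the Find Computers dialog and the
# Manage shortcut-menu command. PC01 / PC0* are constructed names.
Import-Module ActiveDirectory

function Find-DomainComputer {
    param([Parameter(Mandatory)][string]$Name)
    # Get-ADComputer searches from the domain root by default, so the object is
    # found regardless of which OU it sits in.
    Get-ADComputer -Filter "Name -like '$Name'" `
        -Properties OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion,
                    DNSHostName, Description, Location, ManagedBy, LastLogonDate |
        Select-Object Name, DistinguishedName, OperatingSystem, OperatingSystemServicePack,
                      OperatingSystemVersion, DNSHostName, Location, ManagedBy, LastLogonDate
}

# Wildcards behave as they do in the dialog's Computer name field.
$found = Find-DomainComputer -Name 'PC0*'
$found | Format-Table -AutoSize

# Blank OS fields mean the account was pre-created but no machine has joined with it yet.
$found | Where-Object { -not $_.OperatingSystem } |
    ForEach-Object { "Account $($_.Name) has not yet been used for a join" }

# The Manage command, scripted: open Computer Management against the selected host
# to reach its event logs, services, disks and local accounts.
$target = $found | Where-Object { $_.Name -eq 'PC01' }
if ($target -and $target.DNSHostName) {
    Start-Process compmgmt.msc -ArgumentList "/computer=$($target.DNSHostName)"
}
```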

1 comment:

  1. Hi

    I read this post two times.

    I like it so much, please try to keep posting.

    Let me introduce other material that may be good for our community.

    Source: Property accountant interview questions

    Best regards
    Henry
