Managing Computer Accounts
Microsoft® Windows® 2000 Scripting Guide
In Active Directory, computers are security principals, just like users. This means that computers must also have accounts and passwords, just like other security principals. To be fully authenticated by Active Directory, a user must not only have a valid user account, but he or she must also log on to the domain from a computer that has a valid computer account. If a user attempts to log on from an unauthorized computer, authentication will fail and the user will be denied access to important Active Directory capabilities such as Group Policy, roaming user profiles, remote installation, Quality of Service (QoS) networking, DNS, and applications that use Active Directory as a data store.
You cannot create computer accounts for computers running Microsoft® Windows® 95, Microsoft® Windows® 98, Microsoft® Windows® Millennium Edition, and Microsoft® Windows® XP Home Edition because these operating systems do not adhere to Active Directory security requirements. As a result, computers running these operating systems cannot join a domain, and users logging on from these computers will not have access to the complete range of Active Directory resources and services.
Attributes of an Active Directory Computer Account
Each computer account in Active Directory is an instance of the Computer class. This class has six mandatory attributes. (Attributes are also referred to as properties.) Mandatory attributes are properties that each account must have; you cannot create a computer account in Active Directory unless that account has each of the following attributes:
Common-Name
SAM-Account-Name
Instance-Type
NT-Security-Descriptor
Object-Category
Object-Class
.gif "note")
Note
- When you create a computer account, you need to specify that the account is for a computer and provide the Common-Name and the SAM-Account-Name. The other mandatory attributes will automatically be created for you.
In addition to the six mandatory attributes, the Computer class has scores of optional attributes that are inherited from the User class. These attributes vary in usefulness. Some, such as computer location, are extremely useful to administrators; by configuring the computer location attribute, administrators can use Active Directory as a way to identify the physical location of every computer in the organization.
Other attributes are meaningless when applied to a computer; for example, computers do not have user profile paths or home phone numbers (although Active Directory does not prevent you from assigning a user profile path or a home phone number to a computer). Although these might seem nonsensical, the Computer class possesses these attributes simply because the class was derived from the User class. As such, the Computer class inherited all the attributes found in the User class.
A subset of the attributes useful for working with computer accounts are listed in Table 9.1. All of these attributes are available after the computer account has been created.
Table 9.1 Attributes of the ADSI Active Directory Computer Account
Attribute |
Description |
|---|---|
accountDisabled |
Boolean value indicating whether the account is enabled for use. |
canonicalName |
Name of the computer in canonical form (for example, Server5.fabrikam.com). |
cn |
Common name of the computer (for example, Server5). |
company |
Name of the company responsible for the computer. This attribute can be useful in large organizations that encompass multiple companies. |
department |
Name of the department responsible for the computer. |
description |
Description of the computer. The description often includes information about the roles played by the computer. |
distinguishedName |
Distinguished name of the computer (in the format, CN=Server5, OU=Finance, DC=fabrikam, DC=com). |
division |
Name of the division responsible for the computer. |
dnsHostName |
Name of the computer as registered with the DNS server. |
location |
Physical location of the computer (often in the format Building Name/Floor Number/Room Number). |
name |
Name of the computer. |
operatingSystem |
Name of the operating system (such as Windows® 2000 Professional). |
operatingSystemServicePack |
ID string for the latest service pack installed on the computer (for example, SP4 indicates that the last service pack installed was service pack 4). |
operatingSystemVersion |
Version number for the operating system (for example, 5.0). |
sAMAccountName |
Logon name used to support clients and servers from a previous version of Windows (such as Microsoft® Windows NT® 4.0 and earlier, Windows 95, and Windows 98). The value of the sAMccountName attribute must be less than 20 characters to support computers running these operating systems. |
whenChanged |
Date the computer account was last modified. |
whenCreated |
Date the computer account was initially created. |