- Identity with Windows Server 2016:Microsoft 70-742 MCSA Exam Guide
- Vladimir Stefanovic Sasha Kranjac
- 395字
- 2021-07-02 13:40:48
Creating and managing computer accounts
Computers, like users, are security principals in AD DS that have an account with a logon name and password. Unlike users, the password for computer accounts is managed by Windows Server and changes automatically on a periodic basis. Computer accounts also authenticate against the domain and belong to one or more groups in AD DS. The most common tasks for computer accounts are moving between OUs and configuring properties.
Although computer accounts are automatically created when joining a computer to a domain, the proper procedure for this task requires us to create a computer account manually in AD DS before joining the computer to the domain. The creation process is very similar to creating a user account, and like a user account, it can be done using either MMC Snap-ins or PowerShell. Using Active Directory Users and Computers, you just need to populate the Computer Name field, and all other attributes can be configured later. Using the Active Directory Administrative Center, you need to populate the Computer Name field, because that's mandatory, but you'll configure many other attributes as well. PowerShell lovers will use the following command to create a computer account:
New-ADComputer -Name Server03 -Path "OU=Computers,OU=Packt,DC=mcsacertguide,DC=local"
By default, all computer accounts that are created using the New-ADComputer PowerShell cmdlet and without the -Path switch will be stored in the Computers system container.
A computer account that's created while joining the computer to the domain will be stored in the Computers system container as well.
All management tasks on a computer account can be done using either MMC Snap-ins or PowerShell. If you want to use MMC Snap-ins, you just need to configure some properties of the computer account. If you want to make changes using PowerShell, however, you need to use the Set-ADComputer or Set-ADObject PowerShell cmdlets, depending on the attribute that needs to be changed. Like user accounts, computer accounts are not by default protected from accidental deletion. During the creation process, this can be done using the Active Directory Administrative Center MMC Snap-in by checking the Protect from accidental deletion checkbox. This parameter can also be changed using Active Directory Users and Computers or the Set-ADObject PowerShell cmdlet using the same command, as for a user account:
Set-ADObject -Identity "CN=Server03,OU=Computers,OU=Packt,DC=mcsacertguide,DC=local"-ProtectedFromAccidentalDeletion:$true