Deleting and Disabling and Resetting Computer Accounts

Computer accounts, like user accounts, maintain a unique SID, which enables an administrator to grant permissions to computers. Also like user accounts, computers can belong to groups. Therefore, like user accounts, it is important to understand the effect of deleting a computer account. When a computer account is deleted, its group memberships and SID are lost. If the deletion is accidental, and another computer account is created with the same name, it is nonetheless a new account with a new SID. Group memberships must be reestablished, and any permissions assigned to the deleted computer must be reassigned to the new account. Delete computer objects only when you are certain that you no longer require those security-related attributes of the object.

To delete a computer account using Active Directory Users And Computers, locate and select the computer object and, from the Action menu or the shortcut menu, select the Delete command. You will be prompted to confirm the deletion and, because deletion is not reversible, the default response to the prompt is No. Select Yes and the object is deleted.

The Dsrm command-line tool introduced in Chapter 3 allows you to delete a computer object from the command prompt. To delete a computer with Dsrm, type:

DSRM ObjectDN

Where ObjectDN is the distinguished name of the computer, such as "CN=Desktop15, OU=Desktops,DC=contoso,DC=com." Again, you will be prompted to confirm the deletion.

Tip When a computer is disjoined from a domain—when an administrator changes the membership of the computer to a workgroup or to another domain—the computer attempts to delete its computer account in the domain. If it is not possible to do so because of lack of connectivity, networking problems, or credentials and permissions, the account will remain in Active Directory. It might appear, immediately or eventually, as disabled. If that account is no longer necessary, it must be deleted manually.

If a computer is taken offline or is not to be used for an extended period of time, you should consider disabling the account. Such an action reflects the security principle that an identity store allow authentication only of the minimum number of accounts required to achieve the goals of an organization. Disabling the account does not modify the computer's SID or group membership, so when the computer is brought back online, the account can be enabled.

The context menu, or Action menu, of a selected computer object exposes the Disable Account command. A disabled account appears with a red "X" icon in the Active Directory Users And Computers snap-in, as shown in Figure 5-5.

^ Active Directory Users and Computers

1- lam

File Action View Window

Help -Ifll xjH

ih B11®1 ® H> f 'C & ts v ir

¡¡^ Active Directory Users and Compu El LJ Saved Queries El-f^iJ contoso.com

E---U?! Administrative Groups 0-Sa BobH ffl-d Builtin CH Computers {<£1 Desktops El' {t§\ Domain Controllers mEastBranch

I+l-l^n Fmnlnvppc

<1 1 H

Desktops 5 objects

d

Name | Type | Description

^)DE5KTOP01 Computer ^¡DE5KTOP02 Computer ^¡DE5KTOP03 Computer ^¡DE5KTOP04 Computer

^DE5KTOP05 Computer

<1 1 ►!

1 1 1

Figure 5-5 A disabled computer account

Figure 5-5 A disabled computer account

While an account is disabled, the computer cannot create a secure channel with the domain. The result is that users who have not previously logged on to the computer, and who therefore do not have cached credentials on the computer, will be unable to log on until the secure channel is reestablished by enabling the account.

To enable a computer account, simply select the computer and choose the Enable Account command from the Action or shortcut menus.

To disable or enable a computer from the command prompt, use the Dsmod command. The Dsmod command modifies Active Directory objects. The syntax used to disable or enable computers is:

DSMOD COMPUTER ComputerDN -DISABLED YES DSMOD COMPUTER ComputerDN -DISABLED NO

If a computer account's group memberships and SID, and the permissions assigned to that SID, are important to the operations of a domain, you do not want to delete that account. So what would you do if a computer were replaced with a new system with upgraded hardware? Such is one scenario in which you would reset a computer account.

Resetting a computer account resets its password but maintains all of the computer object's properties. With a reset password, the account becomes, in effect, "available" for use. Any computer can then join the domain using that account, including the upgraded system.

In fact, the computer that had previously joined the domain with that account can use the reset account by simply rejoining the domain. This reality will be explored in more detail in the troubleshooting lesson.

The Reset Account command is available in the Action and context menus when a computer object is selected. The Dsmod command can also be used to reset a computer account, with the following syntax:

dsmod computer ComputerDN -reset

The Netdom command, included with the Windows Server 2003 Support Tools in the CD-ROM's Support\Tools directory, also enables you to reset a computer account.

Was this article helpful?

0 0

Post a comment