Computer Account Administration
by Marcin Policht
Marcin Policht's latest article presents different ways of managing secure channel communication between domain members and domain controllers. An added bonus in the article is a script that automates the deletion of inactive computer accounts.
Even though computer accounts are treated similarly to user accounts, there are several significant differences. When a computer becomes a member of a domain, its name is registered with the primary domain controller with a trailing "$". This also becomes its initial password. Based on this password, Windows establishes a "secure channel", used for encrypting communication between a domain member and domain controllers. This password gets reset (typically within 10 minutes) by the Netlogon service, which, from this point on, changes it, by default, every 7 days. Netlogon also maintains the passwords used for verifying trust relationships between two NT domains (although in this case, the initial password is determined by the administrators who initiate the process). This process, however, does not apply to primary and backup domain controllers: their passwords do not change once they are installed in the domain.
A workstation might also lose its domain membership status if:
- the proper procedure has not been followed when changing the workstation name. The workstation should be taken out of the domain, its name should be changed, and after the reboot, the workstation should be added back to the domain. The last step needs to be followed by a reboot.
- the reboot of the computer after switching from one domain to another did not take place within 10 minutes. The Netlogon service resets the password for the secure channel with the old domain if the machine has not been restarted.
- the machine went through a recovery process using the Emergency Repair Disk involving a SAM restore, and the restored information was outdated.
- the machine account was removed from the SAM database on the primary domain controller.
One of the options you have in order to eliminate these problems is disabling computer account password changes. This is done by setting the registry entry RefusePasswordChange, of type REG_DWORD, to 1 within the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
on all of the domain controllers in the domain. The procedure should be applied first to all the backup domain controllers and finally to the one serving as the primary. A side benefit of this change is the ability to set up a dual-boot machine with each installation using the same domain machine account.
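As an added example (not code from the original article), the following script reports the current RefusePasswordChange value on each domain controller, so you can see where machine account password changes have been frozen before deciding whether that trade-off is acceptable. It assumes WMI's StdRegProv class is reachable on each DC and that the names in arrDCs are placeholders for your own domain controllers.

```vbscript
Option Explicit

' Added example, not from the original article. Assumes remote WMI (StdRegProv)
' is available on every DC listed in arrDCs; the names below are placeholders.
Const HKEY_LOCAL_MACHINE = &H80000002
Const strKeyPath = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

Dim arrDCs, strDC, objReg, dwValue, intResult
arrDCs = Array("PDC1", "BDC1", "BDC2")   ' assumed DC names

For Each strDC In arrDCs
    On Error Resume Next
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strDC & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        WScript.Echo strDC & ": cannot connect (" & Err.Description & ")"
        Err.Clear
    Else
        ' GetDWORDValue returns 0 on success and a non-zero code when the value does not exist
        intResult = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE, strKeyPath, "RefusePasswordChange", dwValue)
        If intResult <> 0 Then
            WScript.Echo strDC & ": RefusePasswordChange not set (default 0, password changes allowed)"
        ElseIf dwValue = 1 Then
            WScript.Echo strDC & ": RefusePasswordChange = 1 (machine account password changes refused)"
        Else
            WScript.Echo strDC & ": RefusePasswordChange = " & dwValue
        End If
    End If
    On Error GoTo 0
Next
```

Run it with cscript so the output appears on the console; a DC reporting 1 keeps every machine account password in the domain static until the value is cleared again.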
In case you consider disabling machine account password changes to be too drastic, you have a couple of other options. The procedure for testing and resetting the secure channel depends on whether you operate in a Windows NT or Windows 2000 environment.
In a Windows NT 4.0 environment, you can use:
- NLTEST.EXE, provided with the original release of the Windows NT 4.0 Resource Kit, to verify trust relationships. The tool can be used to test both trust relationships (between trusted and trusting domains, between domain controllers, and between domain members and domain controllers) and secure channels. The options offered by NLTEST are described in the TechNet article Q158148.
- NETDOM.EXE, Windows NT 4.0 version, provided with Windows NT 4.0 Resource Kit Supplements 2 and 3 and hotfixed to version 1.8 (after version 1.7 was broken by Windows NT Service Pack 4). The Windows 2000 version of NETDOM does not work with Windows NT 4.0 systems. Using the /JOINDOMAIN option resets the secure channel and revalidates the machine account.
- a script written in VBScript (or JScript) with the WinNT ADSI provider. The script takes advantage of the fact that the initial computer password is identical to its account name registered with the primary domain controller (consisting of the computer name with the "$" suffix):
Option Explicit

Dim objComputer
Dim strDomain
Dim strComputer

strDomain = "MyDomain"
strComputer = "MyComputer"

' The WinNT provider exposes the machine account as a user named <computer>$
Set objComputer = GetObject("WinNT://" & strDomain & "/" & strComputer & "$")
' Set the password back to its initial value (the account name) so the
' workstation can re-establish its secure channel
objComputer.SetPassword strComputer & "$"
If you operate in a Windows 2000 environment, you can follow the procedures described in the TechNet article Q216393. In short, it can be done using one of the following approaches:
- with the Windows 2000 version of NLTEST.EXE (included on the Windows 2000 installation CD in the Support\Tools\Support.cab file), you can verify the secure channel between a domain member and a domain controller with its /SC_QUERY option.
- the Windows 2000 version of NETDOM.EXE (stored in the same location as NLTEST.EXE) offers the RESET option, which resets the secure channel when run on either a domain member or a domain controller.
- Active Directory Users and Computers has a context-sensitive "Reset Account" option for computer accounts.
- You can also use a script written in VBScript (or JScript) with the LDAP ADSI provider. Just as before, the script takes advantage of the fact that the initial computer password is identical to its account name registered with the primary domain controller (consisting of the computer name with the "$" suffix):
Option Explicit

Dim objComputer
Dim strDomain
Dim strComputer

strDomain = "MyDomain"
strComputer = "MyComputer"

' Bind through the LDAP provider using the computer object's distinguished name.
' Adjust the path if the account lives in a container or OU, for example
' cn=MyComputer,cn=Computers,dc=MyDomain,dc=com
Set objComputer = GetObject("LDAP://cn=" & strComputer & ",dc=" & strDomain & ",dc=com")
' Set the password back to its initial value (the account name)
objComputer.SetPassword strComputer & "$"
Another fairly common problem relating to computer accounts is the fact that they are difficult to keep track of. Unlike user accounts, they typically remain in the SAM database of domain controllers long after their original owners are reinstalled or cease to exist. Microsoft Knowledge Base article Q197478 describes a procedure for detecting and removing inactive machine accounts using several batch files and the NETDOM utility. The same goal can be accomplished using scripting with ADSI.
The script presented next first retrieves the collection of accounts registered in the SAM database of a domain controller, filters it down to computer accounts, and deletes the ones with a PasswordAge property exceeding whatever value is deemed acceptable (for example 90 days; this value needs to be expressed in seconds). One very important factor you need to keep in mind is that the passwords for domain controllers are not reset on a regular basis (so they are likely to satisfy the deletion criteria). The following script reads their names from a file (C:\Temp\DCList.txt) and excludes them from the list of machine accounts to delete from the domain.
Option Explicit

Const ForReading = 1
Const ForWriting = 2

Dim objFSO, objCompFile, objDCFile, objDomain, objComp, objNTComp, objDCNames
Dim strCompFile, strDCFile, strDomain, strLine
Dim intSecInADay, intAccountAge

strCompFile = "C:\Temp\InactivePCs.txt"   ' report of the accounts selected for deletion
strDCFile = "C:\Temp\DCList.txt"          ' one domain controller name per line
strDomain = "MyDomain"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCompFile = objFSO.OpenTextFile(strCompFile, ForWriting, True)
Set objDCFile = objFSO.OpenTextFile(strDCFile, ForReading)

' Load the DC names into a dictionary so the exclusion is an exact,
' case-insensitive name match rather than a substring search of the whole file
Set objDCNames = CreateObject("Scripting.Dictionary")
objDCNames.CompareMode = vbTextCompare
Do Until objDCFile.AtEndOfStream
    strLine = Trim(objDCFile.ReadLine)
    If strLine <> "" Then objDCNames.Item(strLine) = True
Loop
objDCFile.Close

' Enumerate only the computer accounts in the domain's SAM database
Set objDomain = GetObject("WinNT://" & strDomain)
objDomain.Filter = Array("Computer")

intSecInADay = 60 * 60 * 24
intAccountAge = 90   ' days; PasswordAge is reported in seconds

For Each objComp In objDomain
    ' The computer's password belongs to the user-type account named <computer>$
    Set objNTComp = GetObject("WinNT://" & strDomain & "/" & objComp.Name & "$")
    If objNTComp.PasswordAge > (intSecInADay * intAccountAge) Then
        If Not objDCNames.Exists(objComp.Name) Then
            ' Leave the Delete call commented out for the dry run; the report
            ' line is written either way
            'Call objDomain.Delete("Computer", objComp.Name)
            objCompFile.WriteLine objNTComp.Name & " -- computer account has been deleted"
        End If
    End If
Next

objCompFile.Close
Make sure that you run it first with the call to the Delete method commented out (as it appears in this sample script). Take a look at the listing generated in the file C:\Temp\InactivePCs.txt. After you confirm that the accounts to be deleted do not include any active machines, you can run the script again, this time with the leading quote removed.
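As an added example that is not part of the original article: the same stale-account check done through the Windows 2000 LDAP provider, reading pwdLastSet directly and recognising domain controller accounts by their userAccountControl flag instead of a hand-maintained list. The container path and domain name are assumptions, and the script only reports candidates; it deletes nothing.

```vbscript
Option Explicit

' Added example, not code from the original article. Assumes Windows 2000
' Active Directory, the LDAP ADSI provider, and an assumed domain MyDomain.com.
Const ADS_UF_SERVER_TRUST_ACCOUNT = &H2000   ' userAccountControl bit set on DC accounts

Dim strContainer, intMaxDays, objContainer, objComp, objPwd, dtmPwd, intUAC
strContainer = "LDAP://cn=Computers,dc=MyDomain,dc=com"   ' assumed; adjust to your domain
intMaxDays = 90

' Convert the 64-bit FILETIME LargeInteger that AD returns for pwdLastSet
' (100-nanosecond intervals since 1 January 1601 UTC) into a VBScript date (UTC)
Function FileTimeToDate(objLI)
    Dim lngHigh, lngLow
    lngHigh = objLI.HighPart
    lngLow = objLI.LowPart
    ' LowPart is read as a signed 32-bit value; a negative value means bit 31 was set
    If lngLow < 0 Then lngHigh = lngHigh + 1
    ' 600000000 intervals per minute, 1440 minutes per day
    FileTimeToDate = #1/1/1601# + (((lngHigh * 2 ^ 32) + lngLow) / 600000000 / 1440)
End Function

' Only the default Computers container is walked here; OUs would need their own bind
Set objContainer = GetObject(strContainer)
objContainer.Filter = Array("computer")

For Each objComp In objContainer
    intUAC = objComp.Get("userAccountControl")
    Set objPwd = objComp.Get("pwdLastSet")
    If (intUAC And ADS_UF_SERVER_TRUST_ACCOUNT) <> 0 Then
        WScript.Echo objComp.Name & ": domain controller account, skipped"
    ElseIf objPwd.HighPart = 0 And objPwd.LowPart = 0 Then
        ' pwdLastSet of 0 means the password was never set or must change; review by hand
        WScript.Echo objComp.Name & ": pwdLastSet is 0, review manually"
    Else
        dtmPwd = FileTimeToDate(objPwd)
        ' Now is local time while dtmPwd is UTC; the difference is irrelevant at a 90-day threshold
        If DateDiff("d", dtmPwd, Now) > intMaxDays Then
            WScript.Echo objComp.Name & ": password last set " & dtmPwd & " (candidate for removal)"
        End If
    End If
Next
```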
