Managing computer accounts from the command line is slightly different from managing them in Active Directory Users And Computers, chiefly because you have more options, especially when it comes to working with multiple computer accounts at the same time.
As discussed in Chapter 11, “Core Active Directory Services Administration,” you can use the DSQUERY computer command to search for computers. Not only can you search by Active Directory account name, SAM account name, and description, but you can also use wildcards in any of these fields to facilitate matches. The output of DSQUERY computer contains the DN of computers that match the search criteria and can be piped as input to other commands, including DSGET computer, which you can use in turn to display computer account properties.
DSGET computer is best used with DSQUERY computer. Here, you use DSQUERY computer to obtain the DNs for one or more computers and then use DSGET computer to display the properties for the related accounts. The properties displayed are selected with the following output parameters:
–Dn Displays the DN of matching computer accounts in the output.
–Samid Displays the SAM account name of matching computer accounts in the output.
–Sid Displays the security identifier for matching computer accounts in the output.
–Desc Displays the description of matching computer accounts in the output.
–Loc Displays the location attribute of matching computer accounts in the output.
–Disabled Displays a Yes/No value indicating whether the computer account is disabled.
DSGET computer displays output in table format. Generally speaking, you will always want to use –Dn, –Samid, or –Sid as a parameter to help you make sense of and identify the computers in the output. For example, if you wanted to search for all engineering computers that were disabled, you could use the command line
dsquery computer -name engcomp* | dsget computer -dn -disabled
Here, the results display the DN and the disabled status:
Dn disabled
CN=engcomp18,OU=Eng,DC=cpandl,DC=com yes
CN=engcomp19,OU=Eng,DC=cpandl,DC=com yes
CN=engcomp20,OU=Eng,DC=cpandl,DC=com no
CN=engcomp21,OU=Eng,DC=cpandl,DC=com no
CN=engcomp22,OU=Eng,DC=cpandl,DC=com no
dsget succeeded
You could also display the SAM account name as shown in this example:
dsquery computer -name engcomp* | dsget computer -samid -disabled
samid disabled
ENGCOMP18$ yes
ENGCOMP19$ yes
ENGCOMP20$ no
ENGCOMP21$ no
ENGCOMP22$ no
dsget succeeded
Or the security identifier:
dsquery computer -name engcomp* | dsget computer -sid -disabled
sid disabled
S-1-5-21-4087030303-3274042965-2323426166-1119 yes
S-1-5-21-4087030303-3274042965-2323426166-1120 yes
S-1-5-21-4087030303-3274042965-2323426166-1122 no
S-1-5-21-4087030303-3274042965-2323426166-1123 no
S-1-5-21-4087030303-3274042965-2323426166-1124 no
dsget succeeded
Either way, you have an identifier that makes it easier to differentiate the computer account entries. You can use the second syntax for DSGET computer to obtain the group membership of computers. For example, if you want to see what groups ENGCOMP18 is a member of, you could type the command
dsquery computer -name engcomp18 | dsget computer -memberof
or
dsget computer "CN=engcomp18,OU=Eng,DC=cpandl,DC=com" -memberof
Both commands work the same. In the first example, you use DSQUERY computer to obtain the DN of the computer account. In the second example, you specify the DN directly. Either way, the output would show the group memberships, such as
"CN=Tech,CN=Users,DC=cpandl,DC=com"
"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"
Here, the computer is a member of the Tech, Engineering, and Domain Computers groups.
While this technique can be used to display the membership of multiple computers, DSGET computer gives you no way to print a DN or SAM account name alongside each membership list. Thus, you get a list of group memberships, and the only indicator that the memberships belong to different computers is the blank line separating one computer’s response from the next. For example, if you used the query
dsquery computer -name engcomp* | dsget computer -memberof
the output might look like this:
"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

"CN=Tech,CN=Users,DC=cpandl,DC=com"
"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"
Here, you have output for five computer accounts (you can tell this because of the blank lines separating each group membership listing), but you have no indication of which computer account each set of entries relates to.
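To get the membership lists labeled with the computer they belong to, wrap the chapter’s two commands in a loop. The following PowerShell script is an added example and is not part of the original chapter; it assumes PowerShell with the DS command-line tools on the path, the cpandl.com domain used in the chapter, and the chapter’s engcomp* name pattern.

```powershell
# Added example (not from the original chapter): print each computer's group
# memberships under the computer's own DN, which a single DSGET computer -memberof
# call cannot do. Assumes dsquery/dsget are on the path and the cpandl.com domain.
$pattern = 'engcomp*'   # the chapter's example name pattern

dsquery computer -name $pattern -limit 0 | ForEach-Object {
    # dsquery wraps each DN in double quotes; strip them before reusing the DN
    $dn = $_.Trim().Trim('"')
    if (-not $dn) { return }

    # Second DSGET computer syntax: pass the DN directly, so every membership
    # list is tied to the computer it was requested for
    $groups = dsget computer $dn -memberof |
        Where-Object { $_ -and $_ -notmatch '^dsget (succeeded|failed)' } |
        ForEach-Object { $_.Trim().Trim('"') }

    [pscustomobject]@{
        Computer = $dn
        Groups   = ($groups -join '; ')
    }
}
```

Pipe the result to Format-List or Export-Csv to keep it as documentation. The -limit 0 parameter removes DSQUERY’s default cap of 100 results, which matters as soon as the pattern matches more than 100 computers.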
Real World | Don’t overlook the importance of being able to use DSQUERY computer to document the current computer account configuration. A sample command line for documenting computer accounts follows:

dsquery computer "DC=cpandl,DC=com" -limit 0 | dsget computer -dn -samid -sid -desc -loc -disabled > domaincomputers.txt

Here, the command lists all the computer accounts in the cpandl.com domain along with their properties and saves this information to a file. The -limit 0 parameter is essential: by default, DSQUERY returns at most 100 objects, so without it a domain with more than 100 computers would be only partly documented. |
From the command line, it is fast and easy to set or change computer account locations and descriptions using the DSMOD computer command. You can, in fact, set the location or description for 1, 10, 100, or more computers at the same time. Suppose that you want all 500 computers in the Engineering OU to have their description say “Engineering Computer” and their location say “Engineering Dept.” You could do this with a single command line, as follows:
dsquery computer "OU=Engineering,DC=cpandl,DC=com" -limit 0 | dsmod computer -loc "Engineering Dept." -desc "Engineering Computer"
The -limit 0 parameter matters here: DSQUERY computer returns only the first 100 matches by default, so without it only 100 of the 500 accounts would be updated.
The DSMOD computer command would then report the individual success or failure of each change:
dsmod succeeded:CN=Engineeringcomp01,OU=Engineering,DC=cpandl,DC=com
dsmod succeeded:CN=Engineeringcomp02,OU=Engineering,DC=cpandl,DC=com
dsmod succeeded:CN=Engineeringcomp03,OU=Engineering,DC=cpandl,DC=com
...
dsmod succeeded:CN=Engineeringcomp499,OU=Engineering,DC=cpandl,DC=com
dsmod succeeded:CN=Engineeringcomp500,OU=Engineering,DC=cpandl,DC=com
Although changing these values in the GUI could take you hours, the entire process from the command line takes only a few minutes. You simply type the command line and let DSMOD computer do the work for you.
You can enable or disable computer accounts from the command line using the DSMOD computer command and the –Disabled parameter. Type –disabled yes to disable the computer account and type –disabled no to enable the computer account.
In the following example, you disable all computers in the TestLab OU:
dsquery computer "OU=TestLab,DC=cpandl,DC=com" -limit 0 | dsmod computer -disabled yes
The DSMOD computer command would then report the individual success or failure of each change:
dsmod succeeded:CN=TestLabcomp01,OU=TestLab,DC=cpandl,DC=com
dsmod succeeded:CN=TestLabcomp02,OU=TestLab,DC=cpandl,DC=com
dsmod succeeded:CN=TestLabcomp03,OU=TestLab,DC=cpandl,DC=com
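A bulk disable is easy to get wrong, because DSMOD changes whatever DSQUERY hands it. The following PowerShell script is an added example, not part of the original chapter: it lists the targets before touching them, records the reason and date in each account’s description, keeps going after individual failures, and saves the per-account results. It assumes PowerShell with the DS tools on the path and the TestLab OU from the chapter’s example; the log file name and the description text are illustrative choices.

```powershell
# Added example (not from the original chapter): disable every computer account
# under an OU with a reviewable target list and a record of what was done.
$ou     = 'OU=TestLab,DC=cpandl,DC=com'                          # the chapter's example OU
$reason = "Disabled $(Get-Date -Format yyyy-MM-dd) - TestLab decommission"   # illustrative text
$logFile = 'disable-testlab.log'                                  # illustrative file name

# -limit 0 lifts dsquery's default cap of 100 results; subtree scope is the default
$targets = @(dsquery computer $ou -limit 0 | Where-Object { $_ })
if ($targets.Count -eq 0) { Write-Warning "No computer accounts found under $ou"; return }

"$($targets.Count) computer account(s) under $ou will be disabled:"
$targets

# -c makes dsmod report an error and continue with the next object instead of
# stopping at the first failure; the description records why the account is off
$log = $targets | dsmod computer -disabled yes -desc $reason -c
$log | Set-Content -Path $logFile

$failed = @($log | Where-Object { $_ -match '^dsmod failed' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) change(s) failed; see $logFile"
    $failed
}
```

Run the script up to the target listing first and check the list; only when it contains exactly the accounts you expect should the DSMOD line run.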
Just like user accounts, computer accounts have passwords. Unlike user accounts, however, computer-account passwords are managed and maintained automatically: the computer generates a new password and changes it on the domain controller, by default every 30 days. The password is held in two places, as a secret stored locally on the computer and as the corresponding value on the computer’s account in Active Directory, and the two are used to establish the secure channel between the computer and the domain controllers.
Both copies must stay in sync. If they fall out of sync (for example, because the computer was restored from a backup or image taken before its last password change), the computer can no longer authenticate to the domain, and the Netlogon service logs a domain authentication error with event ID 3210 on the computer or 5722 on the domain controller. The computer-account password is then said to be “stale,” and you’ll need to reset the account to get the two copies back in sync.
To reset a password that is out of sync, use DSMOD computer and the –Reset parameter. Consider the following example:
dsmod computer "CN=Engineeringcomp01,OU=Engineering,DC=cpandl,DC=com" -reset
Here, you reset the password for the Engineeringcomp01 computer in the Engineering organizational unit of the cpandl.com domain. Keep in mind that this resets only the Active Directory side of the password; the computer’s local copy is unchanged, so after the reset you must rejoin the computer to the domain. If you would rather avoid the rejoin, run netdom resetpwd on the affected computer instead, which resets both copies at once.
You could just as easily reset all computer accounts in the Engineering OU. To do this, you would use DSQUERY computer to obtain a list of all computers in the Engineering OU and DSMOD computer to reset their passwords, such as
dsquery computer "OU=Engineering,DC=cpandl,DC=com" -limit 0 | dsmod computer -reset
Because every account reset forces a rejoin, this command takes every computer in the OU off the domain until it is rejoined, so be sure that is what you intend before running it against a whole OU.
Real World | One way to find computer accounts whose passwords may be stale is to use the DSQUERY computer command with the –Stalepwd parameter, which returns computers whose password has not changed in the specified number of days. If you are using the default 30-day change interval for computer-account passwords, you would look for stale passwords by using -Stalepwd 30, as in this example:

dsquery computer -stalepwd 30 -limit 0

The resulting output lists computers with passwords older than 30 days. That alone does not tell you why: the password may be out of sync, the computer may have been off the network or retired, or password changes may have been disabled on it. Combine the result with the –Inactive parameter (which takes a number of weeks) or with DSGET computer -disabled to tell these cases apart before resetting anything. |
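The following PowerShell script is an added example, not part of the original chapter, showing how to separate the cases the sidebar describes. It assumes PowerShell with the DS tools on the path, the cpandl.com domain, and the chapter’s 30-day default; the 4-week inactivity window is an assumption chosen for illustration. Note that DSQUERY’s -inactive parameter relies on the lastLogonTimestamp attribute, which is only maintained at the Windows Server 2003 domain functional level or higher.

```powershell
# Added example (not from the original chapter): cross-reference stale-password
# computers with inactive computers so each account gets the right follow-up.
$staleDays     = 30   # the chapter's default password-change interval
$inactiveWeeks = 4    # assumption for illustration: "inactive" = no logon in 4 weeks

# -stalepwd N: password older than N days; -inactive N: no logon in N weeks
$stale    = @(dsquery computer -stalepwd $staleDays -limit 0 | Where-Object { $_ })
$inactive = @(dsquery computer -inactive $inactiveWeeks -limit 0 | Where-Object { $_ })

# Index the inactive DNs (dsquery quotes them; keep the raw form for lookups)
$inactiveSet = @{}
foreach ($dn in $inactive) { $inactiveSet[$dn] = $true }

$report = foreach ($dn in $stale) {
    if ($inactiveSet.ContainsKey($dn)) {
        # Not logging on: either unused or unable to authenticate (out of sync)
        $status = 'stale and inactive: unused or out of sync (disable, or reset and rejoin)'
    } else {
        # Still logging on, so the secure channel works; the password just is not rotating
        $status = 'stale but still logging on: password not rotating (check machine policy)'
    }
    [pscustomobject]@{ Computer = $dn.Trim('"'); Status = $status }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

A computer that is stale but still logging on has a working secure channel, so resetting it would only break it; the account to reset (or disable) is the one that is both stale and inactive.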
Computer accounts are normally placed in the Computers, Domain Controllers, or customized OU containers. You can move a computer account to a different container or OU within its current domain using DSMOVE. Specify the computer account’s current DN and then use the –Newparent parameter to specify the new location or parent DN of the computer accounts. If you wanted to move the CORPSVR03 computer account from the Tech OU to the Engineering OU, you would specify the computer account’s DN, such as “CN=CORPSVR03,OU=Tech, DC=cpandl,DC=com,” and provide the parent DN for the new location, such as “OU=Engineering,DC=cpandl,DC=com.” The related command would look like this:
dsmove "CN=CORPSVR03,OU=Tech,DC=cpandl,DC=com" -newparent "OU=Engineering,DC=cpandl,DC=com"
We could have also obtained the computer account DN using the DSQUERY computer command. To do this, you simply pipe the output of DSQUERY computer to DSMOVE, as shown in this example:
dsquery computer -name "CORPSVR03" | dsmove -newparent "OU=Engineering,DC=cpandl,DC=com"
Here, the computer account DN, “CN=CORPSVR03,OU=Tech,DC=cpandl,DC=com,” is obtained from DSQUERY computer and used as input to DSMOVE. This example works regardless of whether the computer account is for a workstation, member server, or domain controller. Be careful with domain controllers, though: the Default Domain Controllers Policy is linked to the Domain Controllers OU, so a domain controller account moved out of that OU stops receiving it.
If you no longer need a computer account, you can delete it permanently from Active Directory using the DSRM command. Deleting the account does not touch the computer itself; if the computer is later rejoined, it gets a new account with a new SID, so group memberships and permissions granted to the old account are lost. In most cases, you’ll want to delete only a specific computer account, such as Corpserver03. If this is the case, you remove the account by passing DSRM the DN of the computer account, such as
dsrm "CN=corpserver03,OU=Eng,DC=cpandl,DC=com"
By default, DSRM prompts you to confirm the deletion. If you don’t want to see the prompt, use the –Noprompt parameter, such as
dsrm "CN=corpserver03,OU=Eng,DC=cpandl,DC=com" -noprompt