Managing Computer Account Properties




Managing computer accounts from the command line is slightly different from managing them in Active Directory Users And Computers, chiefly because you have more options, especially when it comes to working with multiple computer accounts at the same time.

Viewing and Finding Computer Accounts

As discussed in Chapter 11, “Core Active Directory Services Administration,” you can use the DSQUERY computer command to search for computers. Not only can you search by Active Directory account name, SAM account name, and description, but you can also use wildcards in any of these fields to facilitate matches. The output of DSQUERY computer contains the DN of computers that match the search criteria and can be piped as input to other commands, including DSGET computer, which you can use in turn to display computer account properties.

DSGET computer is best used with DSQUERY computer: you use DSQUERY computer to obtain the DNs for one or more computers and then pipe them to DSGET computer to display the properties of the related accounts. Which properties are displayed is selected with these parameters:

  • Dn Displays the DN of matching computer accounts in the output.

  • Samid Displays the SAM account name of matching computer accounts in the output.

  • Sid Displays the security identifier for matching computer accounts in the output.

  • Desc Displays the description of matching computer accounts in the output.

  • Loc Displays the location attribute of matching computer accounts in the output.

  • Disabled Displays a Yes/No value indicating whether the computer account is disabled.

DSGET computer displays its output in table format, one column per requested property. You will almost always want to include –Dn, –Samid, or –Sid so that you can identify the computers in the output. For example, to list every engineering computer together with whether its account is disabled, you could use the command line

dsquery computer -name engcomp* | dsget computer -dn -disabled

Here, the results display the DN and the disabled status:

dn                                     disabled
CN=engcomp18,OU=Eng,DC=cpandl,DC=com   yes
CN=engcomp19,OU=Eng,DC=cpandl,DC=com   yes
CN=engcomp20,OU=Eng,DC=cpandl,DC=com   no
CN=engcomp21,OU=Eng,DC=cpandl,DC=com   no
CN=engcomp22,OU=Eng,DC=cpandl,DC=com   no
dsget succeeded

You could also display the SAM account name as shown in this example:

dsquery computer -name engcomp* | dsget computer -samid -disabled
samid       disabled
ENGCOMP18$  yes
ENGCOMP19$  yes
ENGCOMP20$  no
ENGCOMP21$  no
ENGCOMP22$  no
dsget succeeded

Or the security identifier:

dsquery computer -name engcomp* | dsget computer -sid -disabled
sid                                             disabled
S-1-5-21-4087030303-3274042965-2323426166-1119  yes
S-1-5-21-4087030303-3274042965-2323426166-1120  yes
S-1-5-21-4087030303-3274042965-2323426166-1122  no
S-1-5-21-4087030303-3274042965-2323426166-1123  no
S-1-5-21-4087030303-3274042965-2323426166-1124  no
dsget succeeded

Either way, you have an identifier that makes it easier to differentiate the computer account entries. You can use the second syntax for DSGET computer to obtain the group membership of computers. For example, if you want to see what groups ENGCOMP18 is a member of, you could type the command

dsquery computer -name engcomp18 | dsget computer -memberof

or

dsget computer "CN=engcomp18,OU=Eng,DC=cpandl,DC=com" -memberof

Both commands work the same. In the first example, you use DSQUERY computer to obtain the DN of the computer account. In the second example, you specify the DN directly. Either way, the output would show the group memberships, such as

"CN=Tech,CN=Users,DC=cpandl,DC=com"
"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

Here, the computer is a member of the Tech, Engineering, and Domain Computers groups.

While this technique could be used to display the membership of multiple computers, the –Memberof syntax cannot be combined with –Dn or –Samid, so there is no way to label each membership list with the computer it belongs to. You get a list of group memberships, and the only indicator that the memberships are for different computers is the blank line separating the responses. For example, if you used the query

dsquery computer -name engcomp* | dsget computer -memberof

the output might look like this:

"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

"CN=Tech,CN=Users,DC=cpandl,DC=com"
"CN=Engineering,OU=Eng,DC=cpandl,DC=com"
"CN=Domain Computers,CN=Users,DC=cpandl,DC=com"

Here, you have output for five computer accounts (you can tell this because of the blank lines separating each group membership listing), but no indication of which computer account each set of entries belongs to.

Real World

Don’t overlook the importance of being able to use DSQUERY computer to document the current computer account configuration. A sample command line for documenting computer accounts follows:

dsquery computer "DC=cpandl,DC=com" -limit 0 | dsget computer -dn -samid -sid -desc -loc -disabled > domaincomputers.txt

Here, the command lists all the computer accounts in the cpandl.com domain together with their properties and saves the output to a file. The –Limit 0 parameter matters: without it, DSQUERY returns only the first 100 matching objects and the report is silently incomplete. Run the report at regular intervals and compare the files; a computer account that appears, disappears, or changes its disabled status between runs is worth explaining.
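Two things this section leaves you wanting, a –Memberof listing that is labeled with the computer it belongs to and a documentation run that yields one row per computer, can both be had by calling DSGET once per DN from PowerShell. The function below is an added example, not code from the book; it assumes the DS tools (dsquery.exe and dsget.exe) are on the PATH and that you have read access to the objects, and the OU and name pattern in the usage comment are made up.

```powershell
# Added example (not from the book): label each dsget -memberof result with the
# computer DN it belongs to, one object per computer, so the output can be sorted
# or exported. Assumes dsquery.exe/dsget.exe (AD DS command-line tools) are on
# the PATH; the OU and name pattern in the usage comment are assumptions.
function Get-ComputerGroupReport {
    [CmdletBinding()]
    param(
        # Name pattern passed to dsquery computer -name (wildcards allowed).
        [string]$Name = '*',
        # Start node for the search (an OU DN, or domainroot); empty = current domain.
        [string]$StartNode = ''
    )

    # dsquery returns only the first 100 objects unless -limit 0 is given.
    $dsqueryArgs = @('computer')
    if ($StartNode) { $dsqueryArgs += $StartNode }
    $dsqueryArgs += @('-name', $Name, '-limit', '0')

    $dns = & dsquery.exe @dsqueryArgs
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed with exit code $LASTEXITCODE" }

    foreach ($line in $dns) {
        # dsquery prints each DN wrapped in double quotes; dsget takes it bare.
        $dn = $line.Trim().Trim('"')
        if (-not $dn) { continue }

        # Second dsget syntax: dsget computer <DN> -memberof. Keep only the quoted
        # group DNs; the trailing "dsget succeeded" status line is dropped.
        $groups = @(& dsget.exe computer $dn -memberof | ForEach-Object {
            if ($_ -match '^"(CN=.+)"$') { $Matches[1] }
        })
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsget failed for $dn"; continue }

        # CN component of the DN, e.g. engcomp18, as a short label.
        $cn = $dn
        if ($dn -match '^CN=([^,]+)') { $cn = $Matches[1] }

        [pscustomobject]@{
            ComputerDN = $dn
            Name       = $cn
            GroupCount = $groups.Count
            Groups     = ($groups -join ';')
        }
    }
}

# Usage (assumed OU and pattern): one row per computer, ready for Export-Csv.
# Get-ComputerGroupReport -Name 'engcomp*' -StartNode 'OU=Eng,DC=cpandl,DC=com' |
#     Export-Csv -Path .\engcomp-groups.csv -NoTypeInformation
```

Running DSGET once per computer is slower than one piped call, but it is the only way to keep the association between a computer and its groups, and the resulting CSV is far easier to diff between documentation runs than the fixed-width table DSGET prints.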

Setting or Changing a Computer’s Location or Description Attribute

From the command line, it is fast and easy to set or change computer account locations and descriptions using the DSMOD computer command. You can, in fact, set the location or description for 1, 10, 100, or more computers at the same time. Suppose that you want all 500 computers in the Engineering OU to have their description say “Engineering Computer” and their location say “Engineering Dept.” You could do this with a single command line, as follows (note –Limit 0, because DSQUERY otherwise returns only the first 100 computers and the remaining 400 would be left unchanged):

dsquery computer "OU=Engineering,DC=cpandl,DC=com" -limit 0 | dsmod computer -loc "Engineering Dept." -desc "Engineering Computer"

The DSMOD computer command would then report the individual success or failure of each change:

dsmod succeeded:CN=Engineeringcomp01,OU=Engineering,DC=cpandl,DC=com
dsmod succeeded:CN=Engineeringcomp02,OU=Engineering,DC=cpandl,DC=com
dsmod succeeded:CN=Engineeringcomp03,OU=Engineering,DC=cpandl,DC=com
...
dsmod succeeded:CN=Engineeringcomp499,OU=Engineering,DC=cpandl,DC=com
dsmod succeeded:CN=Engineeringcomp500,OU=Engineering,DC=cpandl,DC=com

Although changing these values in the GUI could take hours, from the command line the entire process takes only a few minutes. You simply type the command line and let DSMOD computer do the work for you.

Disabling and Enabling Computer Accounts

You can enable or disable computer accounts from the command line using the DSMOD computer command and the –Disabled parameter. Type –disabled yes to disable the computer account and type –disabled no to enable the computer account.

In the following example, you disable all computers in the TestLab OU:

dsquery computer "OU=TestLab,DC=cpandl,DC=com" | dsmod computer -disabled yes

The DSMOD computer command would then report the individual success or failure of each change:

dsmod succeeded:CN=TestLabcomp01,OU=TestLab,DC=cpandl,DC=com
dsmod succeeded:CN=TestLabcomp02,OU=TestLab,DC=cpandl,DC=com
dsmod succeeded:CN=TestLabcomp03,OU=TestLab,DC=cpandl,DC=com

Resetting Computer Accounts with Stale Passwords

Just like user accounts, computer accounts have passwords. Unlike user accounts, however, computer account passwords are managed and maintained automatically: the computer itself generates a new password and changes it, by default every 30 days. Two copies of that password must stay in agreement: the one the computer holds locally (the secret it uses to set up its secure channel to a domain controller) and the one stored on the computer account in Active Directory.

If the two copies get out of sync, the computer can no longer establish a secure channel with a domain controller, so domain logons from that computer fail. Netlogon logs the failure as event ID 3210 on the computer and as event ID 5722 on the domain controller that rejected it. When this happens, the computer account password is said to be “stale” and you’ll need to reset the account to get the two copies back in sync.

To reset a password that is out of sync, use DSMOD computer and the –Reset parameter. Consider the following example:

dsmod computer "CN=Engineeringcomp01,OU=Engineering,DC=cpandl,DC=com"  -reset

Here, you reset the account password for the Engineeringcomp01 computer in the Engineering organizational unit of the cpandl.com domain. Be aware that –Reset changes only the copy stored in Active Directory (it is set back to its initial default); the computer’s own copy is untouched, so after the reset you must rejoin the computer to the domain before it can authenticate again. If the computer is still reachable, running NETDOM RESETPWD on the computer itself is usually the better option, because it resets both copies in one step.

You could just as easily reset all computer accounts in the Engineering OU. To do this, you would use DSQUERY computer to obtain the DNs of all computers in that OU and DSMOD computer to reset their passwords, such as

dsquery computer "OU=Engineering,DC=cpandl,DC=com" -limit 0 | dsmod computer -reset

Because every one of those computers would then need to be rejoined to the domain, this is rarely something you want to do to a whole OU of working machines; reserve it for the accounts that actually report secure-channel failures.

Real World

One way to find computer accounts whose passwords may be stale is to use the DSQUERY computer command with the –Stalepwd parameter, which returns computers that have not changed their password in the given number of days. If you are using the default value, 30 days, for computer account passwords, you would start looking for stale passwords with a value of –Stalepwd 30. Here is an example:

dsquery computer -stalepwd 30

The resulting output shows a list of computers with passwords older than 30 days, which could mean the passwords are stale or simply that the computers have been switched off or away from the network and have not had the chance to change them. A healthy computer’s password is up to 30 days old at any moment, so a threshold with some margin (60 or 90 days) produces fewer false positives, and combining –Stalepwd with –Inactive (which takes a number of weeks since the last logon) separates machines that have genuinely gone quiet from ones that are merely overdue. Accounts that turn out to be abandoned are still valid security principals and should be disabled promptly, and deleted only after a retention period.
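Putting the pieces of this section together (the –Stalepwd search, the –Inactive check, and bulk disabling with DSMOD computer from the previous section), here is an added PowerShell example, not from the book, that audits stale computer accounts and disables rather than deletes them, with a dry-run mode. It assumes the DS tools are on the PATH; the 90-day and 8-week thresholds and the report file name are assumptions.

```powershell
# Added example (not from the book): find computer accounts whose password has
# not changed in $StaleDays days AND that have not logged on in $InactiveWeeks
# weeks, skip the ones already disabled, record them, and disable the rest with
# dsmod computer. Assumes dsquery.exe/dsget.exe/dsmod.exe are on the PATH; the
# default thresholds and report path are assumptions, not book values.
function Disable-StaleComputerAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$StaleDays = 90,
        [int]$InactiveWeeks = 8,
        # Start node for the search; dsquery accepts an OU DN or the domainroot keyword.
        [string]$StartNode = 'domainroot',
        [string]$ReportPath = '.\stale-computers.txt'
    )

    # A password older than the 30-day default only proves the machine has not
    # checked in; requiring inactivity as well avoids flagging laptops that are
    # simply off the network for a while. -limit 0 lifts the 100-object default.
    $candidates = & dsquery.exe computer $StartNode -stalepwd $StaleDays -inactive $InactiveWeeks -limit 0
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed with exit code $LASTEXITCODE" }

    # Accounts that are already disabled need no action; dsquery -disabled lists them.
    $disabled = & dsquery.exe computer $StartNode -disabled -limit 0
    if ($LASTEXITCODE -ne 0) { throw "dsquery -disabled failed with exit code $LASTEXITCODE" }
    $disabledSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]@($disabled), [System.StringComparer]::OrdinalIgnoreCase)

    # dsquery prints one quoted DN per line; keep the quoting so dsget/dsmod accept it on stdin.
    $toDisable = @($candidates | Where-Object { $_ -and -not $disabledSet.Contains($_) })

    # Record what the accounts looked like before touching them (dsget table output).
    if ($toDisable.Count -gt 0) {
        $toDisable | dsget.exe computer -dn -samid -desc -loc -disabled |
            Out-File -FilePath $ReportPath -Encoding utf8
    }

    foreach ($dn in $toDisable) {
        # -WhatIf / -Confirm are honoured here; dsmod reads the target DN from stdin.
        if ($PSCmdlet.ShouldProcess($dn, 'dsmod computer -disabled yes')) {
            $dn | dsmod.exe computer -disabled yes | ForEach-Object { Write-Verbose $_ }
            if ($LASTEXITCODE -ne 0) { Write-Warning "dsmod failed for $dn" }
        }
    }

    # Return the DNs that were (or, with -WhatIf, would have been) disabled.
    return $toDisable
}

# Dry run first, then for real (thresholds are examples):
# Disable-StaleComputerAccount -StaleDays 90 -InactiveWeeks 8 -WhatIf
# Disable-StaleComputerAccount -StaleDays 90 -InactiveWeeks 8 -Verbose
```

Disabling keeps the account’s SID and its group memberships, so a machine that turns out to be alive after all can be re-enabled with DSMOD computer –Disabled no; the report file tells you what the accounts looked like before the change, and accounts still disabled after the retention period can be removed with DSRM.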

Moving Computer Accounts

Computer accounts are normally placed in the Computers container, the Domain Controllers OU, or a custom OU. You can move a computer account to a different container or OU within its current domain using DSMOVE. Specify the computer account’s current DN and then use the –Newparent parameter to specify the new location, that is, the parent DN under which the account should be placed. If you wanted to move the CORPSVR03 computer account from the Tech OU to the Engineering OU, you would specify the computer account’s DN, such as “CN=CORPSVR03,OU=Tech,DC=cpandl,DC=com,” and provide the parent DN for the new location, such as “OU=Engineering,DC=cpandl,DC=com.” The related command would look like this:

dsmove "CN=CORPSVR03,OU=Tech,DC=cpandl,DC=com" -newparent "OU=Engineering,DC=cpandl,DC=com"

We could have also obtained the computer account DN using the DSQUERY computer command. To do this, you simply pipe the output of DSQUERY computer to DSMOVE, as shown in this example:

dsquery computer -name "CORPSVR03" | dsmove -newparent "OU=Engineering,DC=cpandl,DC=com"

Here, the computer account DN, “CN=CORPSVR03,OU=Tech,DC=cpandl,DC=com,” is obtained from DSQUERY computer and used as input to DSMOVE. DSMOVE itself works the same way whether the account is for a workstation, member server, or domain controller, but domain controller accounts should stay in the Domain Controllers OU: the Default Domain Controllers Policy is linked there, and a domain controller moved elsewhere no longer receives it.

Deleting Computer Accounts

If you no longer need a computer account, you can delete it permanently from Active Directory using the DSRM command. Because deletion also discards the account’s SID, any group memberships and access control entries that referenced it are left pointing at an orphaned SID, so consider disabling the account first and deleting it only once you are sure it is no longer needed. In most cases, you’ll want to delete only a specific computer account, such as Corpserver03. If this is the case, you remove the account by passing DSRM the DN of the computer account, such as

dsrm "CN=corpserver03,OU=Eng,DC=cpandl,DC=com"

By default, DSRM prompts you to confirm the deletion. If you don’t want to see the prompt, use the –Noprompt parameter, such as

dsrm "CN=corpserver03,OU=Eng,DC=cpandl,DC=com" -noprompt






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
Year: 2004