Chapter 12: Managing Computer Accounts and Domain Controllers




The focus of this chapter is on managing domain computer accounts, which control access to the network and its resources. Like user accounts, domain computer accounts have attributes that you can manage, including names and group memberships. You can add computer accounts to any container or OU in the Active Directory directory service. However, the best containers to use are Computers, Domain Controllers, and any OUs that you’ve created. The standard Microsoft Windows tool for working with computer accounts is Active Directory Users And Computers. At the command line, you have many commands, each with a specific use. Whether you are logged on to a Windows XP Professional or Windows Server 2003 system, you can use the techniques discussed in this chapter to manage computer accounts and domain controllers.

Overview of Managing Computer Accounts from the Command Line

Two sets of command-line utilities are available for managing domain computer accounts. The first set can be used with any type of computer account, including workstations, member servers, and domain controllers. The second set of commands is used only with domain controllers and designed to help you manage their additional features and properties.

In addition to DSQUERY computer, discussed in the previous chapter, the general computer account commands include

  • DSADD computer Creates a computer account in Active Directory.

    dsadd computer ComputerDN [-samid SAMName] [-desc Description]
    [-loc Location] [-memberof GroupDN ...] [{-s Server | -d Domain}]
    [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]

  • DSGET computer Displays the properties of a computer account using one of two syntaxes. The syntax for viewing the properties of multiple computers is

    dsget computer ComputerDN ... [-dn] [-samid] [-sid] [-desc] [-loc] 
    [-disabled] [{-s Server | -d Domain}] [-u UserName] [-p {Password
    | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part PartitionDN
    [-qlimit] [-qused]]

    The syntax for viewing the membership information of a single computer is

    dsget computer ComputerDN [-memberof [-expand]] [{-s Server | -d Domain}]
    [-u UserName] [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]

  • DSMOD computer Modifies attributes of one or more computer accounts in the directory.

    dsmod computer ComputerDN ... [-desc Description] [-loc Location]
    [-disabled {yes | no}] [-reset] [{-s Server | -d Domain}]
    [-u UserName] [-p {Password | *}] [-c] [-q] [{-uc | -uco | -uci}]

Tip

For any of the computer and server commands, you can use input from DSQUERY to specify the object or objects you want to work with. If you want to type the distinguished names (DNs) for each object you want to work with, you can do this as well. Simply separate each DN with a space.
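The pipeline described in the Tip, as an added example that is not from the book: it reviews computer accounts with stale passwords and then disables them. The OU distinguished name and the 90-day threshold are placeholder assumptions; `-stalepwd`, `-limit` and `-disabled` are DSQUERY computer options that are not listed on this page.

```batch
@echo off
rem Added example (not from the book): review, then disable, computer accounts
rem whose machine password has not changed within DAYS days.
rem Assumptions: BASE is a placeholder OU; the commands run under the current
rem logon credentials, so no -u/-p values appear on the command line.
setlocal
set "BASE=OU=Workstations,DC=example,DC=com"
set "DAYS=90"

rem Step 1: report only. DSQUERY emits quoted DNs, one per line, and DSGET
rem reads them from the pipe in place of the ComputerDN argument.
rem -limit 0 lifts the default cap on the number of objects returned.
echo Computer accounts with passwords older than %DAYS% days:
dsquery computer "%BASE%" -stalepwd %DAYS% -limit 0 | dsget computer -dn -samid -desc -disabled

rem Step 2: require an explicit confirmation before changing anything.
set "ANSWER=no"
set /p "ANSWER=Disable these accounts? (yes/no): "
if /i not "%ANSWER%"=="yes" goto :done

rem Step 3: the same query feeds DSMOD. -c continues past an object that
rem fails instead of stopping at the first error.
dsquery computer "%BASE%" -stalepwd %DAYS% -limit 0 | dsmod computer -disabled yes -c

rem Step 4: verify by listing the accounts under BASE that are now disabled.
echo Disabled computer accounts under %BASE%:
dsquery computer "%BASE%" -disabled -limit 0 | dsget computer -dn -disabled

:done
endlocal
```

Disabling rather than deleting keeps the account's SID and group memberships, so an account disabled by mistake can be restored with `dsmod computer ComputerDN -disabled no`.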

In addition to DSQUERY server, discussed in the previous chapter, the utilities for managing the additional features of domain controllers include

  • DSGET server Displays the various properties of domain controllers using one of three syntaxes. The syntax for displaying the general properties of a specified domain controller is

    dsget server ServerDN ... [-dn] [-desc] [-dnsname] [-site] [-isgc] 
    [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c]
    [-q] [-l] [{-uc | -uco | -uci}]

    The syntax for displaying a list of the security principals who own the largest number of directory objects on the specified domain controller is

    dsget server ServerDN ... [{-s Server | -d Domain}] [-u UserName]
    [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
    [-topobjowner NumbertoDisplay]

    The syntax for displaying the DNs of the directory partitions on the specified server is

    dsget server ServerDN ... [{-s Server | -d Domain}] [-u UserName]
    [-p {Password | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]
    [-part]

  • DSMOD server Modifies properties of a domain controller.

    dsmod server ServerDN ... [-desc Description] [-isgc {yes | no}]
    [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c]
    [-q] [{-uc | -uco | -uci}]

Note

Another useful command for working with domain controllers and Active Directory is NTDSUTIL. NTDSUtil is a text-mode command interpreter that you invoke so that you can manage directory services using a separate command prompt and internal commands. You invoke the NTDSUtil interpreter by typing ntdsutil in a command window and pressing Enter.






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
EAN: 2147483647
Year: 2004
Pages: 114
