Introduction

As far as Active Directory is concerned, computers are very similar to users. In fact, computer objects inherit directly from the user object class, which is used to represent user accounts. That means computer objects have all of the attributes of user objects and then some. Computers need to be represented in Active Directory for many of the same reasons users do, including the need to access resources securely, utilize GPOs, and have permissions granted or restricted on them.

To participate in a domain, computers need a secure channel to a domain controller. A secure channel is an authenticated connection that can transmit encrypted data. To set up the secure channel, a computer has to present a password to a domain controller. The domain controller then verifies that password against the password stored in Active Directory with the computer's account.

Without the computer object and, consequently, the password stored with it, there would be no way for the domain controller to verify that a computer is what it claims to be.

The Anatomy of a Computer

The default location for computer objects in a domain is the cn=Computers container located directly off the domain root. You can, however, create computer objects anywhere in a domain. And in Windows Server 2003, you can modify the default location for computer objects as described in Recipe 8.12. Table 8-1 contains a list of some of the interesting attributes that are available on computer objects.

Table 8-1. Attributes of computer objects

| Attribute | Description |
|---|---|
| cn | Relative distinguished name of computer objects. |
| dnsHostName | Fully qualified DNS name of the computer. |
| lastLogonTimestamp | The approximate timestamp of the last time the computer logged in to the domain. This is a new attribute in Windows Server 2003. |
| managedBy | The distinguished name (DN) of the user or group that manages the computer. |
| memberOf | List of DNs of the groups the computer is a member of. |
| operatingSystem | Textual description of the operating system running on the computer. See Recipe 8.10 for more information. |
| operatingSystemHotFix | Currently not being used, but will hopefully be populated at some point. |
| operatingSystemServicePack | Service pack version installed on the computer. See Recipe 8.10 for more information. |
| operatingSystemVersion | Numeric version of the operating system installed on the computer. See Recipe 8.10 for more information. |
| pwdLastSet | Large integer that can be translated into the last time the computer's password was set. See Recipe 8.8 for more information. |
| sAMAccountName | NetBIOS-style name of the computer. This is typically the name of the computer with $ at the end. |
| userAccountControl | Account flag that defines various account properties. |
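
The pwdLastSet large integer and the userAccountControl flag value in Table 8-1 have to be decoded before they are useful in an account review. The following is an added example, not code from the book: it converts pwdLastSet to a UTC time, names the set userAccountControl bits, and lists findings per computer. The sample records, the 90-day threshold, and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_FLAGS = {  # documented userAccountControl bits relevant to computers
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

def filetime_to_datetime(value):
    """Large integer = 100-ns intervals since 1601-01-01 UTC; 0 means never set."""
    ticks = int(value)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def decode_uac(value):
    """Return the names of the known flags set in userAccountControl."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if int(value) & bit]

def review_computer(attrs, now, max_pwd_age_days=90):
    """List findings for one computer record (the threshold is an assumption)."""
    findings = []
    flags = decode_uac(attrs["userAccountControl"])
    pwd_set = filetime_to_datetime(attrs["pwdLastSet"])
    if not attrs["sAMAccountName"].endswith("$"):
        findings.append("sAMAccountName lacks trailing $")
    if pwd_set is None:
        findings.append("password never set")
    elif now - pwd_set > timedelta(days=max_pwd_age_days):
        findings.append("password older than %d days" % max_pwd_age_days)
    for risky in ("PASSWD_NOTREQD", "TRUSTED_FOR_DELEGATION"):
        if risky in flags:
            findings.append("flag " + risky)
    return findings

# Constructed sample records, shaped like an LDAP export (values as strings).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "WS01$", "userAccountControl": "4096", "pwdLastSet": "133606368000000000"},
    {"sAMAccountName": "OLDPC$", "userAccountControl": "4128", "pwdLastSet": "133485408000000000"},
    {"sAMAccountName": "STAGED$", "userAccountControl": "4098", "pwdLastSet": "0"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["sAMAccountName"], review_computer(rec, NOW))
```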