
Managing Active Directory objects

Once you have created user and computer objects, you can manage them and modify them in many of the same ways by which you created them.

Double-clicking any object in the Active Directory Administrative Center or the Active Directory Users And Computers console opens the Properties sheet for that object. The windows appear different, but they contain the same information and provide the same ability to alter the object attributes.

Managing multiple users

When managing domain user accounts, there are likely to be times when you have to make the same changes to multiple user objects, and modifying each one individually would be a tedious chore.

In these instances, it is possible to modify the properties of multiple user accounts simultaneously by using the Active Directory Administrative Center or the Active Directory Users And Computers console. You just select several user objects by holding down the Ctrl key as you click each user and then select Properties. A Properties sheet opens, containing the attributes you can manage for the selected objects simultaneously.
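The same bulk change can be scripted with the ActiveDirectory module, which is worth knowing when the selection is larger than a Ctrl-click comfortably handles or when you want a record of what changed. The block below is an added example, not code from the page or from Microsoft's documentation; the domain contoso.com, the Sales OU and the attribute values are placeholder assumptions.

```powershell
# Added example (not from the page): bulk-modify user objects with the ActiveDirectory module.
# Assumed placeholders: domain contoso.com, OU "Sales", and the attribute values written below.
Import-Module ActiveDirectory

# Select the target users with a filter instead of Ctrl-clicking them in the console.
$ou    = "OU=Sales,DC=contoso,DC=com"
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou -Properties Department, Office

# Review before writing: every object that reaches the pipeline below will be modified.
$users | Select-Object SamAccountName, Department, Office | Format-Table -AutoSize

# Apply one change to all selected users. -WhatIf previews the writes; remove it to commit.
$users | Set-ADUser -Department "Sales" -Office "Building 2" -WhatIf

# Attributes without a dedicated parameter go through -Replace (adds or overwrites) or -Clear.
$users | Set-ADUser -Replace @{ info = "Bulk update: Sales relocation" } -WhatIf
```

Piping the same `$users` collection into `Set-ADUser` mirrors the multi-select Properties sheet: the cmdlet writes the same attribute values to every object it receives, so the preview step matters as much as it does in the console.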

Joining computers to a domain

The process of joining a computer to a domain must be initiated from the computer itself and performed by a member of that computer's local Administrators group. After logging on, you join a computer running Windows Server 2012 R2 to a domain from the Computer Name tab in the System Properties sheet. You can open System Properties from Server Manager, by clicking the computer name or domain hyperlink on the Local Server Properties tile, or from Control Panel (System, then Change Settings).

On a computer that is not joined to a domain, the Computer Name tab displays the name assigned to the computer during the operating system installation and the name of the workgroup to which the system currently belongs (WORKGROUP, by default). To join the computer to the domain, click Change to display the Computer Name/Domain Changes dialog box.

In this dialog box, the Computer Name field enables you to change the name assigned to the computer during installation. Depending on whether you have already created a computer object, observe the following precautions:

  • To join a domain in which you have already created a computer object for the system in AD DS, the name in this field must match the name of that object exactly; otherwise the join will not reuse the pre-created object.
  • If you intend to have a computer object created during the joining process, the name in this field must not already exist in the domain.

When you select the Domain option and enter the name of the domain the computer will join, the computer locates and contacts a domain controller for that domain, and a credential prompt opens, asking for the name and password of a domain user account with permission to join the computer to the domain. These are domain credentials, distinct from the local Administrators account you used to log on.

Once you have authenticated with the domain controller, the computer is welcomed to the domain and you are instructed to restart the computer.

JOINING A DOMAIN BY USING NETDOM.EXE

It is also possible to use the Netdom.exe command-line utility to join a computer to a domain. The syntax for the command is as follows:

netdom join <ComputerName> /Domain:<DomainName>
[/UserD:<User> /PasswordD:<UserPassword>] [/OU:<OUDN>]
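The graphical procedure above and the Netdom syntax accomplish the same join. The block below is an added example, not code from the page, showing the Netdom form with concrete values and the equivalent Add-Computer cmdlet; contoso.com, CLIENT01, the CONTOSO\joinsvc account and the OU path are placeholder assumptions. Run one of the two, not both, on the computer being joined.

```powershell
# Added example (not from the page): join the local computer to contoso.com (assumed name).
# CLIENT01, CONTOSO\joinsvc and the OU distinguished name are placeholder values.

# Option A: Netdom. /PasswordD:* makes Netdom prompt for the password instead of leaving it
# in the command history. /OU places the object outside the default Computers container.
netdom.exe join CLIENT01 /Domain:contoso.com /UserD:CONTOSO\joinsvc /PasswordD:* `
    /OU:"OU=Workstations,DC=contoso,DC=com" /Reboot:30

# Option B: the Add-Computer cmdlet. Get-Credential prompts for the domain password;
# -NewName renames the computer and joins it in a single restart.
$cred = Get-Credential -UserName "CONTOSO\joinsvc" -Message "Account permitted to join computers"
Add-Computer -DomainName "contoso.com" -Credential $cred `
    -OUPath "OU=Workstations,DC=contoso,DC=com" -NewName "CLIENT01" -Restart

# After the restart, confirm the computer's secure channel to a domain controller is healthy.
Test-ComputerSecureChannel -Verbose
```

Whichever form you use, the account supplied must either hold Create Computer Objects permission on the target container or be covered by the Add Workstations To The Domain right described in the next section; placing the object in a specific OU with /OU or -OUPath always requires the explicit permission on that OU.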

CREATING COMPUTER OBJECTS WHILE JOINING

You can join a computer to a domain whether or not you have already created a computer object for it. Once the computer authenticates to the domain controller, the domain controller scans the Active Directory database for a computer object with the same name as the computer. If it does not find a matching object, the domain controller creates one in the default container (usually the Computers container), using the name supplied by the computer.

For the computer object to be created automatically in this manner, you might expect that the user account you specify when connecting to the domain controller must have object creation permissions for the Computers container, such as those held by members of the Administrators or Account Operators groups. However, this is not always the case.

Domain users can also create computer objects through an interesting, indirect process. The Default Domain Controllers Policy Group Policy object (GPO) grants a user right called Add Workstations To The Domain to the Authenticated Users special identity. This means that any user who is successfully authenticated to Active Directory is permitted to join up to 10 workstations to the domain and create the 10 associated computer objects, even if the user does not possess explicit object creation permissions. The limit of 10 is not part of the user right itself; it is the value of the ms-DS-MachineAccountQuota attribute on the domain object, and an administrator can change it. Because this default lets every domain user add machine accounts without an administrator's involvement, many organizations set the quota to 0 and instead delegate Create Computer Objects permission, or the user right, to a specific group of staff who perform joins.
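The following block is an added example, not code from the page, that audits how the quota is currently being used and shows the hardening change; contoso.com is an assumed domain name, and the decision to set the quota to 0 is common practice rather than something the page requires.

```powershell
# Added example (not from the page): audit and optionally restrict join-by-quota.
# Assumes the ActiveDirectory module and a domain such as contoso.com (placeholder).
Import-Module ActiveDirectory

$domain = Get-ADDomain
# The "10 workstations" limit is the ms-DS-MachineAccountQuota attribute on the domain head.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# Computer objects created under the quota (rather than by an account holding Create Computer
# Objects on the container) carry mS-DS-CreatorSID, which records the user who joined them.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module may return the value as a SecurityIdentifier or as raw bytes; accept both.
        if ($raw -is [byte[]]) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            $sid = [System.Security.Principal.SecurityIdentifier]$raw
        }
        $creator = $sid.Value
        try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $creator; WhenCreated = $_.whenCreated }
    } | Sort-Object WhenCreated -Descending | Format-Table -AutoSize

# Hardening (common practice, not required by the page): a quota of 0 means only accounts with
# explicit Create Computer Objects permission can add machines. Remove -WhatIf to apply.
Set-ADDomain -Identity $domain.DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

Run the audit before changing the quota: if the report shows ordinary users routinely joining machines, those joins must be moved to a delegated group first or the hardening will break an existing workflow.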

Note:
User rights are Group Policy settings that provide users with the ability to perform certain system-related tasks. For example, logging on locally to a domain controller requires that a user either have the Allow Log On Locally right assigned to his or her account or be a member of the Account Operators, Administrators, Backup Operators, Print Operators, or Server Operators group on the domain controller, because the default policy grants the right to those groups. Other settings in this collection govern tasks such as shutting down the system, taking ownership of files or other objects, and synchronizing directory service data.

JOINING A DOMAIN WHILE OFFLINE

It is typical for administrators to join computers to domains while the computers are connected to the network and have access to a domain controller. However, there are situations in which administrators might want to set up computers without access to a domain controller, such as a new branch office installation. In these cases, it is possible to perform an offline domain join by using a command-line program called Djoin.exe.

The offline domain join procedure requires you to run the Djoin.exe program twice, first on a computer with access to a domain controller and then on the computer to be joined. When connected to the domain controller, the program gathers computer account metadata for the system to be joined and saves it to a file. The syntax for this phase of the process is as follows:

djoin /provision /domain <DomainName>
/machine <ComputerName> /savefile <filename.txt>

You then transport the metadata file to the computer to be joined and run Djoin.exe again, specifying the name of the file. The program writes the metadata from the file into the local system, so that after a restart the computer is a domain member and completes the join the first time it can reach a domain controller. The metadata file contains the computer account's initial password, so treat it as a credential: move it over a protected channel and delete it once it has been consumed. The syntax for the second phase of the process is as follows:

djoin /requestODJ /loadfile <filename.txt>
/windowspath %SystemRoot% /localos
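The two phases above, with concrete values, as an added example that is not code from the page: contoso.com, BRANCH-PC01, the OU distinguished name and the file paths are placeholder assumptions.

```powershell
# Added example (not from the page): offline domain join with Djoin.exe.
# contoso.com, BRANCH-PC01, the OU path and C:\Provision are placeholder values.

# Phase 1: run on a domain-connected computer, as an account permitted to create the object.
# /machineou places the object in a chosen OU rather than the default Computers container;
# add /reuse if a computer object with this name already exists and should be reused.
djoin.exe /provision /domain contoso.com /machine BRANCH-PC01 `
    /machineou "OU=Branch,DC=contoso,DC=com" /savefile C:\Provision\BRANCH-PC01.txt

# The blob holds the machine account's initial password: handle it like a credential.
Get-Item C:\Provision\BRANCH-PC01.txt | Select-Object Name, Length, LastWriteTime

# Phase 2: run on BRANCH-PC01 from an elevated prompt after copying the file there,
# then remove the blob and restart to complete the join.
djoin.exe /requestODJ /loadfile C:\Provision\BRANCH-PC01.txt /windowspath $env:SystemRoot /localos
Remove-Item C:\Provision\BRANCH-PC01.txt -Force
Restart-Computer
```

Djoin reports success or failure for each phase on its own output; the object created in phase 1 is visible in Active Directory Users And Computers immediately, before the branch computer has ever been on the network.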

Managing disabled accounts

Disabling a user account prevents anyone from using it to log on to the domain until an administrator with the appropriate permissions enables it again. You disable user accounts manually to prevent their use while preserving all their attributes, for example when an employee leaves or takes extended leave. A related but distinct state is lockout: when the domain's account lockout policy is configured, repeated failed logon attempts lock the account so that an intruder cannot keep guessing the password. A locked-out account is not disabled; it becomes usable again automatically after the lockout duration expires, or when an administrator unlocks it, whereas a disabled account stays disabled until it is explicitly enabled.

To disable or enable a user or computer account in Active Directory Administrative Center or Active Directory Users And Computers, just right-click the object and select Disable or Enable from the shortcut menu. You can also disable and enable multiple accounts by selecting multiple objects and right-clicking.

To disable or enable a user or computer account by using Windows PowerShell, use the following cmdlets, which accept a SAM account name, distinguished name, GUID, or SID as the identity:

Disable-ADAccount -Identity <account name>
Enable-ADAccount -Identity <account name>
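The block below is an added example, not code from the page, that puts the two cmdlets to work alongside the cmdlets that find and clear the disabled and locked-out states; the account names, OU and domain are placeholder assumptions.

```powershell
# Added example (not from the page): disable, enable and unlock accounts, and find accounts
# already in those states. jdoe, OLDPC01, the Contractors OU and contoso.com are placeholders.
Import-Module ActiveDirectory

# Disable a departing user and a decommissioned workstation; a computer's SAM name ends in $.
Disable-ADAccount -Identity 'jdoe'
Disable-ADAccount -Identity 'OLDPC01$'

# Disable several accounts at once by piping a query, recording the reason as you go.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase "OU=Contractors,DC=contoso,DC=com" |
    Set-ADUser -Description "Disabled $(Get-Date -Format yyyy-MM-dd): contract ended" -PassThru |
    Disable-ADAccount

# Lockout is a separate state from disabled: list locked-out accounts and clear one explicitly.
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LastLogonDate
Unlock-ADAccount -Identity 'jdoe'

# Review the disabled population before re-enabling anything.
Search-ADAccount -AccountDisabled -UsersOnly | Select-Object Name, SamAccountName
Enable-ADAccount -Identity 'jdoe'
```

Search-ADAccount is the counterpart to the console's filtered views: -AccountDisabled and -LockedOut each list exactly one of the two states, which keeps a helpdesk from "fixing" a lockout by enabling an account that was disabled on purpose.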