digital8
Second Lieutenant
Joined: 29 Sep 2005
Posts: 1002
|
 Posted: Sat Oct 01, 2005 7:45 am Post subject: Joining a Domain Securely |
 |
|
How to securely add a computer to a domain.
When a computer joins an Active Directory domain, a computer account for the machine is created in the Computers container under the domain in Active Directory Users and Computers. Unfortunately this Computers container isn’t an OU so you can’t link a GPO to it to secure the accounts in it. So the result is that when the computer joins the domain it’s not really secured. There are two solutions to this if you’re running Windows Server 2003 on your domain controllers:
Pre-create the machine’s computer account in an OU that already has a GPO linked to it. You can do this using the dsadd computer ComputerDN command, which can be scripted if you have a lot of computers to join to your domain.
Use the redircomp.exe command to change the default storage location for new computer accounts from the Computers container to an OU that you specify. There’s also a similar command called redirusr.exe that can do the same for new user accounts you create, that is, create them in a specified OU instead of in the default Users container (which like the Computers container is similarly not an OU can so can’t have policy linked to it). |
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
