How to securely add a computer to a domain.
When a computer joins an Active Directory domain, a computer account for the machine is created in the Computers container under the domain in Active Directory Users and Computers. Unfortunately this Computers container isn’t an OU so you can’t link a GPO to it to secure the accounts in it. So the result is that when the computer joins the domain it’s not really secured. There are two solutions to this if you’re running Windows Server 2003 on your domain controllers:
- Pre-create the machine’s computer account in an OU that already has a GPO linked to it. You can do this using the dsadd computer ComputerDN command, which can be scripted if you have a lot of computers to join to your domain.
- Use the redircomp.exe command to change the default storage location for new computer accounts from the Computers container to an OU that you specify. There’s also a similar command called redirusr.exe that can do the same for new user accounts you create, that is, create them in a specified OU instead of in the default Users container (which like the Computers container is similarly not an OU can so can’t have policy linked to it).
No comments:
Post a Comment