what is reset account?
in [Active Directory]
|
Prev: repadmin issues
Next: LDAP win2003/SSL
From: Sasi on 5 Jul 2006 12:16 what does that "reset account" action on computer objects do? somebody told me something about computer objects passwords and how they change periodically and so on,but I could not find anything explaining that in details.does a computer has a stored password in AD?does it changes periodically?does it have to do anything with "reset account"?
From: Joe Richards [MVP] on 5 Jul 2006 12:23 Yes computers have passwords, yes they change periodically (every 30 days by default for anything later than Windows 2000, every 7 days for NT). The reset account resets the password to the default password if you need to rejoin a machine to the domain (usually an NT4 machine). joe -- Joe Richards Microsoft MVP Windows Server Directory Services Author of O'Reilly Active Directory Third Edition www.joeware.net ---O'Reilly Active Directory Third Edition now available--- http://www.joeware.net/win/ad3e.htm Sasi wrote: > what does that "reset account" action on computer objects do? > somebody told me something about computer objects passwords and how they > change periodically and so on,but I could not find anything explaining that > in details.does a computer has a stored password in AD?does it changes > periodically?does it have to do anything with "reset account"?
From: Herb Martin on 5 Jul 2006 13:43 Joe Richards [MVP] wrote: > Yes computers have passwords, yes they change periodically (every 30 > days by default for anything later than Windows 2000, every 7 days for > NT). The reset account resets the password to the default password if > you need to rejoin a machine to the domain (usually an NT4 machine). Allow me to clarify that it allows you to reset the computer account (and password) WITHOUT "rejoining" it to the domain. Reset avoids recreating and rejoining a computer account to the domain. While this was possible (but little known*) in NT 4, it was not as critical since NT4 computer accounts are not "1st class objects" -- they cannot be added to Groups, nor given permissions and rights. Win2000+ computer accounts are true security principals and re-creating the account is more serious since it would create a new SID and thus invalidate existing group memberships and any privileges given directly to the computer. *NLTest could reset a computer account but this tool was only in the resource kit, and most people just removed and rejoined NT computers to the domain to effectively reset the account. Technically this was a new account but it wasn't (and isn't) that important for pre-Win2000 computers.
From: Joe Richards [MVP] on 5 Jul 2006 21:26 Well it avoids the rejoin ASSUMING that the user who is doing the reset can force the client to do a password change. If the client isn't talking or the person involved has insufficient access at the client or the client is offline (which I guess is the same as not talking) the reset will only update the following attributes in AD (a password change) dBCSPwd unicodePwd ntPwdHistory pwdLastSet supplementalCredentials lmPwdHistory and it will be up to some other process to sync the workstation with the account once the workstation can talk again (or the proper credentials are involved that will work with the current state of the client machine). As Herb indicated, it was never necessary to delete and recreate. It wasn't critically important and usually still isn't if someone does though. While folks can add computers to groups, the relative insecurity of that still makes it something that isn't generally advised. It is actually possible in an NT4 environment to add computer accounts to groups and ACLs, but I believe the native tools would choke if they tried but could display that just fine. Its use was limited though as Herb mentioned, kerberos didn't exist as a domain auth mechanism to allow the security relationship to be built up for standard Windows security functions across the network; though other third party products could use the membership. There was some product I had to help someone at a large financial company integrate back in around 96 or 97 or so and part of the requirement actually ended up being that we had to add the computer account to a group so I figured out how to do it. joe -- Joe Richards Microsoft MVP Windows Server Directory Services Author of O'Reilly Active Directory Third Edition www.joeware.net ---O'Reilly Active Directory Third Edition now available--- http://www.joeware.net/win/ad3e.htm Herb Martin wrote: > Joe Richards [MVP] wrote: >> Yes computers have passwords, yes they change periodically (every 30 >> days by default for anything later than Windows 2000, every 7 days for >> NT). The reset account resets the password to the default password if >> you need to rejoin a machine to the domain (usually an NT4 machine). > > > Allow me to clarify that it allows you to reset the computer > account (and password) WITHOUT "rejoining" it to the domain. > > Reset avoids recreating and rejoining a computer account to > the domain. > > While this was possible (but little known*) in NT 4, it was > not as critical since NT4 computer accounts are not "1st > class objects" -- they cannot be added to Groups, nor given > permissions and rights. > > Win2000+ computer accounts are true security principals and > re-creating the account is more serious since it would create > a new SID and thus invalidate existing group memberships and > any privileges given directly to the computer. > > > *NLTest could reset a computer account but this tool was only > in the resource kit, and most people just removed and rejoined > NT computers to the domain to effectively reset the account. > Technically this was a new account but it wasn't (and isn't) > that important for pre-Win2000 computers.
From: Herb Martin on 5 Jul 2006 23:32
Joe Richards [MVP] wrote: > Well it avoids the rejoin ASSUMING that the user who is doing the reset > can force the client to do a password change. If the client isn't > talking or the person involved has insufficient access at the client or > the client is offline (which I guess is the same as not talking) the > reset will only update the following attributes in AD (a password change) > > dBCSPwd > unicodePwd > ntPwdHistory > pwdLastSet > supplementalCredentials > lmPwdHistory > > and it will be up to some other process to sync the workstation with the > account once the workstation can talk again (or the proper credentials > are involved that will work with the current state of the client machine). As usual, Joe, you teach me a quite a bit. Thanks (again and again). [Also, I BELIEVE that I have seen one case where resetting the computer account, along with repairing all other DNS problems etc, STILL required a Win2000+ computer to be unjoined and rejoined to the domain even though we TRIED our best to avoid that method.] > As Herb indicated, it was never necessary to delete and recreate. It > wasn't critically important and usually still isn't if someone does > though. While folks can add computers to groups, the relative insecurity > of that still makes it something that isn't generally advised. I would appreciate hearing more about this insecurity because there are certainly cases where adding computers to groups is the only practical choice, e.g., Assigning software to computers where the shares and NTFS files are restricted so that only certain subsets (i.e., Groups) of computers can download that software GP filtering when no better way is available to restrict a GPO to a particular subset (group) of computers. > It is actually possible in an NT4 environment to add computer accounts > to groups and ACLs, but I believe the native tools would choke if they > tried but could display that just fine. Its use was limited though as > Herb mentioned, kerberos didn't exist as a domain auth mechanism to > allow the security relationship to be built up for standard Windows > security functions across the network; though other third party products > could use the membership. There was some product I had to help someone > at a large financial company integrate back in around 96 or 97 or so and > part of the requirement actually ended up being that we had to add the > computer account to a group so I figured out how to do it. > > joe I suspected as much, but had never seen or heard of a way to do it. |