Information Technology Reference
In-Depth Information
Users group to the DACL because the local Users group has the Domain Users group as a
member by default. Click Cancel.
14. Click the Locations button. Click the name of your computer, and then click OK to have
Windows look in the local SAM database for objects. Click Check Names. Windows adds
computername\ in front of the Users name you entered in Step 13. Click OK three times.
15. Click Start, point to Administrative Tools, and click Computer Management. Double-click
Local Users and Groups, and then click Groups. (If Administrative Tools isn't on your Start
menu, add it as follows: Right-click Start and click Properties. Click the Customize button.
Scroll down the list box to System Administrative Tools, click Display on the All Programs
menu and the Start menu, and then click OK twice.)
16. Click the Users group, and open its Properties dialog box to view its membership. Notice
that Domain Users is one of the members. When a computer joins a domain, the local Users
group gains the Domain Users group as a member, and the local Administrators group gains
the Domain Admins group as a member. Click Cancel.
17. Close all open windows, and log off the Vista computer.
Working with Computer Accounts
Computer accounts are created in Active Directory when a workstation becomes a member of
the domain. Like a user account, a computer account is a security principal with an SID and a
password and must authenticate to the domain. Unlike a user account, an administrator can't
manage a computer account's password, which each computer changes automatically every 30 days.
Only computers running Windows NT or later can have a computer account in the domain;
Windows 9x computers can't have an account.
Don't confuse having a computer account with a user's ability to access domain resources.
A user can log on to a workgroup computer with any Windows version installed and still access
domain resources. For example, if users log on to a Windows Vista computer that isn't a domain
member, they can access domain resources in the usual way, by using the UNC path. However,
they must log on to each domain resource they want to access in the format domain\username.
Just the same, having users log on to computers that are domain members has these advantages:
Single sign-on—Users who log on from domain member computers have access to any permitted resources throughout the forest without needing to authenticate again.
Active Directory search—Users of domain member computers can search Active Directory for objects and resources throughout the forest.
Group policies—Administrators can manage aspects of member computers by using group policies, including security settings and use restrictions.
Remote management—Administrators can right-click a computer object and choose Manage to run the Computer Management MMC for member computers.
Creating Computer Accounts
Generally, computer accounts are created when a computer joins the domain. In Activity 5-5, you
joined a Vista computer to the domain. When a computer account is created in this way, the
account is placed in the Computers folder by default. This behavior also applies to member servers.
To gain the full benefit of computer accounts, move them to an OU you have created because the
Computers folder can't have a group policy linked to it. Furthermore, because you usually require
different policies for servers and user workstations, you can move computer accounts for servers
and workstations to separate OUs and link different group policies to these OUs.
You can use the Redircmp command-line program to specify a different
default location for computer accounts created when a computer joins
the domain.
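The following is an added example, not part of the original text: it audits the default Computers folder and stages moves of its accounts into separate server and workstation OUs, using the ActiveDirectory PowerShell module. The OU names "Member Servers" and "Workstations" and the DN in the Redircmp comment are assumptions; the OUs must already exist.

```powershell
# Added example: audit the default Computers folder and stage moves into OUs.
# Assumptions: the ActiveDirectory module is available; the two OUs below are
# hypothetical names and must already exist in your domain.
Import-Module ActiveDirectory

$domainDn      = (Get-ADDomain).DistinguishedName
$computersCn   = "CN=Computers,$domainDn"         # default location after a domain join
$serverOu      = "OU=Member Servers,$domainDn"    # hypothetical OU
$workstationOu = "OU=Workstations,$domainDn"      # hypothetical OU

# OneLevel: only accounts sitting directly in the Computers folder.
$accounts = Get-ADComputer -Filter * -SearchBase $computersCn -SearchScope OneLevel `
    -Properties OperatingSystem, PasswordLastSet

foreach ($pc in $accounts) {
    if (-not $pc.OperatingSystem) {
        # Account with no recorded operating system: report it, do not guess an OU.
        Write-Warning "$($pc.Name): no OperatingSystem recorded, left in place"
        continue
    }

    # Servers and workstations usually need different policies, so split them.
    $target = if ($pc.OperatingSystem -like '*Server*') { $serverOu } else { $workstationOu }

    # Emit one report row per account, including when its password last changed.
    [pscustomobject]@{
        Name            = $pc.Name
        OperatingSystem = $pc.OperatingSystem
        PasswordLastSet = $pc.PasswordLastSet
        TargetOU        = $target
    }

    # -WhatIf shows the move without performing it.
    Move-ADObject -Identity $pc.DistinguishedName -TargetPath $target -WhatIf
}

# To change where future domain joins place new accounts (placeholder DN):
#   redircmp "OU=Workstations,DC=example,DC=com"
```

Remove -WhatIf once the reported targets look right.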
 