Computer account basics
Computers have accounts too
Every member computer in an AD DS domain maintains a computer account with a user name (sAMAccountName) and password, just like a user account does. The computer stores its password in the form of a local security authority (LSA) secret, and changes its password in the domain approximately every 30 days. Each domain‑joined computer has an account in AD DS. Computer accounts are used in the same ways that user accounts are used for users. Each computer has a security identifier (SID) and attributes. Also, when you create a domain, a Computers container is created.
NOTE
By now you know that a container is different from an OU. You cannot create an OU within a container, so you cannot subdivide the Computers container. You also cannot link a GPO to a container. So you cannot create security policies for the Computers container. For these reasons, as a best practice, we recommend that instead of using the Computers container, you create custom OUs to host your computer accounts.
How to organize your computer accounts
Organize your computer objects
Most organizations create at least two OUs for computer objects—one for servers (other than domain controllers), and one for clients. You may want to further divide your server and client OUs into additional OUs. This will allow you to delegate administration and link GPOs at a more granular level.
Organize your servers
For example, under a Server OU you might create an OU for File and Print Servers, an OU for Database Servers, or any number of OUs that categorize the server types in your organization. This allows you delegate management of database servers to the database team or link a GPO for email servers to an OU that only contains email servers.
Organize your clients
For clients, it is common to create Desktop and Laptop OUs. You may go a step further and create OUs for geographical areas. This approach enables each site’s support team to be delegated the rights to create and manage computer objects in the site for client computers, and to join computers to the domain by using those computer objects. You could also start with geographical locations and then subdivide into client types.
NOTE
You can use the redircmp command‑line tool to change the default location for computers. For example, if you want to change the default location for computers to an OU named MyComputers, run the following command.
redircmp "OU=MyComputers,DC=adatum,DC=com"
Computer naming best practices
It is important to have a strategy for naming your computer accounts
This will make it easier to manage your accounts. Here are some best practices.
Implement a computer naming convention
Implement a naming convention that helps you identify the role and location of a computer. For example,
- Include an abbreviation for the computer’s role, such as SVR (servers), CL (clients), FS (file server), PS (print server), and DTP (desktop).
- Include an abbreviation for the computer’s location, such as LON (London) and MEL (Melbourne).
- Decide on a delimiter, such as hyphen or underscore.
Use a descriptive name
Use a descriptive computer name that has meaning in your organization. Avoid generic names like Client1 and DC1.
Fill out the Description property
Populate the Description property on your computer accounts. Use the property to provide additional security, site, and administrative information.
Avoid using information that can change
Avoid including information that can change, such as a user name or department position.
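The OU and naming guidance above can be audited rather than just documented. The following PowerShell script is an added example, not part of the original post: it assumes the ActiveDirectory module, a convention of ROLE-SITE-NN using the role and location abbreviations from the text (for example FS-LON-01), and a constructed 90-day staleness threshold (three of the roughly 30-day machine password rotations).

```powershell
# Added audit script (not from the original page). Assumes the ActiveDirectory
# module and a naming convention of <ROLE>-<SITE>-<NN>, e.g. FS-LON-01.
Import-Module ActiveDirectory

# Role and location abbreviations taken from the naming guidance in the text;
# hyphen chosen as the delimiter.
$NamePattern = '^(SVR|CL|FS|PS|DTP)-(LON|MEL)-\d{2,3}$'

# Computers left in the default Computers container cannot receive OU-linked
# GPOs, so they are reported for relocation into a custom OU.
$DefaultContainer = (Get-ADDomain).ComputersContainer

# Assumed threshold: a machine password that has not rotated in 90 days
# (about three 30-day rotation periods) suggests a stale or orphaned account.
$StaleBefore = (Get-Date).AddDays(-90)

$Findings = foreach ($c in Get-ADComputer -Filter * -Properties Description, PasswordLastSet) {
    $issues = @()
    if ($c.Name -notmatch $NamePattern) {
        $issues += 'name does not follow the ROLE-SITE-NN convention'
    }
    if ([string]::IsNullOrWhiteSpace($c.Description)) {
        $issues += 'Description property is empty'
    }
    if ($c.DistinguishedName -like "*,$DefaultContainer") {
        $issues += 'still located in the default Computers container'
    }
    if ($c.PasswordLastSet -and $c.PasswordLastSet -lt $StaleBefore) {
        $issues += 'machine password older than 90 days (possible stale account)'
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Name   = $c.Name
            DN     = $c.DistinguishedName
            Issues = ($issues -join '; ')
        }
    }
}

$Findings | Sort-Object Name | Format-Table -AutoSize
```

Run it from an account with read access to the domain; each reported row lists every convention or placement problem found for that computer account.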