Thanks Guido...
 
I will incorporate the information you provided in your message in my recommendation for a standard. 
 
About Quote 3, I meant to say VPN and Wireless Access for clients.... but it was getting late. 
 
Thanks.
 
Todd
-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Accounts and request for comments on provisioning.

Hello Todd - a couple of thoughts:
 
0. when you move computer accounts from one domain to another, the local file system or the local user profile do NOT need to be re-ACLed (providing, that the account domain doesn't change) => as the user can continue to use the same user-id he will keep his/her SID (and GUID in AD domains) which determines the local profile to use - permissions will also remain the same (except that a different Domain Admin account is added to the local admin group on the client)
 
1. AD by default stores a history for the computer account PW (so it knows the current + the previous PW), so that a 2K/XP workstation can re-join the domain within the 2x30 days period (NT boxes switch secure channel PW every 7 days...) - if you go over this time, you'll have to re-join the domain. However, your remote users can still logon to their clients with their cached credentials (which they likely do all the time anyways), even if the secure channel is broken.
 
2. if machines are really offline for an extensive period of time, there is not really a reason to put them into the domain, as you can provide remote access to resources by authenticating them via their DialUp/VPN connections.  I would even define these as "unmanaged" clients that are not joined to the domain (use a local account for logon) - they can still have a "single logon experience" by leveraging the Credential Manager Capabilities of XP when accessing domain resources over a VPN connection (incl. Outlook). Of course the user will have to enter his Domain Credentials when he accesses a specific resource for the first time - but this is then cached on XP (even works well to change the Domain PW via the Credential Manager)
 
3. you would not require computer account provisioning for the "unmanaged" clients as described above - I believe EFS would still work (as by default the EFS certificate is generated by the resource-owning server using the User-Credentials presented to the server).
 
/Guido
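
An added example, not code from either message, that turns Guido's point 1 into a check an AD administrator can run: it lists enabled computer accounts whose machine password is older than the two-password window (current + previous password, rotated every 30 days on 2K/XP), i.e. the machines that would need a re-join or secure channel reset next time they reach the domain. The 30-day interval and two-password history come from the thread; the RSAT ActiveDirectory module, the cmdlet usage and the function name are assumptions.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module and
# read access to computer objects in the domain. NT4 boxes rotated every 7 days
# (per Guido); this check models only the 2K/XP 30-day default.
Import-Module ActiveDirectory

function Get-StaleComputerAccount {
    param(
        [int] $RotationDays = 30,   # default machine password change interval (2K/XP)
        [int] $HistoryDepth = 2     # AD keeps the current and the previous machine password
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-($RotationDays * $HistoryDepth))   # 60 days with the defaults

    Get-ADComputer -Filter 'Enabled -eq $true' `
                   -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Where-Object {
        # A password that was never set (null) is reported as stale as well
        (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
    } |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
        @{ Name       = 'DaysSincePwdChange'
           Expression = { if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null } } }
}

# Accounts past the window: owners can be contacted before the machine fails to
# authenticate; users can still log on locally with cached credentials meanwhile.
Get-StaleComputerAccount | Sort-Object DaysSincePwdChange -Descending | Format-Table -AutoSize

# On an affected client itself (run as a local administrator), this verifies whether the
# secure channel is broken and repairs it without a full leave/re-join:
#   Test-ComputerSecureChannel -Verbose
#   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```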


From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 7, 2004 03:02
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Computer Accounts and request for comments on provisioning.

Hey everyone... Happy New Year...

I am doing some research to help establish some new standards for provisioning Workstations in our AD domains.  In the past, any Windows NT workstation that was going to need to access domain resources was added to the domain.  This means machines that were on the corporate network, and home machines.  The problem we are having is that home machines are not being maintained as well as the corporate machines, and the home machines don't connect into the corporate network very frequently.  We are in the process of consolidating several resource domains as well, and we are trying to decide which accounts to move, and which ones not to move.  When we move computer accounts the process requires that the local user profiles get re-ACLed, as well as the local file systems. 

So the questions I have that I am looking for feedback on are as follows.

1. On average, how long do you allow computer accounts to stay deactivated in your domain, and what issues do you run into when machines are disconnected longer than, say, the 60 days?  (I think I remember reading somewhere that secure channel passwords get reset every 30 days on machine accounts.)  If the passwords are out of sync when the machine tries to join the domain again, will they auto-renegotiate a new secure channel password even though the password is out of sync, or does it always require resetting the secure channel?

2. Do you allow machines that are primarily home machines to connect in as domain resources, or do you use other means to provide remote access to domain resources?  If so, what alternative means do you provide for remote access to resources?

3. Finally, do you require machines to go through a provisioning process when the computer account is created and removed from the domain?  If so, how do you manage the process?  In today's domains, I would think it would be desirable with the need to have certificates issued for EFS, etc.

Thanks in Advance for any feedback you all offer.

Todd 
