RE: [ActiveDir] Computer Accounts and request for comments on provisioning.

[Joe]

1. I have been really lax on this what with other crap I have been dealing with. However I am about to implement cleanup which will upset people and will remove anything older than 90 days. After 60 days the machines (W2K+) have to be rejoined anyway.   2. No. The network folks are actually locking most people out of direct network access. Most people without a business reason that is really good will get External OWA and that is about it. Anyone who will have dialup or VPN access to the network will need to do it from a company owned laptop.   3. Not sure I understand this one. Server accounts can only be created by the people on the team I am on... 3 people. Workstations can be created by any one of thousands of workstation admins. However they follow our standards or we make their computer accounts unuseable by throwing them into jail.     joe     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Tuesday, January 06, 2004 9:02 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Computer Accounts and request for comments on provisioning. Hey everyone… Happy New Year…   I am doing some research to help establish some new standards for provisioning Workstations in our AD domains.  In the past, any Windows NT workstation that was going to need to access domain resources was added to the domain.  This means machines that were on the corporate network, and home machines.  The problem we are having is that home machines are not being maintained as well as the corporate machines, and the home machines don’t connect into the corporate network very frequently.  We are in the process of consolidating several resource domains as well, and we are trying to decide which accounts to move, and which ones not to move.  When we move computer accounts the process requires that the local user profiles get re ACLed, as well as the local file systems.    So the questions I have that I am looking for feed back on are as follows.   1.        On average how long do you allow computer accounts to stay deactivate in your domain, and what issues do you run into when machines are disconnected longer than say the 60 days.  (I think I remember reading somewhere that secure channel passwords get reset every 30 days on machine accounts).  If the passwords are out of sync when the machine try to join the domain again, will they auto renegotiate a new secure channel password even though the password is out of sync or does it always require resetting the secure channel?   2.        Do you allow machines that are primarily home machines connect in as domain resources, or do you use other means to provide remote access to domain resources?  If so what alternative means do you provide remote access to resources?   3.        Finally, do you require machines to go through a provisioning process when the computer account is created and removed from the domain?  If so, how do you manage the process.  In today’s domains, I would think it would be desirable with the need to have certificates issued for EFS, etc.   Thanks in Advance for any feedback you all offer.   Todd