What are Machine Accounts for?

[thatguy]

Hey there folks--

I've recently taken to learning Win2k server.. I'm reading through Mastering Win2k Server (terrific book!), Teach Yourself Win2k Server in 21 days (not great), and a bunch of articles in MS's support site, but I can't find any real info on why machine accounts exist. What's the purpose?

From what I can gather, when a user logs into a domain, if the machine object doesn't already exist, it's created in the AD. If that's true, then will all workstations have a record, or just Win2k and later machines (not Win95/98/etc)? Is its purpose so you can move the object into an OU and assign a group policy to it? Is it just for inventory tracking? Or another thought is for use in trust relationships between domains, but.. ??

Any insight would be greatly appreciated.

Thanks
-- michael~

 

[SJZero]

I'm not familiar with Active Directory, but I think I know the answer to your question from my days as an NT4 admin. The machine accounts are there to ensure unauthorized machines don't gain access to the network, or at least that's what they were for in NT4 domains. Back then, in order to be part of a domain, you needed to give a network administrator password so it could authenticate itself with the PDC, which helped make sure insecure outside systems couldn't join the domain. Perhaps it does the same thing in AD?

 

[dietergw]

A few things.

When joining a machine to a domain a computer account is created in AD for the machine. Without this account being created the machine will not be able to access the network. It also serves as a means of auditing activity on the network. Out of the pre windows 2000 OS's only NT 4 computers get accounts created in active directory. Win95/98 can log onto W2K domain using a special AD client. Computer accounts sit in their own container within AD but you can move them into your own OUs that you may have created. GPOs can then be applied to the containers.

"Extreme situations demand extreme responses."

 

[thatguy]

Thanks for the replies.

dietergw -- Is the Win95/98 client just the normal Client for Microsoft Networks in Net Props or is there some other "special AD client?" And what security do machine accounts really provide? If the account is created whenever a user logs in (on a machine without an account), then any computer could log in and an account would be created for their machine, right? Or is the subnet involved -- a machine account is created only for machines on the subnets (sites) in the domain?

If you could offer more info, I'd appreciate it, otherwise, is there a detailed explanation of the machine account somewhere? A good book that I don't have yet or one of MS's tech articles I haven't been able to find?

Thanks
-- michael~

 

[dralip]

The security aspect of machine accounts is -
When connecting the workstation (XP/W2K) to the domain you're prompted for a username and password, only users authorised to join a computer to the domain can do this. There's then some sort of trust relationship between the workstation and the server using SIDs I think (not sure). If the trust is broken (eg reconfigure the domain) you have to rejoin the domain. If you look at your security audits you'll see lots of machine account Kerberos ticket authentication. You can control who can add a workstation to a domain in Domain Controller Security Policy.

 

[wbg34]

The creation of Machine accounts also gives you the ability to create and administer policies particular to that Machine. Because they are AD objects you can assign them to groups and OU's and apply policies to those objects. This can be very handy for times when you need to set restrictions & permissions because of a location rather then the user (i.e. School Labs).