DWalker (Guest)
Posted: Tue Nov 08, 2005 5:50 pm
Post subject: Computer account in domain?

In a Windows 2000 server AD domain, when does a user need a "computer" set
up in AD Users and Computers? Most of our (10) users don't have a computer
account; they all have a "user" account, and they all can get to the
shared folders that are set up with ALL permissions for "authenticated
users".
The reason I ask is because two of our users are getting 5513 messages from
netlogon, and the other 8 users are not, and there are no computer
accounts, and this doesn't make sense to me.
Some of the information I have read about trust issues talks about the
"computer account", so I am wondering if "computer account" means the
"computers" that are listed in Active Directory Users and Computers. And I
wonder why a computer account is not always necessary for a user to use the
resources (shared folders and printers) in the domain.
Thanks for any information.
David Walker
JPolicelli (Guest)
Posted: Tue Nov 08, 2005 9:50 pm
Post subject: RE: Computer account in domain?

A computer account is only required if a user is logging onto that computer
with an AD account.
"DWalker" wrote:
> In a Windows 2000 server AD domain, when does a user need a "computer" set
> up in AD Users and Computers? Most of our (10) users don't have a computer
> account; they all have a "user" account, and they all can get to the
> shared folders that are set up with ALL permissions for "authenticated
> users".
> The reason I ask is because two of our users are getting 5513 messages from
> netlogon, and the other 8 users are not, and there are no computer
> accounts, and this doesn't make sense to me.
> Some of the information I have read about trust issues talks about the
> "computer account", so I am wondering if "computer account" means the
> "computers" that are listed in Active Directory Users and Computers. And I
> wonder why a computer account is not always necessary for a user to use the
> resources (shared folders and printers) in the domain.
> Thanks for any information.
> David Walker
DWalker (Guest)
Posted: Tue Nov 08, 2005 9:50 pm
Post subject: Re: Computer account in domain?

"Paul Williams [MVP]" <ptw2001@hotmail.com> wrote in
news:1131476097.454834@ernani.logica.co.uk:
> Domain members have computer accounts. So, if your domain users logon
> to PCs that are members of the domain those PCs have computer accounts
> (their account name is their name with a dollar ($) appended on the
> end).

There is only one domain controller. Our users -- most of them -- "log
in" to their local computer but they use shared disks that are on the AD
server. There are no computers listed in AD Users and Computers under
the Computers tree. You're saying that they have a computer account
anyway on the AD server, which is their user name followed by $ even
though it's not listed in AD Users and Computers? I'm confused.
> Computers can also access resources, as is the case when a
> computer applies a GPO - it needs permissions to SYSVOL (which it has
> through authenticated users).

There are no non-default GPOs set up here, but I know that the default
GPOs are applied anyway.
> What problem are you seeing? What is the error description?

For two of the 10 users, I'm getting the 5513 event from NETLOGON,
logged at the server. Looking at eventid.net doesn't help.
The event message tells me to "Reestablish the trust relationship".
After searching Google, I tried to use NLTEST /SERVER:<DCComputername>
/SC_RESET:<domainname> from the client computer, and I get:
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
Running NLTEST /SC_Query:<domainname> from the client gives
ERROR_NO_LOGON_SERVERS.
Everything seems to be working OK everywhere in our network, except for
those 5513 messages in the server's event log for those two users out of
10.
The users that get the 5513 can access the server's shared folders as
authenticated users, so I wonder why "no_logon_servers" shows up.
Thanks for any info you can give me on this.
David
Paul Williams [MVP] (Guest)
Posted: Tue Nov 08, 2005 9:51 pm
Post subject: Re: Computer account in domain?

Domain members have computer accounts. So, if your domain users logon to
PCs that are members of the domain those PCs have computer accounts (their
account name is their name with a dollar ($) appended on the end).
Computers can also access resources, as is the case when a computer applies
a GPO - it needs permissions to SYSVOL (which it has through authenticated
users).
What problem are you seeing? What is the error description?
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP] (Guest)
Posted: Wed Nov 09, 2005 1:50 am
Post subject: Re: Computer account in domain?

OK. Are the computers members of the domain or not? You can check this in
several ways. Firstly check the computer - go to rename and see if it's in a
workgroup or a domain. Secondly search the domain for computer objects.
The default location for computer objects is CN=Computers. They don't have
to reside there now though. They can reside anywhere in the domain
hierarchy of containers.
The GPO was an example of why a computer account is necessary.
The Secure Channel error means that the password between the computer and
the domain controller is out of sync. This means the computer is a member
of the domain, but is no longer able to 'talk' to the DC(s). Seeing as
you've an access denied, and we're only talking about two computers, the
easiest thing to do is make the computers in question members of a
workgroup. Search for and delete the computer objects and then rejoin the
domain. If you cannot find corresponding computer objects, that will
probably also explain what is going on ;-)
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
DWalker (Guest)
Posted: Wed Nov 09, 2005 5:50 pm
Post subject: Re: Computer account in domain?

"Paul Williams [MVP]" <ptw2001@hotmail.com> wrote in
news:#BdfcZL5FHA.2560@TK2MSFTNGP12.phx.gbl:
> OK. Are the computers members of the domain or not? You can check
> this in several ways. Firstly check the computer - go to rename and
> see if it's in a workgroup or a domain. Secondly search the domain for
> computer objects. The default location for computer objects is
> CN=Computers. They don't have to reside there now though. They can
> reside anywhere in the domain hierarchy of containers.
> The GPO was an example of why a computer account is necessary.
> The Secure Channel error means that the password between the computer
> and the domain controller is out of sync. This means the computer is
> a member of the domain, but is no longer able to 'talk' to the DC(s).
> Seeing as you've an access denied, and we're only talking about two
> computers, the easiest thing to do is make the computers in question
> members of a workgroup. Search for and delete the computer objects
> and then rejoin the domain. If you cannot find corresponding computer
> objects, that will probably also explain what is going on ;-)

If the users are no longer able to "talk" to the DCs, why are they able
to use the shared folders that reside on the DC computer?
When you say "they can reside anywhere in the domain hierarchy of
containers" does that include the "Users" tree? They appear there, but
not in the "Computers" tree.
I'm also unsure why, since none of the other 10 users in the domain have
"computer objects" (if that means an entry under the Computers tree in
A.D. Users and Computers), only these two users are getting this
message. That's what confuses me. Can you help explain that?
But I will check those things. Maybe the two users with the problem are
the only two users who are trying to log in to the domain. I know it
also makes a difference when you sign on whether you say that you want
to sign on to the domain or on to the local computer, even if you're
going to use shared folders that reside on the domain controller anyway.
Thanks.
David Walker
Paul Williams [MVP] (Guest)
Posted: Thu Nov 10, 2005 1:51 am
Post subject: Re: Computer account in domain?

Shared folders have nothing to do with the computer account really. The
only thing is that without the computer that the user is logged onto being a
domain member, the authentication will work differently.
Let me try and clarify a few things.
You create users in the domain or on a local PC. You add (join) computers
to the domain, or leave as stand alone. If, at the Winlogon screen, you
have a drop down box that allows you to choose either the local computer or
the domain, that computer is a member of the domain. It has been joined to
the domain.
If you logon with a domain account you are authenticated by a DC, and are
then authorised on a per server/ resource basis to access things like shared
folders, etc. This is the benefit of a domain, one user account. Single
sign on if you like.
If you logon to the computer with a local account, you must have an account
created on the computer. This account only exists on this computer. It
cannot allow access to other resources on other systems (you have to create
an account with the same name and password for this).
The computer accounts don't do much from the user's perspective. But they
have to exist for all of this to work. By default they are placed in the
Computers container. However they can be moved anywhere in the domain.
They could well be in the Users container, or an OU, or just as a child of
the domain object itself (same level as Users container). They are
represented by a computer icon, and have the same name as the hostname of
the PC in question.
> But I will check those things. Maybe the two users with the problem are
> the only two users who are trying to log in to the domain. I know it also
> makes a difference when you sign on whether you say that you want to sign
> on to the domain or on to the local computer, even if you're going to use
> shared folders that reside on the domain controller anyway.

It sounds like these are domain members. Regardless as to whether you have
local accounts and domain accounts, or just domain accounts. Either way,
you need to check the secure channel. If in doubt, you should disjoin from
the domain, delete the computer accounts and rejoin the domain. To do this
you make the computer a member of a workgroup and then back to the domain
again. This information is accessible by right-clicking on My Computer,
choosing properties, and computer name.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
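The checks Paul Williams describes in his last two replies (is the PC a domain member, does a matching computer object exist anywhere in the domain hierarchy, is the secure channel intact, and if not, reset or rejoin) can be scripted on a modern Windows client. The script below is an added example and is not from the thread or from either poster; it assumes Windows PowerShell with the ActiveDirectory RSAT module installed on the client, which the Windows 2000 era machines in the thread did not have, and the domain name in it is a placeholder. It only resets the machine account password when explicitly asked to, and falls back to the disjoin/delete/rejoin procedure from the thread when that reset fails.

```powershell
# Added example, not the thread's own procedure: check domain membership,
# locate the computer object, test the secure channel, and optionally repair it.
# Requires the ActiveDirectory module (RSAT) and an account with rights to read AD.
param(
    [switch]$Repair   # only reset the machine account password if this is set
)

# 1. Domain member or workgroup? Equivalent to the Computer Name tab in System Properties.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output "$($cs.Name) is in workgroup '$($cs.Workgroup)': no computer account or secure channel applies."
    return
}
Write-Output "$($cs.Name) is joined to domain '$($cs.Domain)'."

# 2. Search the whole domain, not just CN=Computers, because the object can live
#    in any container or OU. The sAMAccountName is the hostname with '$' appended.
Import-Module ActiveDirectory
$sam = "$($cs.Name)$"
$obj = Get-ADComputer -Filter "sAMAccountName -eq '$sam'" `
                      -Properties pwdLastSet -ErrorAction SilentlyContinue
if (-not $obj) {
    Write-Output "No computer object '$sam' exists in AD although the PC believes it is joined."
    Write-Output "Move the PC to a workgroup and rejoin the domain to recreate the account."
    return
}
Write-Output "Computer object found at: $($obj.DistinguishedName)"
Write-Output "Machine password last set: $([DateTime]::FromFileTime($obj.pwdLastSet))"

# 3. Test the secure channel to a DC. A failure here is the same condition the thread's
#    NLTEST /SC_QUERY output and the "reestablish the trust relationship" event describe.
if (Test-ComputerSecureChannel) {
    Write-Output 'Secure channel to the domain controller is healthy.'
    return
}
Write-Output 'Secure channel is broken: the machine password is out of sync with the DC.'

if ($Repair) {
    # Resets the machine account password in place; the credential must be allowed to
    # reset this computer object, otherwise you get the same access denied as NLTEST.
    $cred = Get-Credential -Message "Account permitted to reset the password of $sam"
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Output 'Secure channel repaired without leaving the domain.'
    } else {
        Write-Output 'Repair failed: disjoin to a workgroup, delete the computer object, and rejoin.'
    }
} else {
    Write-Output 'Re-run with -Repair to reset the secure channel, or disjoin/delete/rejoin as described.'
}
```

Run it from an elevated prompt on the affected PC, first without -Repair to see which of the three checks fails. The reason the user can still reach shares on the DC while the secure channel is broken, as asked in the thread, is that the share access is authenticated with the user's credentials, whereas Test-ComputerSecureChannel exercises the computer account's own password; the two can fail independently, which is why the script reports them separately.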