Chapter 8. Computer Objects
As far as Active Directory is concerned, computers are very similar
to users. In fact,
inherit directly from the
class, which is used to represent user accounts. This means that
computer objects possess all of the attributes
user objects and then some.
Computers need to be represented in Active Directory for many of the same
reasons users do, including the need to access resources securely, utilize
GPOs, and have permissions assigned to them.
To participate in a domain, computers need a secure
channel to a domain controller. A secure channel is an
authenticated connection that can transmit encrypted data. To set up the
secure channel, a computer must present a password to a domain controller.
Similar to the way in which it authenticates a user account, Active
Directory will use Kerberos authentication to verify the identity of a
computer account. Without the
object and, by association, the password stored with it that the operating
system changes behind the scenes on a regular basis, there would be no way
for the domain controller to verify a computer is what it claims to
The Anatomy of a Computer
The default location for
computer objects in a domain is the
cn=Computers container located directly off
the domain root. You can, however, create
computer objects anywhere in a domain. You can
also modify the default location for
computer objects as described in Modifying the Attributes of a computer Object ...
Get Active Directory Cookbook, 4th Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.