Preparing computer accounts before joining

If joining the domain is restricted to privileged users, or if you know that you will need to specify computer-level overrides, you can prepare computer accounts in advance for the Linux and UNIX computers you want to add to the domain.

There are several advantages to preparing computer accounts before joining the domain. For example, preparing a computer account enables you to accomplish the following:

  • Specify the user, group, or computer account with permission to join the computer to the domain.

  • Define the organizational structure you want to use for computers in Active Directory.

  • Delegate administrative tasks for managing the computer account.

  • Specify the user or group with permission to manage computer-level overrides for the computer.

By preparing the computer account in advance, you can minimize the changes or configuration steps you might otherwise have to perform after joining the domain. For example, by identifying the account to use when a computer joins the domain you can ensure users can add their own workstations without being assigned any special rights. By selecting the appropriate organizational unit for the computer account ahead of time, you minimize the need to move the computer account after joining the domain.

To prepare a computer account using Access Manager:

  1. Open Access Manager.

  2. Expand Zones and any parent or child zones required to select the zone name to which you want to add the computer account.

  3. Right-click, then click Prepare UNIX Computer.

  4. Select the type of preparation you want to perform, then click Next.

    In most cases, you should select both options to ensure the appropriate user or group has the permissions required to join the domain and set computer-level overrides.

  5. Choose whether to create a new computer object or select an existing computer object, then click Next.

    If the computer account exists, but you want to add a zone profile and delegate permission to join the domain and manage computer overrides for the computer, click Browse to search for and select the existing computer object. After selecting an existing computer account, click Next to continue to Step 7.

  6. Type the computer name to use for the new computer account and specify a location for the computer account object in Active Directory, then click Next.

    • For Computer name, type the host name to use for the computer account in Active Directory.

    • For Domain, verify the domain name displayed is the appropriate domain for the computer account to join. Click Browse to navigate to a different Active Directory domain.

    • For DNS name, verify the DNS name for the computer account. You can modify the DNS name for the computer, if needed. For example, if computer names in DNS use a different suffix than the Active Directory domain, you might need to modify the default value displayed.

    • Select Create the computer object in the container to specify the parent container for the new computer account in Active Directory. In most cases, you should use the default parent container object. Click Change to navigate to a different container object for the computer account.

  7. Specify the computer account's password. Your choices are:

    • Set a password: You'll need to enter the password twice to confirm it.

    • Use the default password: The agent sets the password automatically.

    Click Next to continue.

  8. Select the Allow this computer to join the domain using a read-only domain controller option if you want the computer to join itself to the domain using a read-only domain controller and select the type of license to use, then click Next.

    If you click Next without selecting Allow this computer to join the domain using a read-only domain controller, the computer must join the domain by connecting to a writable domain controller.

  9. Review the default list of service types and service principal names for the specified computer, then click Next to accept the default set of service principal names.

    If you want to make changes to the default services or service principal names, you can do the following:

    • Click Add to add a service type or add a new service name to an existing service type.

    • Select a service principal name and click Edit to change the name.

    • Select a service principal name and click Remove to delete the name.

    • Click Default SPN to restore the default list of service principal names.

      If you are in an environment where multiple instances of the same SPN are possible, as a user with administrator privileges, use the -d or --forceDeleteObjWithDupSpn parameter with the adjoin command to ensure duplicate SPNs are removed.

  10. Select whether to allow a specific user or group to join the computer to the domain or to use the computer account and an automatically generated password to join the domain, then click Next.

    In most cases, select Allow the computer to join itself to the zone to allow the computer account to perform a “self-service” join. This option is selected by default because it allows you to automate the join operation so that a user name and password are not required.

    If you want a specific user, group, or computer account to be used to join the domain, select Allow this user, group, or computer to join the computer to the zone then click Browse to search for the user, group, or computer that you want to give permission to join the computer to the domain.

  11. Select the user, group, or computer account with permission to set computer-level overrides, then click Next.

    By default, the permissions required to manage computer-level overrides are granted to members of the Domain Admins group. You can click Browse to search for and select another user, group, or computer account.

  12. You can choose to skip permission delegation, if desired.

    If you select this option, the service does not set the security descriptor for the computer; you'll need to go in and set that attribute yourself. Some organizations prefer to set security descriptors manually. Security descriptors include security information such as the object owner, who has access rights to the object, and so forth.

  13. Review your configuration settings, then click Next.

  14. Review the confirmation of the operation performed, then click Finish.

    The computer account is created in Active Directory and a zone profile for the computer is added to Access Manager in the zone’s Computers container. The user or group you have designated as the trustee can now join this computer to the domain using the adjoin --selfserve command line option, and the group you designated for computer-level overrides can add users and role assignments to the computer.

Delegating permissions when preparing a computer account

When you prepare a computer account, you have the option to grant a specific user, group, or computer account the administrative permissions required to perform two separate tasks:

  • The permissions required to join the computer account to the domain.

  • The permissions required to set and manage computer-level overrides.

In most cases, you should select both options even if you want to grant different accounts the permissions required to perform each task.

However, it is possible to create a computer account and not delegate permission for computer-level overrides by deselecting the Delegate permission for machine overrides option. If you deselect this option, you are the only administrator who can set profile or role assignment overrides for the computer. No other user or group will be granted the permissions required to set or manage computer-level override for user profiles or role assignments.

Likewise, it is possible to delegate permissions for computer-level overrides without preparing the computer to join the domain by deselecting the Prepare computer for adjoin option. If you deselect this option, the computer icon appears in the zone, but the Active Directory computer object and service connection point are not created. The designated trustee can set computer-level override for user profiles or role assignments. No other user, group, or computer account will be specifically granted the permissions required to join the domain.

If any authenticated user can add computers to the domain, then any user with a valid domain account can join Linux and UNIX computers to the domain. If adding computers to a domain requires an administrative account, only the administrator who creates the computer account can join it to Active Directory. For more information about who can add computers to a domain, see Identifying who can add computers to the domain.

Allowing password resets for computer accounts

If you use Access Manager and the Prepare UNIX Computer wizard to create a computer account before joining the domain, you can select the Allow the computer to join itself to the zone option to set the permissions required for a computer to manage its own account. If you use Active Directory Users and Computers to create a computer account, however, you need to manually modify the permissions for the account.

By default, most computer accounts do not have permission to reset their own account password. This prevents the delegation of administrative rights for the computer to the local computer account. If you want to give a computer account administrative rights in a zone, you need to modify the computer account to allow password resets. In addition, allowing a computer account to update its own properties enables Access Manager to display the agent version and maintain operating system information for the computer account.

Checking for the appropriate permissions

To check whether a computer account allows password resets, you can view the permission settings for the account.

To check and modify the permissions for a computer account:

  1. Open Active Directory Users and Computers, expand the domain, and select Computers to find the computer account to which you want to assign administrative rights.

  2. Select the computer account, right click, then select AD Properties.

  3. Click the Security tab, scroll down the list of group or user names and select SELF.

  4. In the list of Permissions for SELF, scroll to the Reset Password permission, click Allow, then click OK.

  5. Select the computer account, right-click and select Reset Account, then click Yes. When the account is reset, click OK.
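The same check and change, scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the Access Manager documentation; the computer name is a constructed placeholder, and it assumes RSAT is installed and you have rights to read and write the object's security descriptor.

```powershell
# Added example (not from the Access Manager documentation): reports whether a
# computer account grants SELF the "Reset Password" extended right, and adds the
# Allow ACE if it is missing. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Well-known GUID of the User-Force-Change-Password ("Reset Password") extended right.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# NT AUTHORITY\SELF, the principal shown as SELF on the Security tab.
$SelfSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

function Get-SelfResetPasswordAce {
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    # Keep only ACEs for SELF that carry the Reset Password right, either named
    # explicitly or via an empty ObjectType (which means "all extended rights").
    $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SelfSid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [guid]::Empty)
    }
}

function Test-SelfResetPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    $aces = @(Get-SelfResetPasswordAce -ComputerName $ComputerName)
    # An explicit Deny wins over Allow, as it does when the Security tab evaluates it.
    if ($aces | Where-Object AccessControlType -eq 'Deny') { return $false }
    return [bool]($aces | Where-Object AccessControlType -eq 'Allow')
}

function Grant-SelfResetPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $SelfSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Usage with a constructed computer name; only writes the ACL when the right is absent.
if (-not (Test-SelfResetPassword -ComputerName 'LINUXHOST01')) {
    Grant-SelfResetPassword -ComputerName 'LINUXHOST01'
}
```

The script does not perform step 5 (Reset Account); do that in Active Directory Users and Computers after the permission change, as the procedure describes.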

Assigning administrative rights to computer accounts

After you have checked the Active Directory permissions for a managed computer account and modified them, if necessary, you can assign zone administrative rights to the account through Access Manager.

To give administrative rights to the computer account:

  1. Open the Access Manager console.

  2. In the console tree, select Zones, and if necessary, Child Zones, then select and expand the zone in which you are interested.

  3. Right-click, then click Delegate Zone Control.

  4. Click Add, select Computer from the Find list, then click Find Now.

  5. In the results, select Domain Computers, click OK, then click Next.

  6. Click Join computers to the zone and optionally, Remove computers from the zone, then click Next.

    In most cases, these are the only administrative tasks you should assign to the computer account. You can, however, give the account additional rights, if needed. For information about the permissions associated with each delegated task, see the Planning and Deployment Guide.

  7. Click Finish.