Difference between "Computer" and "User" objects in Active Directory. Application of the GPO rules to these objects.

Question

  • I have close to zero experience with Active Directory, so some/all of my questions may sound stupid and obvious for someone more experienced than me. But I have been "awarded" with the right to completely reinstall Active Directory server in my medium-size organization, so I want to have at least some understanding of how things work in AD.

    I couldn't wrap my head around what exactly the "Computer object" in Active Directory is.


    1) Does the "computer object" equal the name that you enter when adding a new PC to the domain?
    What if there is no "computer object" with such a name? Will it be created in the general Computers "folder" (is it a folder? What is the correct term? It definitely isn't an Organisational Unit)? What if a computer with the same name has already been added to the domain?
    2) What does it mean that any user has the right to add 10 new PCs? What if this option is disabled? Will only an admin have the right to add new computers? In this case, will the user be able to add a new computer to the domain if a "computer object" has already been created?

    3) About application of GPO - I have read in the wise articles that there are two distinct scopes to which a GPO rule is applied:
    "Computer Configuration" - applied when a computer starts up, i.e. after reboot. (Does it apply every 90 minutes?)
    "User Configuration" - applied when the user logs in, and every 90 minutes.

    Are they completely distinct "levels"?
    What if a GPO rule which contains the "Computer Configuration" section is applied to a user? Will all the settings from the "Computer Configuration" sections be completely ignored? Is it always the case? Will they not be applied after 90 minutes have passed since the user has logged in?

    Is the reverse true? Will the GPO rules which contain "User Configuration" applied to a computer be completely ignored?

    What are the right strategies to resolve these issues?
    Do I need to make separate GPO rules for computers and users? What are the other options?

    4) Following my previous question:
    Could someone please explain in layman terms what "loopback" is? Does it combine "Computer configuration" and "User Configuration"? What are the issues that the "loopback" mechanism resolves? Does it bring more complexity to the system? Does it have some weird and unexpected behavior? Should I use it in a relatively simple network?

    Monday, July 27, 2020 5:54 AM

Answers

  • Hi,

    in short:

    1. A computer object is very similar to a user object in that it is a security principal capable of authenticating against AD. If you run a process in SYSTEM context and access other resources within AD, the computer object in AD is the security context that will attempt to access those resources. Since the SAMAccountName of a computer is HOSTNAME$ there cannot be two computers by the same name in one AD domain. An attempt to add another computer by the same name will either be unsuccessful or cause havoc, depending on the permissions of the user who's doing the adding.
    2. Yes on both counts: If you set the quota to 0, only an admin (or an account this task has been specifically delegated to) will be capable of adding computers to the domain. An admin can, however, pre-create a computer object (thus placing it in the correct OU) so that a user can add a computer by that name to the domain.
    3. You're probably overthinking it here. Computer scope applies to the computer, user scope applies to the user. If you have a policy that only contains computer settings but is only applied to user OUs, it will have no effect. As to whether you need separate GPOs for computers and users, it depends on what you want to have configured. Some settings only exist in a computer context, some only exist in a user context, some exist in both. In the latter case, computer settings *usually* override user settings.
    4. Loopback in layman terms: Applying the User Configuration part of a GPO by scoping that GPO to the computer. Most important use case = terminal servers or VDI or kiosk computers where you require different user settings (browser start page, display background, whatever) depending on what computer the user has logged on to. THIS IS A GLOBAL SETTING from the computer's point of view - if Loopback is set in one GPO that is applied to a certain computer, all GPOs are treated as loopback. In REPLACE mode that means that GPOs scoped to the user are not applied at all. Loopback can add complexity, or it can reduce complexity if used wisely. If in doubt, don't use it.

    Evgenij Smirnov

    http://evgenij.smirnov.de

    Monday, July 27, 2020 2:55 PM
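The points in answers 1, 2 and 4 above, as an added PowerShell example (not code from the original thread or from the answerer): it reads the per-user join quota the answer refers to (the domain attribute ms-DS-MachineAccountQuota, default 10), lowers it to 0, checks that no computer object with the same HOSTNAME$ already exists, pre-creates the object in the intended OU so a delegated user can join a machine by that name, and reads the local loopback mode. The OU path, computer name and the ActiveDirectory RSAT module being installed are assumptions.

```powershell
# Added example, not part of the original thread. Requires the ActiveDirectory
# module (RSAT) and an account that may modify the domain head and the target OU.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Answer 2: the "any user may add 10 PCs" setting is the domain attribute
# ms-DS-MachineAccountQuota. 0 means only admins or explicitly delegated
# accounts can create computer objects.
$quotaAttr = 'ms-DS-MachineAccountQuota'
$quota = (Get-ADObject -Identity $domainDN -Properties $quotaAttr).$quotaAttr
Write-Host "Current $quotaAttr = $quota"
if ($quota -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ $quotaAttr = 0 }
    Write-Host "Quota set to 0; joins now rely on pre-created objects or delegation."
}

# Answer 1: SAMAccountName is HOSTNAME$, so a second object with the same
# name cannot exist. Check before creating, instead of finding out at join time.
$ou   = 'OU=Workstations,DC=example,DC=com'   # assumption: your workstation OU
$name = 'WS-EXAMPLE-01'                        # assumption: planned hostname
$sam  = "$name`$"

$existing = Get-ADComputer -Filter "SamAccountName -eq '$sam'" `
                           -SearchBase $domainDN -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Object for $sam already exists at $($existing.DistinguishedName)."
} else {
    # Answer 2: pre-create the object in the correct OU so it is not dropped
    # into the default Computers container and so a delegated user can join.
    New-ADComputer -Name $name -SamAccountName $sam -Path $ou -Enabled $true
    Write-Host "Pre-created $sam in $ou."
}

# Answer 4: loopback is a computer-side setting. On a joined machine, Group
# Policy writes the mode to this registry value (1 = Merge, 2 = Replace);
# absent or 0 means loopback is not in effect for this computer.
$gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode  = (Get-ItemProperty -Path $gpKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { Write-Host 'Loopback: Merge' }
    2       { Write-Host 'Loopback: Replace (user-scoped GPOs are ignored here)' }
    default { Write-Host 'Loopback: not configured on this computer' }
}
```

Run the first two parts on a management host against the domain, and the registry check on the computer whose loopback state you want to confirm; `gpresult /scope computer /v` shows the same result from the client side.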

All replies

  • Thanks! One more question - when reinstalling a PC, do I need to delete this "computer object" from the domain? Can I safely reuse the already existing "computer object"? Or should I delete it and then create a new "computer object"?
    Wednesday, July 29, 2020 1:15 PM
  • If you're going to use the same name, apply "Reset account". In this case the SID/SPN and group membership will be the same for the new PC.
    Wednesday, July 29, 2020 2:01 PM