In this video we are going to tackle computer accounts and groups.
First, let's discuss what a secure channel is. It is the authenticated (Netlogon) connection between a domain member computer and a domain controller. The computer proves its identity with its own computer account, identified in Active Directory by the account's SID (security identifier), and that account's password; user logons to the domain are processed over this channel.
There are a few reasons for the secure channel to break. One is the computer account password getting out of sync with the domain controller. The computer rotates this password automatically every 30 days; if the copy stored on the computer no longer matches the one in Active Directory (for example, because the computer was restored from a backup or snapshot taken before the last rotation), it can no longer authenticate. Unlike a user account password, this password cannot be typed in by hand; it can only be reset.
Another thing that breaks it is an operating system reinstall. The reinstalled OS has a fresh local machine SID and no copy of the computer account password, so it can no longer authenticate as the existing computer object in Active Directory and must be joined again.
The other one is the computer being out of sync with the domain controller for other reasons, such as corrupted data on the computer.
Note: Do not try to fix a broken secure channel by deleting the computer account in Active Directory and then unjoining and rejoining the computer. The rejoin creates a brand-new computer object with a new SID, and the old group memberships are lost. Reset the existing account first (see below) so that a rejoin reuses it.
Here are some things that can fix a broken secure channel:
- Locate the computer in Active Directory Users and Computers, right-click the computer account, choose Reset Account, and then rejoin it to the domain by joining the computer to a workgroup and then rejoining it to the domain. Then restart.
- Use the dsmod command in cmd or PowerShell: dsmod computer "<Active Directory distinguished name of the computer>" -reset. After that, rejoin the computer to the domain and restart.
- From the domain controller side, run cmd as an administrator and execute: nltest /server:<name of the computer you want to reset> /sc_reset:<domain>\<domain controller>. The good thing is that there is no need to restart the computer.
- From the local client, run cmd as an administrator, enter PowerShell, and execute: Test-ComputerSecureChannel -Repair -Credential (Get-Credential). The credential must be a domain account that is allowed to reset the computer account password; no restart is needed.
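The client-side procedure above as one script, added here as an example and not part of the original video. It checks the channel, repairs it in place, falls back to a machine password reset if the repair fails, and verifies the result. It assumes it is run in an elevated PowerShell on the domain member, that the domain controller is DC01.hoit.com, and that the credential entered belongs to a domain account allowed to reset the computer account password (the DC name is an assumption, as are all other names).

```powershell
# Added example, not the video's own script. Assumes an elevated PowerShell on
# the domain member and an illustrative domain controller name DC01.hoit.com.
$dc = "DC01.hoit.com"

# Step 1: is the secure channel healthy? $true means there is nothing to do.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host "Secure channel to $dc is OK"
    return
}

# Step 2: repair in place. This resets the computer account password on both
# the client and the DC, so no unjoin/rejoin and no reboot is needed.
# The credential is a domain account allowed to reset this computer account.
$cred = Get-Credential -Message "Domain account allowed to reset this computer account"
$repaired = Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred

if (-not $repaired) {
    # Step 3: fallback for a computer whose stored password is out of sync
    # with Active Directory: force a new password to be set on both sides.
    Reset-ComputerMachinePassword -Server $dc -Credential $cred
}

# Step 4: verify again; -Verbose prints which DC the channel was tested against.
Test-ComputerSecureChannel -Server $dc -Verbose
```

Run it from a console that can still sign in with a local administrator account, since a broken secure channel means domain logons on that machine may already be failing. The equivalent from the domain controller side is the nltest /sc_reset command in the list above.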
Here is what a broken secure channel error looks like…
Now on to groups. Purpose: to collect similar user, computer or other group accounts (nesting) by department, region, job description, etc., so that rights and permissions can be assigned once to the group instead of to each account.
Note: Users become members of the Domain Users security group by default when they are created, and computers become members of the Domain Computers security group.
Note: Group membership and scope have no relationship to Organizational Units; an OU is only the container the group object is stored in.
Types of groups:
Distribution – Used for e-mail distribution lists (for example in Exchange). Not security-enabled, so it cannot be used to assign permissions.
Security – Used to assign rights and permissions.
Group scopes:
Local – Local computer rights and resource permissions, defined in the computer's own SAM. May contain local users, users and computers from any domain in the forest, domain local groups from the computer's own domain, global or universal groups from any domain in the forest, and global groups from a trusted external domain. Domain controllers have no machine-local groups. Usable on that local computer only.
Domain Local – Domain rights and resource permissions. May contain users and computers from any domain, domain local groups from the same domain, global or universal groups from any domain in the forest, and global groups from a trusted external domain. Usable only within its own domain.
Global – Collects users with similar characteristics such as department or role. May contain users, computers and other global groups from the same domain only. Usable for rights and resource permissions in any domain in the forest or in a trusting domain or forest.
Universal – Same purpose as global and domain local, but its membership is listed in the global catalog so it can be looked up from anywhere in the forest. May contain users, computers, global groups and universal groups from any domain in the forest. Usable in any domain in the forest.
How to create groups in PowerShell (requires the ActiveDirectory module from RSAT):
- Run PowerShell as Administrator.
- Enter the command on a single line: New-ADGroup -Name hoitUsers -SamAccountName hoitUsers -GroupCategory Security -GroupScope Global -DisplayName hoitUsers -Path "ou=DataEntry,ou=HOIT Users,dc=hoit,dc=com" -Description "hoit Users"
- Press Enter.
Note: You may only convert a group to another scope if its current members and memberships are allowed in the target scope. Global to universal is allowed only if the group is not itself a member of another global group; domain local to universal is allowed only if it contains no other domain local group; universal to global is allowed only if it contains no other universal group; universal to domain local is always allowed.
For example, you cannot convert a global group directly to a domain local group or vice versa; you have to go through universal, and each step must pass the checks above.
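The group creation command, the scope rules and the conversion note, put together as an example that is added here and is not from the original video. It builds the AGDLP pattern (Accounts into a Global group, the Global group into a Domain Local group, the Permission on the Domain Local group), then converts the global group to universal after checking the precondition. It assumes the RSAT ActiveDirectory module, a domain admin session on hoit.com, the OU from the command above, a user named jdoe and a share path \\FS01\Data\DataEntry; the user, server and group names other than hoitUsers are assumptions.

```powershell
# Added example, not the video's own script. Assumes the ActiveDirectory
# module, a domain admin session on hoit.com, an existing user jdoe and an
# existing folder \\FS01\Data\DataEntry (all illustrative names).
Import-Module ActiveDirectory

$ou = "ou=DataEntry,ou=HOIT Users,dc=hoit,dc=com"

# A -> G: accounts go into a Global group (collects people by role/department).
$global = New-ADGroup -Name hoitUsers -SamAccountName hoitUsers `
    -GroupCategory Security -GroupScope Global `
    -DisplayName hoitUsers -Path $ou -Description "hoit Users" -PassThru
Add-ADGroupMember -Identity $global -Members jdoe

# DL: a Domain Local group is what actually carries the permission.
$dl = New-ADGroup -Name "DataEntry-Share-Modify" -SamAccountName "DataEntry-Share-Modify" `
    -GroupCategory Security -GroupScope DomainLocal -Path $ou `
    -Description "Modify on \\FS01\Data\DataEntry" -PassThru

# G -> DL: allowed because a Domain Local group may contain Global groups
# from any domain in the forest.
Add-ADGroupMember -Identity $dl -Members $global

# P: grant the permission once, to the Domain Local group, never to users.
$path = "\\FS01\Data\DataEntry"
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "HOIT\DataEntry-Share-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Scope conversion: Global -> Universal is allowed only if the group is not
# a member of another Global group, so check before converting.
$memberOfGlobal = Get-ADPrincipalGroupMembership -Identity $global |
    Where-Object { $_.GroupScope -eq 'Global' }
if (-not $memberOfGlobal) {
    Set-ADGroup -Identity $global -GroupScope Universal
} else {
    Write-Warning "hoitUsers is nested in a Global group; remove it from there first"
}

# Global <-> DomainLocal has no direct path. This line would fail;
# convert to Universal first and then to the target scope instead:
# Set-ADGroup -Identity $dl -GroupScope Global
```

Because the permission sits on the domain local group, adding or removing a person only touches the global group, and the folder ACL never has to be edited again.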
I hope you learned a lot today, and stay tuned for more videos.