Author Topic: How to create NTLMv2 computer account?
authen, posted on: 05/06/2014 10:51:36 PM
How to create NTLMv2 computer account?
For NTLMv2 to work, a computer account on which you run the NTLMv2 service is required for security reasons. This is due to the fact that NTLM is a man-in-the-middle authentication service which relies on the Domain Controller (DC) to authenticate the incoming client. In order for NTLM to be capable of acting as the middle man trusted by the client, NTLM should authenticate itself to the DC first, and thereafter a computer/service account is required since version 2.

  • Open Active Directory Users and Computers console
  • Right click on "CN=Computers" under DC=<domain>
  • Choose 'New' and then click on 'Computer'
  • Follow the wizard to finish.

    Note: If your physical computer belongs to an AD domain, the domain controller should have already generated a computer account, which can be found under "CN=Computers,DC=<domain>" in AD. This physical computer account can of course be used as the NTLMv2 service account.

    authen, posted on: 05/06/2014 10:54:57 PM
    How to assign or reset computer account's password?
    For AD2008 or later

  • Click on "Start" and then "Run.."
  • Type "adsiedit.msc" to open ADSI console
  • Browse to your computer account and right click on it
  • Choose "Reset Password..."
  • Follow the wizard to finish.


    For AD2003 or older

    For AD2003 or older, there is no user interface to reset the password for a computer account. You have to manually run the script as below:

    C:\>cscript SetComputerPass.vbs CN=<servicename>,CN=Computers,DC=<domain>
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    
    Password:<password>
    C:\>
    



    For your reference, here is the code of SetComputerPass.vbs
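    ' SetComputerPass.vbs: set the password of a computer account given its DN.
    ' Run with cscript (WScript.StdOut is not available under wscript.exe).
    Option Explicit
    
    Dim strDn, objPassword, strPassword, objComputer
    
    ' Exactly one argument is expected: the computer account's distinguished name.
    If WScript.Arguments.Count <> 1 Then
          WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>"
          WScript.Quit
    End If
    
    strDn = WScript.Arguments.Item(0)
    
    ' Prompt for the password without echoing it to the console.
    Set objPassword = CreateObject("ScriptPW.Password")
    WScript.StdOut.Write "Password:"
    strPassword = objPassword.GetPassword()
    
    ' Bind to the computer object through ADSI and set its password.
    Set objComputer = GetObject("LDAP://" & strDn)
    objComputer.SetPassword strPassword
    
    WScript.Quit
    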

    authen, posted on: 05/06/2014 11:10:27 PM
    How to verify a computer account?
    You can try to bind to Active Directory by using the computer account as:

    Name: <NTDomain>\<account>$
    Password: <password>

    or

    Name: CN=<account>,CN=Computers,DC=<domain>
    Password: <password>

    If the binding is successful, your computer account is good.

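The bind check described in the last post, as an added PowerShell example that is not part of the original thread: it tries both name forms against a domain controller through System.DirectoryServices.Protocols and reports the result of each. The function name, its parameters and the sample values in the usage comment are assumptions; the DN form is sent over LDAPS (port 636) here because a simple bind otherwise puts the password on the wire in clear text.

```powershell
# Added example: verify a computer account by binding to AD with both name forms.
# Test-ComputerAccountBind and its parameter names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-ComputerAccountBind {
    param(
        [Parameter(Mandatory)][string]$Server,      # domain controller host name
        [Parameter(Mandatory)][string]$NTDomain,    # as in <NTDomain>\<account>$
        [Parameter(Mandatory)][string]$Account,     # account name without the trailing $
        [Parameter(Mandatory)][string]$ComputerDN,  # CN=<account>,CN=Computers,DC=<domain>
        [Parameter(Mandatory)][securestring]$Password
    )
    $P = 'System.DirectoryServices.Protocols'
    # Form 1: <NTDomain>\<account>$ with Negotiate on 389 (no clear-text password).
    # Form 2: full DN with a simple bind, so it goes over LDAPS on 636.
    $attempts = @(
        @{ Name = "$NTDomain\$Account`$"; Port = 389; Ssl = $false; Auth = 'Negotiate'
           Cred = New-Object System.Net.NetworkCredential("$Account`$", $Password, $NTDomain) },
        @{ Name = $ComputerDN; Port = 636; Ssl = $true; Auth = 'Basic'
           Cred = New-Object System.Net.NetworkCredential($ComputerDN, $Password) }
    )
    foreach ($a in $attempts) {
        $id   = New-Object "$P.LdapDirectoryIdentifier" -ArgumentList $Server, $a.Port
        $conn = New-Object "$P.LdapConnection" -ArgumentList $id
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $a.Ssl
        $conn.AuthType = $a.Auth
        $result = 'OK'
        try { $conn.Bind($a.Cred) }
        catch {
            # Unwrap to the LdapException; LDAP result code 49 means invalid credentials.
            $e = $_.Exception
            while ($e.InnerException -and $e -isnot [System.DirectoryServices.Protocols.LdapException]) {
                $e = $e.InnerException
            }
            $result = if ($e.ErrorCode -eq 49) { 'Invalid credentials (49)' } else { $e.Message }
        }
        finally { $conn.Dispose() }
        [pscustomobject]@{ BindName = $a.Name; Auth = $a.Auth; Port = $a.Port; Result = $result }
    }
}

# Usage (constructed values):
# Test-ComputerAccountBind -Server dc01.example.com -NTDomain EXAMPLE -Account ntlmsvc `
#   -ComputerDN 'CN=ntlmsvc,CN=Computers,DC=example,DC=com' `
#   -Password (Read-Host 'Password' -AsSecureString)
```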