Surface Hub and Active Directory Best Practices: Removing Inactive Computer Objects

You choose how the Surface Hub will be administered during the initial out-of-box experience (OOBE) setup. If you select the Active Directory User or Group option, a computer object for the Surface Hub is created in your Active Directory domain. It is critical that this computer object is not removed: if it is, it becomes impossible to authenticate as an administrator on the Surface Hub.

Many Active Directory environments run cleanup scripts to remove unused computer objects. If these scripts are not designed with the Surface Hub in mind, they can remove the computer object of a Hub that is in active use.

It is common to use the last logon timestamp (the replicated lastLogonTimestamp attribute) to decide whether a computer object is still active. The Surface Hub does not require users to authenticate, so this timestamp is only updated when an admin authenticates to Settings. That is not part of day-to-day use of the Hub, so it may happen rarely or never. If this is the only value checked, computer objects for actively used Surface Hubs will be removed. https://adsecurity.org/?p=280 provides additional detail on how AD treats computer objects and includes example cleanup scripts.

One way to avoid deleting Hub objects is to add an operating system filter that excludes Hubs, for example (OperatingSystem -notlike "*Team*"). The Surface Hub operating system is reported as "Microsoft Windows 10 Team". The Surface Hub also follows the standard Windows behavior of changing its computer account password every 30 days, so if your script checks passwordLastSet (as the linked example does), Surface Hub computer objects are not at risk. The problem only occurs when a cleanup script relies on the last logon timestamp alone.
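The following is an added example of a stale-computer report written with the points above in mind; it is not a script from the original post or from the linked article. It excludes Surface Hubs by operating system and, for everything else, requires both a stale PasswordLastSet and a stale LastLogonDate before treating an object as inactive. It assumes the ActiveDirectory RSAT module is installed; the 90-day threshold and the .\StaleComputers.csv report path are illustrative choices.

```powershell
# Added example, not from the original post. Stale-computer report that will not
# flag Surface Hubs: it excludes the "Windows 10 Team" OS server-side and requires
# BOTH a stale password and a stale logon before calling an object inactive.
# Assumptions: ActiveDirectory RSAT module installed, 90-day staleness threshold,
# report written to .\StaleComputers.csv.
Import-Module ActiveDirectory

$Days   = 90
$Cutoff = (Get-Date).AddDays(-$Days)

# Server-side filter: enabled objects whose OS is not a Surface Hub
# ("Microsoft Windows 10 Team").
$Candidates = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -notlike "*Team*"' `
    -Properties OperatingSystem, PasswordLastSet, LastLogonDate

$Stale = $Candidates | Where-Object {
    # Every domain-joined Windows machine rotates its password on a 30-day cycle, so a
    # recent PasswordLastSet proves the object is alive even with no interactive logon.
    # A null PasswordLastSet means the object was just created; never treat that as stale.
    $null -ne $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff -and
    # LastLogonDate is the replicated lastLogonTimestamp. On a Hub it only moves when an
    # admin signs in to Settings, which is why it must never be the only test.
    ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff)
}

$Stale |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate |
    Export-Csv -Path .\StaleComputers.csv -NoTypeInformation

# Sanity check: list the Hubs that were excluded. Expect an old (or empty) LastLogonDate
# next to a PasswordLastSet that is less than 30 days old.
Get-ADComputer -Filter 'OperatingSystem -like "*Team*"' `
    -Properties OperatingSystem, PasswordLastSet, LastLogonDate |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate |
    Format-Table -AutoSize

# Review the CSV first. Disable rather than delete, and keep -WhatIf until you have.
$Stale | Disable-ADAccount -WhatIf
```

Disabling first and deleting later gives you a recovery window if a machine was misclassified; for a Surface Hub, a deleted object means a trip to the device and a reset, which is exactly what the OS filter is there to prevent.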

Some additional troubleshooting suggestions:

If you are unsure why computer objects are being deleted, remove the "delete" permission on the Surface Hub computer objects in AD for all users and groups except SYSTEM (the "Protect object from accidental deletion" option in Active Directory Users and Computers does this with an explicit Deny ACE). Then enable auditing on the domain controllers, which will show where the delete attempts are coming from.
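An added example of the two steps just described, not taken from the original post: protect every Surface Hub computer object from deletion, then report the accounts behind both denied and successful deletions from the domain controller's Security log. It assumes the ActiveDirectory RSAT module, that the Hubs' OperatingSystem attribute contains "Team", and that the audit and log-reading steps run on the domain controller(s). The 30-day look-back is illustrative.

```powershell
# Added example, not from the original post. Protects Surface Hub computer objects
# from deletion and finds who is attempting deletions.
# Assumptions: ActiveDirectory RSAT module; auditpol and the Security-log query run
# on a domain controller; Hubs report an OperatingSystem containing "Team".
Import-Module ActiveDirectory

# 1. Mark every Surface Hub object "protected from accidental deletion". This writes an
#    explicit Deny Delete / Delete Subtree ACE for Everyone on the object. Clear it with
#    -ProtectedFromAccidentalDeletion $false only when a Hub is genuinely retired.
Get-ADComputer -Filter 'OperatingSystem -like "*Team*"' |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# 2. Turn on the two audit subcategories involved. Denied attempts surface as failure
#    audits of event 4662 (Directory Service Access), which also needs the object's SACL
#    to audit failed Delete for Everyone; successful deletions surface as event 5141
#    (Directory Service Changes). Inspect a Hub's SACL with:
#      (Get-Acl -Path "AD:\$((Get-ADComputer HUB01).DistinguishedName)" -Audit).Audit
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Helper: flatten the EventData of a Security event into a hashtable of field names.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$Since  = (Get-Date).AddDays(-30)
$Delete = 0x10000   # standard DELETE access right, as it appears in the 4662 AccessMask

# 3. Denied delete attempts (4662 failure audits whose AccessMask includes DELETE)
#    and successful deletions (5141), reported as who / what / when.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662, 5141; StartTime = $Since } |
    ForEach-Object {
        $f = Get-EventFields -Event $_
        $failed = $_.KeywordsDisplayNames -contains 'Audit Failure'
        if ($_.Id -eq 4662 -and -not ($failed -and (([int]$f.AccessMask) -band $Delete))) { return }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Event   = if ($_.Id -eq 5141) { 'Deleted' } else { 'Delete denied' }
            Account = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
            Object  = if ($_.Id -eq 5141) { $f.ObjectDN } else { $f.ObjectName }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

With the Deny ACE in place the cleanup script's deletions fail, so the "Delete denied" rows name the service account and, through its logon, the host the script runs from.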

The computer object password is updated by the Netlogon service on the Surface Hub. If you export the Surface Hub logs to a USB drive, you can unzip the file and verify this. In the WindowsEventLog folder, open system.evtx and filter for Netlogon events. You should see the event:

"The system successfully changed its password on the domain controller DC. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password."
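An added example of that check done from the command line, not part of the original post: it reads the exported system.evtx, keeps the Netlogon events carrying the message quoted above, and flags a Hub whose most recent password change is older than the 30-day cycle. It assumes the log bundle was unzipped to C:\HubLogs; it matches on the message text rather than on an event ID so it does not depend on which ID your export shows.

```powershell
# Added example, not from the original post. Confirms from an exported Surface Hub log
# bundle that Netlogon is rotating the computer account password.
# Assumptions: bundle unzipped to C:\HubLogs; the relevant events come from the
# NETLOGON provider and carry the "successfully changed its password" message.
$Evtx = 'C:\HubLogs\WindowsEventLog\system.evtx'

$Changes = Get-WinEvent -FilterHashtable @{ Path = $Evtx; ProviderName = 'NETLOGON' } -ErrorAction Stop |
    Where-Object { $_.Message -like '*successfully changed its password on the domain controller*' } |
    Sort-Object TimeCreated

if (-not $Changes) {
    Write-Warning 'No Netlogon password-change events found. The Hub may not be reaching a DC.'
    return
}

$Changes |
    Select-Object TimeCreated, Id,
        @{ n = 'DomainController'; e = {
            # Pull the DC name out of "...on the domain controller DC01."
            if ($_.Message -match 'domain controller\s+(\S+?)\.?(\s|$)') { $Matches[1] } else { '?' }
        } } |
    Format-Table -AutoSize

# The 30-day rotation cycle is the behavior described above; if the last change is much
# older than that, the object's passwordLastSet in AD will be stale too.
$Last = $Changes[-1].TimeCreated
$Age  = (Get-Date) - $Last
if ($Age.TotalDays -gt 30) {
    Write-Warning ("Last password change was {0:N0} days ago ({1}); expected one every 30 days." -f $Age.TotalDays, $Last)
} else {
    "Last password change: $Last ({0:N0} days ago)" -f $Age.TotalDays
}
```

Comparing the last timestamp shown here with the object's PasswordLastSet in AD (Get-ADComputer HUBNAME -Properties PasswordLastSet) confirms both ends agree and that a passwordLastSet-based cleanup script will see the Hub as active.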