Audit who can add computers to the domain


  • Audit who can add computers to the domain

    Hi everyone,
    I just got off a very scary phone call. I had a user in one of my remote offices who had his computer crash on him. He is relatively technical, so he grabbed a spare machine and rebuilt it and then called to ask where to get his job tracking software install from. My first statement was, "I need to join your computer to the domain." His response was, "Oh, no worries, I already did." This user has NO permissions to join this system to the domain. At least he shouldn't. Is there any way to audit who has permissions to add machines to the domain?

    This is really starting to frighten me.

    Any assistance would be greatly appreciated.

    app

  • #2
    Re: Audit who can add computers to the domain

    Have a read here and you will see why this is so and how to fix it.

    One of the MVPs here blogged about this way back, sorry but I cannot find that excellent post.
    "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan



    • #3
      Re: Audit who can add computers to the domain

      The reason why the user was able to add his machine to the domain is because the computer object existed in the domain (attached to his old machine); all that was left was attaching his new OS installation to the existing object.
      Everyone has permission to attach machines to their existing computer object, as "Lior_S" stated in his reply on the aforementioned link.



      • #4
        Re: Audit who can add computers to the domain

        Originally posted by Akila
        The reason why the user was able to add his machine to the domain is because the computer object existed in the domain (attached to his old machine); all that was left was attaching his new OS installation to the existing object.
        Everyone has permission to attach machines to their existing computer object, as "Lior_S" stated in his reply on the aforementioned link.
        That's highly unlikely as he's rebuilt a spare machine which would have a completely new SID. He probably had enough presence of mind to give it a new name too.

        By default, Domain Users have the right to join the domain TEN TIMES and after that they will continue to get a user name and password prompt. This can be disabled/reduced to zero times in Group Policy.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you
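
To answer the original question on a live domain, the PowerShell below (an added example, not part of any post in this thread) reads the join quota mentioned in #4, lists computer accounts created under it with the account that created each one, and shows who holds "Create Computer objects" on the default computers container. It assumes the RSAT ActiveDirectory module and read access to the domain; the attribute names ms-DS-MachineAccountQuota and mS-DS-CreatorSID are standard AD schema attributes that the thread itself does not name.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Number of computer accounts an ordinary authenticated user may create.
#    The default is 10; setting it to 0 removes the ability.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Computer objects created under that quota record the creator's SID in
#    mS-DS-CreatorSID. Resolve each SID to an account name where possible.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account no longer resolves
        [pscustomobject]@{
            Computer = $_.Name
            JoinedBy = $who
            Created  = $_.whenCreated
        }
    }
$joined | Sort-Object Created -Descending | Format-Table -AutoSize

# Number of joins per account, highest first.
$joined | Group-Object JoinedBy | Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Explicit delegation: Allow ACEs granting CreateChild for the computer
#    class (or for all classes) on the default computers container.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of "computer"
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path "AD:\$($domain.ComputersContainer)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Accounts joined by administrators or by principals with delegated create rights generally have no mS-DS-CreatorSID value, so step 2 lists only joins that consumed the quota; step 3 covers the delegated case for the default container only, and other OUs need the same check.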



        • #5
          Re: Audit who can add computers to the domain

          There is one thing you did not take into consideration: when he rebuilt his system he did not delete the computer object, therefore he uses the same computer object SID after attaching the machine to it.
          This is the same as if you create a computer object for a newly installed machine prior to joining it to the domain; the object has a different SID than the actual machine, but yet it could be joined without a problem.
          The question is, did the new machine have the same name as the old one?
