User Account is able to join computers to the domain

  • User Account is able to join computers to the domain

    Looking for assistance in finding out how a user account is able to join computers to the domain.

    I've checked the security tab on the Computers OU and checked the effective perms of the acct which doesn't show the create computer objects.

    I checked to see if the perms were being inherited from the top, still nothing.

    I checked group membership which the account is only a member of the domain users group.

    Any idea how I can find where this task has been delegated from? I inherited an existing domain and have already had to fix numerous perm issues.

    Any suggestions or help is greatly appreciated.

    B

  • #2
    Re: User Account is able to join computers to the domain

    By default any authenticated user has a right to join up to 10 computers to a domain. This is enforced not via ACL, but rather via User Right in conjunction with ms-DS-MachineAccountQuota attribute on the head of the domain object (take a look with adsiedit or any other LDAP editor).

    More details on this and how to change the default behavior can be found here:
    http://support.microsoft.com/default.../251335/EN-US/

    If you want to revoke this right from authenticated users, just set ms-DS-MachineAccountQuota attribute to 0 (see method 3 at the link above)
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
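
An audit of the mechanism described in reply #2, as an added example that is not part of the original thread: it reads the quota on the domain head, shows who holds the "Add workstations to domain" user right, and lists computer objects that record a creator SID. It assumes the RSAT ActiveDirectory module and an elevated session on a domain controller; the scratch file name is made up for this example.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and an elevated PowerShell session on a domain controller.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Quota on the head of the domain object: how many computers an ordinary
#    authenticated user may join (10 by default, 0 disables the behaviour).
$head  = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $domainDN = $quota"

# 2. Holders of the "Add workstations to domain" user right
#    (SeMachineAccountPrivilege) as applied to this DC.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # scratch file (example name)
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' |
    ForEach-Object { $_.Line }
Remove-Item $inf -ErrorAction SilentlyContinue

# 3. Computer objects created through the quota record the joining account
#    in ms-DS-CreatorSID; objects created via delegated ACLs or by admins do not.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        try {
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $who = "$sid (unresolved, account may be deleted)"
        }
        [pscustomobject]@{
            Computer    = $_.Name
            JoinedBy    = $who
            WhenCreated = $_.whenCreated
        }
    } | Sort-Object JoinedBy, WhenCreated | Format-Table -AutoSize

# To revoke the default right, as reply #2 describes, set the quota to 0:
# Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```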
