restricting ability to join computers
  • restricting ability to join computers

    Hi all,

    I know that in AD, every person with an AD user account can join computers to the domain (with a limit of 10 for normal users; d-admins have no restrictions).

    Can I disable this ability for users and restrict it to only the domain admins group and account operators group members?

    Thanks.

  • #2
    Re: restricting ability to join computers

    You can control this with group policy. Check out the User Rights Assignments section.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: restricting ability to join computers

      You can also try the following:
      Every computer that enters the domain is inserted into the "Computers" OU in the AD unless you've pre-created a computer account.

      Now, I imagine that the normal users in your domain (the ones whose access you want to restrict) don't have the right to create computer accounts in your AD.

      So, all you have to do now is set DENY permissions on the Computers OU in your AD for all the users that you want to restrict.

      Just be careful with it, since if you give the wrong permissions you might find yourself in a lot of trouble.



      • #4
        Re: restricting ability to join computers

        Originally posted by gilivaturi:
        Every computer that enters the domain is inserted into the "Computers" OU in the AD unless you've pre-created a computer account.

        For the record, the Computers container is not an OU.

        Originally posted by gilivaturi:
        Now, I imagine that the normal users in your domain (the ones whose access you want to restrict) don't have the right to create computer accounts in your AD.

        By default every user can create 10 computer accounts.

        Originally posted by gilivaturi:
        So, all you have to do now is set DENY permissions on the Computers OU in your AD for all the users that you want to restrict.

        Have you tried this? I don't have a computer to test this on right now, but I hope to in the next day or two. As it is, it seems users are implicitly denied permission to create a computer object (account) in the Computers container, so I don't know what it will do if you explicitly deny them permissions.

        Originally posted by gilivaturi:
        Just be careful with it, since if you give the wrong permissions you might find yourself in a lot of trouble.

        I agree.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          Re: restricting ability to join computers

          Originally posted by roguecoolman:
          Hi all,

          I know that in AD, every person with an AD user account can join computers to the domain (with a limit of 10 for normal users; d-admins have no restrictions).

          Can I disable this ability for users and restrict it to only the domain admins group and account operators group members?

          The default quota is managed by the ms-DS-MachineAccountQuota attribute on the domain head object.
          All you need to do is set the ms-DS-MachineAccountQuota attribute of your domain head (i.e. dc=domain,dc=com) to 0.
          After that, only accounts with explicit permissions to create child objects on OUs/containers will be able to join computers to the domain.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"
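A PowerShell walk-through of the setting Guy describes, added here as an example (it is not code from the thread): it reads the quota on the domain head, shows the change to 0, and then lists the computer accounts that ordinary users joined under the quota, since AD stamps the creator's SID into mS-DS-CreatorSID on those objects and leaves it empty on accounts created through delegated permissions. It assumes the ActiveDirectory module from RSAT and an account that is allowed to edit the domain object.

```powershell
# Added example: check, tighten and audit ms-DS-MachineAccountQuota.
# Assumes the RSAT ActiveDirectory module and rights on the domain head object.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=domain,DC=com

# 1. Read the current quota (the default is 10).
$domainHead = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $($domainHead.'ms-DS-MachineAccountQuota')"

# 2. Set the quota to 0 so that only principals with explicit "Create Computer
#    objects" permission on an OU/container can join machines (as post #5 says).
#    -WhatIf previews the change; drop it to apply.
Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf

# 3. Audit: joins performed under the quota populate mS-DS-CreatorSID with the
#    SID of the user who joined the machine. A presence filter finds them.
$quotaJoins = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated

$quotaJoins | ForEach-Object {
    $raw = $_.'mS-DS-CreatorSID'
    # The AD module normally returns a SecurityIdentifier; handle raw bytes too.
    $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
           elseif ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
           else { New-Object System.Security.Principal.SecurityIdentifier([string]$raw) }
    $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $sid.Value }   # deleted or foreign account: keep the SID
    [pscustomobject]@{
        Computer    = $_.Name
        CreatedBy   = $creator
        WhenCreated = $_.whenCreated
    }
} | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
```

Existing computer accounts keep working after the quota is set to 0; the change only stops new joins by users who lack delegated create permissions, which is why the audit list is worth reviewing before and after the change.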
