Is it possible to join domain without domain admin?

    One day, I noticed a notebook belonging to an employee, running Windows XP Pro, which I felt I had not joined to the Windows 2003 domain. Assume that the user has local admin rights. I am just curious: is it possible for a typical domain user to join a workstation into the domain without a Domain Administrator's action? This bothers me, because the user may have been using some sort of hacking tools to do this. One thing I am quite sure of is that the Domain Administrator's password has not been revealed to anyone. How do I prevent this from happening again?

    By the way, how can I check from logfile or database in domain controller when that suspicious notebook has been joined to the domain?

    Please comment and advise. Thanks.

  • #2
    Re: Is it possible to join domain without domain admin?

    If I recall correctly users can add up to 10 workstations onto a windows 2003 network.

    You would have to sift through event logs on all your DCs to see which DC the workstation was added through.

    Instead of deleting the workstation, put it in an OU that has no permissions at all. That way, when the user attempts to use it he won't have any access anywhere and will eventually come to you for help. If you just delete it, chances are they will just re-add it.

    Hope this helps

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Is it possible to join domain without domain admin?

      Huh? AFAIK, no-one without the correct privileges, such as Domain Admin or Power User, can add computers to the domain. Otherwise, think of the security implications that anyone could automatically add themselves to a domain via a travelling laptop, VPN or such!
      TIA

      Steven Teiger [SBS-MVP(2003-2009)]
      http://www.wintra.co.il/
      I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

      We don't stop playing because we grow old, we grow old because we stop playing.


      • #4
        Re: Is it possible to join domain without domain admin?

        matey is absolutely right. By default, the "Add workstations to Domain" right is granted to "Authenticated Users" - however non-Admins can only do it ten times. The Default Domain GPO has to be amended to explicitly state which groups can do it - I usually recommend only "Domain Admins" be given this right.

        http://technet2.microsoft.com/Window....mspx?mfr=true


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you



        • #5
          Re: Is it possible to join domain without domain admin?

          Any user can by default add up to 10 computers to the domain.
          We defined a GPO to minimize the number of the privileged users that have permission to do so by using the GPO that shows in the attached file. In the specific group there are the Domain Admins and another three support guys.

          Good luck.
          Last edited by sorinso; 9th November 2007, 21:09.

          Sorin Solomon


          In order to succeed, your desire for success should be greater than your fear of failure.


          • #6
            Re: Is it possible to join domain without domain admin?

            Originally posted by Stonelaughter:
            matey is absolutely right. By default, the "Add workstations to Domain" right is granted to "Authenticated Users" - however non-Admins can only do it ten times. The Default Domain GPO has to be amended to explicitly state which groups can do it - I usually recommend only "Domain Admins" be given this right.

            http://technet2.microsoft.com/Window....mspx?mfr=true
            Sorry, I saw Tom's reply only after mine.

            Sorin Solomon


            In order to succeed, your desire for success should be greater than your fear of failure.


            • #7
              Re: Is it possible to join domain without domain admin?

              Dear All,

              Any user can join up to 10 computers to the domain. The user does not need administrative privileges to do that. You can change this default number of "10" computers by editing the schema of the Active Directory.

              Best regards,

              Mostafa Itani
              MCSA-MCSE 2000/2003 Security, A+, CCNA

              ** Remember to give credit where credit is due and leave reputation points where appropriate **
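              A defender's check covering the two points raised in this thread (the per-user join quota in #7, and finding which DC logged the join in #2), added here as an example; it is not code from any poster. It assumes the RSAT ActiveDirectory module (not available on Windows 2003 itself) and, for the Security-log query, that it is run on a DC with account-management auditing enabled; the attribute and event names are real, the rest is illustrative.

```powershell
# Added example, not from the thread. Assumes a domain-joined host with the RSAT
# ActiveDirectory module; step 3 assumes it runs on a DC with account-management
# auditing enabled.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The per-user join limit the posters refer to: ms-DS-MachineAccountQuota on the
#    domain naming-context head (default 10). Setting it to 0 stops ordinary users
#    from joining machines at all; explicit OU rights are then the only path.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# 2. Which machines were joined under that quota, when, and by whom.
#    AD stamps mS-DS-CreatorSID only when the creator lacked explicit
#    create-child rights on the container, i.e. the join consumed the quota.
#    Computer objects created by admins with explicit rights have no creator SID,
#    so any row here is a candidate for the "unexpected notebook" in post #1.
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account has since been deleted
        [pscustomobject]@{ Computer = $_.Name; Joined = $_.whenCreated; JoinedBy = $who }
    } | Sort-Object Joined | Format-Table -AutoSize

# 3. The same join as recorded in the DC's Security log: event 4741
#    ("A computer account was created") on Windows Server 2008 and later,
#    event 645 on Windows Server 2003. Run this on each DC, as post #2 notes,
#    because the event is written only on the DC that serviced the join.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741 } -MaxEvents 20 |
    Select-Object TimeCreated, MachineName, Message |
    Format-List
```

              Compare the creator from step 2 with the Subject in the 4741/645 event from step 3; a join by a normal user account rather than an admin is the quota at work, not a compromised admin password.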



              • #8
                Re: Is it possible to join domain without domain admin?

                Originally posted by sanvour:
                Dear All,

                Any user can join up to 10 computers to the domain. The user does not need administrative privileges to do that. You can change this default number of "10" computers by editing the schema of the Active Directory.

                Best regards,

                Mostafa Itani
                MCSA-MCSE 2000/2003 Security, A+, CCNA
                Except for the editing bit, I believe that Sorinso and I already said that...???


                Tom
                For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                Anything you say will be misquoted and used against you
