
Domain users are able to join computers to a domain???


  • Domain users are able to join computers to a domain???

    I was under the impression that domain users CANNOT by default join computers to a domain. I realize you can assign them the create or delete objects rights in AD (like on a computer container), but this isn't the case and yet they can still join a domain.

    Any ideas?

    I'm searching the issue all over and it seems that some suggest 2003 allows a "certain number" of AD records to be added per authenticated user, let's say 10, so any regular domain user could add 10 computers before he's stopped? If that's true, where do I find that setting?


    Thanks in advance for any help you can give me.

  • #2
    Re: Domain users are able to join computers to a domain???

    Both Windows Server 2003 and Windows 2000, by default, allow basic users to add computers to the Domain TEN TIMES. The new computer accounts go into the "Computers" container within AD.

    There are a couple of ways to lock this down. **goes hunting**


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Domain users are able to join computers to a domain???

      OK, it's in the "Default Domain Controllers" GPO - the "Add workstations to Domain" right is granted to "Authenticated Users".

      Remove "Authenticated Users" and add (I would suggest) "Account Operators", "Domain Admins" and "Server Operators".

      Any others are entirely up to you.


      Tom
      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you



      • #4
        Re: Domain users are able to join computers to a domain???

        See GuyT's post http://forums.petri.com/showthread.php?t=9318&goto#5

        You can use ADSIedit to change the setting
        [Attached image: joindomain.jpg]
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          Re: Domain users are able to join computers to a domain???

          Originally posted by Stonelaughter:
          OK, it's in the "Default Domain Controllers" GPO - the "Add workstations to Domain" right is granted to "Authenticated Users".

          Remove "Authenticated Users" and add (I would suggest) "Account Operators", "Domain Admins" and "Server Operators".

          Any others are entirely up to you.

          We should distinguish between the Add workstations to Domain right and the Create Computer Objects permission.

          For the Add workstations to domain setting to take effect, it must be assigned to the user in a GPO that is applied to all of the domain controllers for the domain. A user who is assigned this right can add up to 10 workstations to the domain. Users who are assigned the Create Computer Objects permission for an OU or the Computers container in Active Directory can also join a computer to a domain and add an unlimited number of computers to the domain, regardless of whether they have been assigned the Add workstations to domain user right or not.
          From http://www.microsoft.com/technet/sec...h02.mspx#E3OAC
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com
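
Added example, not part of any post in this thread: a read-only PowerShell audit of the two things discussed above, the per-user limit of ten and which accounts have already used it. It assumes the RSAT ActiveDirectory module is available (newer than the Windows 2000/2003 tooling in the thread), and it uses the attribute names `ms-DS-MachineAccountQuota` and `mS-DS-CreatorSID`, which the thread itself does not name.

```powershell
# Added example: audit quota-based domain joins. Read-only apart from the
# commented-out last line. Assumes the ActiveDirectory module and read access.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The per-user limit (the "ten" discussed above) is stored on the domain
#    head object, which is where ADSIedit would show it.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
          -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Computer accounts created under the quota carry the creator's SID in
#    mS-DS-CreatorSID, so grouping on it shows who has joined what.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
          -Properties 'mS-DS-CreatorSID', whenCreated

$joined | Group-Object { $_.'mS-DS-CreatorSID'.Value } | ForEach-Object {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $_.Name
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = "$($_.Name) (unresolved)" }   # creator account deleted
    [pscustomobject]@{
        Creator   = $who
        Count     = $_.Count
        Computers = ($_.Group.Name -join ', ')
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# 3. Setting the quota to 0 stops quota-based joins. Left commented out
#    because it changes the domain; it does not affect principals that hold
#    the Create Computer Objects permission on an OU or container.
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```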



          • #6
            Re: Domain users are able to join computers to a domain???

            Wow, thanks for the quick replies and thanks for the clear explanation.

            Off I go to turn this thing off for regular domain users.

            I can't believe Microsoft defaults this to 10... seems a little ridiculous.



            • #7
              Re: Domain users are able to join computers to a domain???

              Another satisfied customer.
              Glad to help.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com
