Restrict who can add/remove computer to domain

  • Restrict who can add/remove computer to domain

    Windows 2000 mixed domain (Win 2k3 servers). What's the simplest way to restrict normal users from adding/removing (I'm adding some policies people don't like) computers from the domain?

  • #2
    Re: Restrict who can add/remove computer to domain

    Hi Cypherbit.

    Check out this post as it should answer your question.
    http://forums.petri.com/showpost.php...78&postcount=2

    Basically, by default all users can join up to 10 computers to the domain. You'll need to change the ms-DS-MachineAccountQuota attribute to 0 in the domain head object. I've used ADSIEdit to do this.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com


    • #3
      Re: Restrict who can add/remove computer to domain

      Thank you JeremyW.

      What about as far as removing them from the domain? I have quite a few developers that are admins and they're considering just removing their machines from the domain since our password policy and such will be beefed up.

      Is there a way for me to restrict this, apart from a written document, which I'll have a hard time monitoring/controlling?


      • #4
        Re: Restrict who can add/remove computer to domain

        Don't give them local admin permissions (probably impossible since they are developers).
        Alternatively, a written policy endorsed by management that will do something VERY nasty to them if they do. As for monitoring it, you can search (using DSQuery) for computers which have not logged on in e.g. 1 week.
        http://www.windowsnetworking.com/kba...ountsinAD.html
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **
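
The quota check from post #2 and the stale-machine search from post #4, combined in one added PowerShell example (not posted by anyone in the thread). It assumes the ActiveDirectory module and a domain controller that exposes Active Directory Web Services; the function name, the `StaleDays` parameter and its 45-day default are hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module and rights to read,
# and optionally write, the domain head object.
Import-Module ActiveDirectory

function Get-MachineJoinAudit {
    param(
        # Hypothetical default. Machine account passwords rotate every 30 days by
        # default and lastLogonTimestamp is only refreshed every 9 to 14 days,
        # so a shorter window produces false positives.
        [int]$StaleDays = 45,
        [switch]$SetQuotaToZero   # also write ms-DS-MachineAccountQuota = 0
    )

    $domain = Get-ADDomain

    # The quota is stored on the domain head object, the one edited with ADSIEdit.
    $head  = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    $quota = $head.'ms-DS-MachineAccountQuota'

    if ($SetQuotaToZero -and $quota -ne 0) {
        Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
        $quota = 0
    }

    # Computers joined through the user quota carry the joining account's SID
    # in ms-DS-CreatorSID; accounts pre-created by administrators do not.
    $joinedByUsers = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
        Select-Object Name, whenCreated, @{ n = 'CreatorSID'; e = { "$($_.'ms-DS-CreatorSID')" } }

    # Enabled machines that have neither logged on nor changed their password
    # since the cutoff: candidates for "removed from the domain".
    # A missing LastLogonDate compares as older than the cutoff.
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $stale = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet |
        Where-Object { $_.LastLogonDate -lt $cutoff -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, LastLogonDate, PasswordLastSet

    [pscustomobject]@{
        MachineAccountQuota = $quota
        JoinedByUsers       = @($joinedByUsers)
        StaleComputers      = @($stale)
    }
}

# Read-only run; add -SetQuotaToZero to apply the change from post #2.
Get-MachineJoinAudit | Format-List
```

A machine that has left the domain still has an enabled computer account, so it only shows up here once both timestamps age past the cutoff.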


        • #5
          Re: Restrict who can add/remove computer to domain

          Thank you, I thought as much. Local admins really have too many rights http://blogs.technet.com/markrussino...-settings.aspx
