AD objects, attributes, and repercussions


Ben

I'm looking at closing what I believe to be a security
issue by changing a default value in AD that allows
authenticated users to add (up to) 10 workstations to a
domain.
The ms-ds-MachineAccountQuota attribute of the DC by
default is set to 10. I would like to change this value to 0.
Has anyone done this?
Does this change affect any users that by Policy (via
the "add workstations to domain" permission or inherent
rights (such as administrators) already have the ability
to add workstations to a domain?

Thanks!
Ben
 
below-
Ben said:
I'm looking at closing what I believe to be a security
issue by changing a default value in AD that allows
authenticated users to add (up to) 10 workstations to a
domain.
The ms-ds-MachineAccountQuota attribute of the DC by
default is set to 10. I would like to change this value to 0.
do it :-) This is a safe operation...
Has anyone done this?
yes. Tested :-)
Does this change affect any users that by Policy (via
the "add workstations to domain" permission or inherent
rights (such as administrators) already have the ability
to add workstations to a domain?
AFAIK, this doesn't affect users with _delegated_ rights.
This doesn't affect administrators anyhow.

hth,
-a
 
Ben,

Changing this setting will be fine. Anyone belonging to any administrative
groups will not be affected by this change due to the AdminSDHolder
attribute. This attribute will not allow them to be restricted by this
change. The change will affect all other authenticated users. Take a look
at the following Knowledge Base article; it should be helpful. 251335
Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/?id=251335


Please Reply Only to The Newsgroup

Thank You,

LaNae Ford
Support Engineer - MCSE
Directory Service Support
 
Thanks both of you for the replies. I have already read
that article; I was looking for experienced users of this
article to validate no ill effects were seen. Always a
good practice when you have to explain something like this
to managers who are not technically savvy :)

Thanks again.
 
well. So, it's interesting to know how (where) AD remembers
the number of computers that a specific user has added to domain. A specific attribute?
Or AD simply searches for the mS-DS-CreatorSID attributes with the user SID?

AFAIK, the AdminSDHolder isn't an attribute, rather a directory object in the System container.
Did I miss something?

I've just tested again:
if ms-ds-MachineAccountQuota=0, an authenticated user CANNOT add a computer to the domain
BUT!!! (as I wrote earlier, and as I have been told before)
if a user has been delegated the right "Add a computer to the domain",
1) ms-ds-MachineAccountQuota=0 doesn't affect this user, and
2) the mS-DS-CreatorSID attribute of the created computer object isn't changed!
Certainly, this user is able to create computer accounts through the delegated scope of containers.

hth,
-a
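As an added example (not code from anyone in this thread), the following PowerShell reads the quota from the domain object, lists the computer accounts that were created under the quota (AD stamps mS-DS-CreatorSID only on those, which is how the DC counts a user's joins, so accounts created through delegated rights or by administrators do not appear), and shows the change to 0. It assumes the ActiveDirectory RSAT module and, for the final step, rights to modify the domain object.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module;
# the read-only parts work for any authenticated user, the -Replace needs admin rights.
Import-Module ActiveDirectory

# The quota is an attribute of the domain (domainDNS) object, not of users or DCs.
$domain    = Get-ADDomain
$domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $($domainObj.'ms-DS-MachineAccountQuota')"

# Audit: computer objects that carry mS-DS-CreatorSID were joined under the quota
# by a user without explicit create-child rights. These are the objects the DC
# counts per creator SID when enforcing the quota.
$quotaJoins = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        # The attribute comes back as a binary SID; unwrap the value collection if present.
        $raw = $_.'mS-DS-CreatorSID'
        if ($raw.Value) { $raw = $raw.Value }
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        # Translate to DOMAIN\user where possible; deleted creators stay as raw SID strings.
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
    }

# Per-user counts: anyone close to the quota shows up at the top.
$quotaJoins | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Close the gap by setting the quota to 0. Remove -WhatIf to apply the change;
# existing quota-created accounts keep working, only new joins by non-delegated users stop.
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

Delegating "Create Computer objects" on a specific OU to the people who actually image machines, then setting the quota to 0, gives the same outcome the thread describes: delegated users are unaffected and everyone else is blocked.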
 
I did this almost 4 years ago now and haven't had a single problem... The testing has been on a forest of 250,000
userids, 150,000 contacts, about 170,000 machines, and 400 or so domain controllers.
 
AdminSDHolder has nothing to do with this. The change isn't to user objects, it is to the domaindns object.
 