Add a computer to the domain

[Jaz]

I just learned that one of our uses was allowed to add a computer to the
domain even though they are not an administrator. How can prevent this from
happening? I'm not sure what changed but I don't think they were able to do
this before.

Any ideas?

Thanks,
Jasper

 

[Paul Bergson [MVP-DS]]

By default all users have the ability to add up to 10 computers to the
domain.

I can't find the exact KB article but the one below covers this info
indirectly.
http://support.microsoft.com/kb/251335/en-us

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jaz]

Do you know of any specific way of denying users from adding computers to
the domain?

I tried to deny access to "create computer objects" and "delete computer
objects" but that did not work.

Any ideas?
Thanks,
Jasper

 

[Per-Torben Sørensen]

Perhaps this one?

computer config - windows settings - Local policies - User rights
assignement - Add workstations to the domain

Regards
Per-Torben Sørensen

 

[Paul Bergson [MVP-DS]]

You can modify the settings via adsiedit, but Per-Torben's method should
work at the domain level. Just be careful how you apply the gpo so as not
to impact users who should be able to add machines.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jaz]

I'm sorry,

Where exactly is this? Am I creating a new Organizational Group and setting
this policy or does this already exist elsewhere?

Thanks,
Jasper

 

[Joe Richards [MVP]]

Set the atttribute ms-DS-MachineAccountQuota on the head of the domain
NC to 0.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Richard Mueller [MVP]]

Its a Group Policy setting. Check into Group Policy and GPO's. They can be
applied to the domain or OU's. In ADUC right click the domain or OU, select
Properties, select the Group Policy tab, select the policy, and click Edit.
Per-Torben gave the path to navigate to find the setting, except I find it
is:

Computer Configuration, Windows Settings, Security Settings, Local Policies,
User Rights Assignment, Add workstations to doamin

It would apply to all computers in the domain or OU. Joe Richards'
suggestion would apply to the domain. You could use ADSI Edit to modify. The
default value is 10.

 

[Paul Bergson [MVP-DS]]

That will reset for all?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Paul Bergson [MVP-DS]]

Never mind I found a detail explanation on Paul's website.

http://www.msresource.net/content/view/59/46/

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jorge de Almeida Pinto [MVP - DS]]

also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx