Default Rights


John Hiebert

I have AD running on 2003, not 2000, but this is the closest newsgroup I
found.

Can anyone confirm that by default, any domain user can add/remove a
computer from AD if they have admin rights to the local workstation?

If this is true, what do I need to remove to prohibit domain users from
adding and removing workstations from the domain?

Thanks
 
indeed.

Override the Default Limit of the Number of Computers an Authenticated User
Can Join to a Domain

You can override the default limit, using either of the following methods:

a. Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000
   Resource Kit.
b. Use an Active Directory Services Interface (ADSI) script to increase
   or decrease the value of the Active Directory ms-DS-MachineAccountQuota
   attribute. To do this:
   1. Install the Windows 2000 Support tools if they have not already been
      installed. To install these tools, run Setup.exe from the Support\Tools
      folder on the Windows 2000 Server or the Windows 2000 Professional CD-ROM.
   2. Run Adsiedit.msc as an administrator of the domain.
   3. Expand the Domain NC node. This node contains an object that begins
      with "DC=" and reflects the correct domain name. Right-click this object,
      and then click Properties.
   4. In the Select which properties to view box, click Both.
   5. In the Select a property to view box, click
      ms-DS-MachineAccountQuota.
   6. In the Edit Attribute box, type a number. This number represents the
      number of workstations that you want users to be able to maintain
      concurrently.
   7. Click Set, and then click OK.
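
An added example, not part of the original thread or the quoted Microsoft article: the same ms-DS-MachineAccountQuota change done from PowerShell, preceded by an audit of which accounts have already joined machines under the quota. It assumes the ActiveDirectory module (RSAT) and a domain administrator session; the target value 0 is an assumption chosen to match the original question.

```powershell
# Added example. Assumes: ActiveDirectory module available, run as a domain admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # the "DC=..." object ADSI Edit shows
$attr     = 'ms-DS-MachineAccountQuota'

# 1. Read the current quota from the domain naming-context head.
$current = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
Write-Host "Current ${attr}: $current"

# 2. Audit: computer objects created by a user under the quota carry
#    ms-DS-CreatorSID. Group them by creator to see who relies on the default.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
                         -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        # Normalise to a SecurityIdentifier if the raw bytes are returned.
        if ($sid -is [byte[]]) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
        }
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator deleted: keep the bare SID
        [pscustomobject]@{
            Computer = $_.Name
            Creator  = $who
            Created  = $_.whenCreated
        }
    }

$joined | Group-Object Creator | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Set the quota. 0 stops ordinary authenticated users from creating
#    new computer accounts. Remove -WhatIf to apply the change.
$newQuota = 0   # assumed target value
Set-ADDomain -Identity $domainDN -Replace @{ $attr = $newQuota } -WhatIf

# 4. Verify after applying.
$after = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
Write-Host "${attr} is now: $after"
```

With the quota at 0, domain joins need a pre-staged computer account or delegated Create Computer Objects permission on the target OU; members of Domain Admins are not limited by the quota.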
 