Local Security Policy on a DC

Ben

I have an AD forest 1 domain (X) with 2 DCs (A and B).
DC A has no local security policy defined. (all default)
DC B does have some local security policy items defined,
namely the "add wkstations to domain" which now is set to
allow authenticated users. (the rest is default)
DC A has no domain controller security policy defined.
(default)
DC B also has no domain controller security policy
defined. (default)
Domain X has no domain security policy defined. (default)

Fact: Some domain authenticated users can add workstations
to the domain while others cannot.

Question: IF DC B had the local policy defined with
the "add wkstns to domain" defined BEFORE it was a DC
(standalone server) when it was added would the local
security policy be included in the domain security
policy? How else might that policy be handled?
Also, since some authenticated users can add workstations
while others can't, does that suggest that users being
authenticated by DC A do not get that privilege while
those users being authenticated by DC B do?

All other levels being equal like the GPO and even AD
structure (LDAP/ ADSI).
 
Steven L Umbach

That user right assignment should be configured at the Domain Controller Security
Policy level so that it is applied consistently to all domain controllers. I think you
will see consistent results after doing that, assuming the rest of the domain configuration is
correct, particularly DNS configuration. --- Steve
 
Ben

Steve while I agree with your advice, and would do the
same myself, I have recently inherited this configuration
problem. So the fact is it exists and I am curious to
find answers to the questions posed below.

 
Steven L Umbach

OK. When a W2K server is promoted to a DC, the dcsecurity.inf template is applied to
it during the process. That template, however, does not have any user rights
assignments defined, so existing user right assignments on the newly promoted domain
controller should be unchanged. The Domain Controller Security Policy does by default
have all user right assignments defined, including having Authenticated Users and
Administrators in the user right assignment for "Add workstations to the domain". The
Domain Controller Security Policy will override any user rights assignments in the
Local Security Policy of a domain controller, as shown in the "effective" settings; hence
all authenticated users should have the user right assignment to add workstations to
the domain. That user right by default allows a user the right to add ten
workstations to the domain, so possibly some users have already met their limit. ---
Steve
 
Ben

Steve, Thanks again.

I had thought of that, knowing that we haven't changed the
ms-DS-MachineAccountQuota from its default value of 10.
When I asked the users, though, one of them mentioned he has
added, to his recollection, more than 10 machines to the
domain, while the other in comparison has not been able to
add any.
You mentioned "The Domain Controller Security Policy does
by default have all user right assignments defined
including having authenticated users and administrators in
the user right assignment for "add workstations to the
domain"." However, the Domain Controller Security Policy
for that entry in this instance is "not defined", while the
Local Security Policy has "Administrators and
Authenticated Users" defined.

Seems odd to me; any thoughts considering this information?
 
Steven L Umbach

In a default installation of a W2K Active Directory domain, that user right
is defined in Domain Controller Security Policy as I mentioned, so apparently
somebody changed it for some reason. Since you have an unusual configuration,
perhaps a user is allowed to add a computer when they access that particular
domain controller during the process; that is just a guess. If a user is
able to add more than ten computers, then they probably were delegated the
authority to create computer objects in the domain, as described in the KB link
below. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;251335
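An added example, not from anyone in this thread, that checks the three things Steve's answers point at on a DC: the effective "Add workstations to domain" right as the local policy engine reports it after the DC policy is merged, the domain's ms-DS-MachineAccountQuota, and how many computer objects each user has already joined under that quota. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates the W2K era of this thread, and that it is run on or against a domain controller.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Effective user right on this DC: secedit exports the merged result of
#    Local Security Policy and Domain Controller Security Policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' |
        Select-Object -First 1
# Default is "*S-1-5-11" (Authenticated Users); S-1-5-32-544 is BUILTIN\Administrators.
$assigned = if ($line) { $line.Line -replace '^.*=\s*', '' } else { '(not present)' }
Write-Host "SeMachineAccountPrivilege = $assigned"
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. Domain-wide quota; the thread discusses the default of 10.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

# 3. Computers joined under the quota carry the joining user's SID in
#    mS-DS-CreatorSID. Objects created through delegated "Create Computer
#    objects" permission (Steve's KB 251335 case) do not get this attribute,
#    so a user with many joins but no CreatorSID entries was likely delegated.
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    Group-Object { $_.'mS-DS-CreatorSID'.Value } |
    ForEach-Object {
        $sid = $_.Name
        try {
            $who = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                   Translate([System.Security.Principal.NTAccount]).Value
        } catch { $who = $sid }   # deleted or foreign account: show the raw SID
        [pscustomobject]@{
            Creator = $who
            Joined  = $_.Count
            AtQuota = ($_.Count -ge $quota)
        }
    } | Sort-Object Joined -Descending | Format-Table -AutoSize
```

A user listed with AtQuota = True matches Steve's "already met their limit" explanation; a user reported as joining many machines who is absent from this table was not using the quota at all and should show up in the delegated permissions on the container instead.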
 
