Prevent users from joining Computers to domain?

Barkley Bees · Jun 12, 2008

I am planning to rework how our users join PC's to our domain for
security/management purposes. I know that by default users can join up to 10
workstations to the domain without any special permissions required. I am
guessing that as a first step I would need to use ADSI Edit on the PDC and
change the "ms-DS-MachineAccountQuota" value to "0". This would then allow
only the Account Operators group (and higher) to join PC's to the domain.

Ultimately, we would like the process to be as follows:

1 - User requests to helpdesk to join a PC to the domain (user cannot join
the PC to the domain on their own).

2 - Helpdesk creates the Computer object with specified name in AD and
assigns domain join permissions to the specific user.
("the following user or group can join this computer to a domain").

3 - User then joins the Computer with the same name to the domain.

I would appreciate any feedback and/or sound advice on this. Thanks very
much.

Jorge de Almeida Pinto [MVP - DS] · Jun 12, 2008

have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

Meinolf Weber · Jun 12, 2008

Hello barkley,

See here:
http://support.microsoft.com/kb/932455

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Barkley Bees · Jun 12, 2008

Thanks for your reply Jorge. Very informative blog post. That said, would
there be anything particularly wrong with the process I outlined below? I
ask because management wants the process to be as I outlined below:

Use ADSI Edit on the PDC and change the "ms-DS-MachineAccountQuota" value to
"0" so only Account Operators and higher can join computers to the domain.

1 - User requests to helpdesk to join a PC to the domain (user cannot join
the PC to the domain on their own).

2 - Helpdesk creates the Computer object with specified name in AD and
assigns domain join permissions to the specific user. ("the following user
or group can join this computer to a domain").

3 - User then joins the Computer with the same name to the domain.

"Jorge de Almeida Pinto [MVP - DS]"

Jorge de Almeida Pinto [MVP - DS] · Jun 12, 2008

no, not really. The only thing that I do not like is confguring individual
permissions on computer objects. It sounds like you want to give a bit of
the work to the user. That's OK with me. However I would do it a bit
different. Same idea, but a bit different

What you could do is on the OU configure the permissions to join a computer
to the domain. see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

when a user requests to join his computer, he/she needs to give you a
computer name so that you can pre-create the computer object. As soon as the
object has been pre-created, put the users account in the JOIN-GROUP. Tell
him/her to do this within X days. After that remove him/her frmo that
JOIN-group again.

adjusting ms-DS-MachineAccountQuota to 0 or removing auth users from that
user right as I mention in the same post is basically the same

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

Barkley Bees said:
Thanks for your reply Jorge. Very informative blog post. That said, would
there be anything particularly wrong with the process I outlined below? I
ask because management wants the process to be as I outlined below:

Use ADSI Edit on the PDC and change the "ms-DS-MachineAccountQuota" value
to "0" so only Account Operators and higher can join computers to the
domain.

1 - User requests to helpdesk to join a PC to the domain (user cannot
join the PC to the domain on their own).

2 - Helpdesk creates the Computer object with specified name in AD and
assigns domain join permissions to the specific user. ("the following user
or group can join this computer to a domain").

3 - User then joins the Computer with the same name to the domain.

"Jorge de Almeida Pinto [MVP - DS]"

have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

Click to expand...