should I allow untrusted computers to join my AD domain?


FarO

Is there any danger in allowing untrusted computers to join my AD domain?

I can see that allowing untrusted _users_ to join my domain is a bad
idea, because they automatically get access to all kinds of objects. But
what about _computers_ ?

When a computer joins the domain, it will be put in the OU Computers and
in the security group Domain Computers. As far as I can see, the only
"benefit" it gets from joining my domain is that it will have to conform
to some group policies.

Or are there some vulnerabilities I am missing?

In Windows 2000 and AD, computers are users. You give me a computer account in your AD and I can read your AD just like
a normal user can. Even better, I can create stuff in your directory even if you don't allow normal users to unless you have
taken the steps to lock things down.
 
The biggest issue I see is if you are using ipsec policies with kerberos
authentication to protect data in a domain, a computer would need to be a member of
the domain/forest before a user could try to gain access to that data because machine
authentication would fail. Same could be said about security options to some degree
such as smb signing, though those could be set on Local Security Policy to be
compatible. --- Steve
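The two replies above make the same point from different angles: a computer account is a security principal, and a domain that lets it in has handed it directory read access and, by default, the ability to create objects. Before deciding whether to keep that default, a defender usually wants to know how many machine accounts ordinary users have already created. The following PowerShell script is an added example for this thread, not code posted by FarO or Steve; it assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain. It reports the domain's ms-DS-MachineAccountQuota (the per-user limit on computer joins) and lists every computer object in the default Computers container together with the account that created it, which the directory records in mS-DS-CreatorSID only when a non-admin used the quota.

```powershell
# Added example (not from the thread): audit computer accounts that ordinary
# users were able to create under the domain's machine-account quota.
# Assumes: RSAT ActiveDirectory module present, read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# The join quota lives on the domain naming-context head object.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# mS-DS-CreatorSID is populated only when a user without explicit create
# rights joins a machine via the quota; admin-created objects leave it empty.
$computers = Get-ADComputer -SearchBase $domain.ComputersContainer -Filter * `
    -Properties 'mS-DS-CreatorSID', whenCreated, operatingSystem, lastLogonTimestamp

$report = foreach ($c in $computers) {
    $creator = $null
    if ($c.'mS-DS-CreatorSID') {
        # The attribute is a binary SID; resolve it to DOMAIN\user where possible.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($c.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account since deleted; keep the raw SID
    }
    [pscustomobject]@{
        Name          = $c.Name
        Created       = $c.whenCreated
        OS            = $c.operatingSystem
        LastLogon     = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
        CreatedByUser = $creator   # non-empty => joined by an ordinary user via the quota
    }
}

# Full inventory, newest first.
$report | Sort-Object Created -Descending | Format-Table -AutoSize

# Machines that non-admins added: the ones to review before deciding on the quota.
$report | Where-Object CreatedByUser |
    Sort-Object Created |
    Format-Table Name, CreatedByUser, Created, LastLogon -AutoSize
```

If the second table is non-empty, those are exactly the "untrusted computers" the question asks about: each one holds a Kerberos identity that can read the directory as Steve describes. The usual lock-down is to set ms-DS-MachineAccountQuota to 0 and grant the right to create computer objects only to the accounts or provisioning process that should have it, so a machine joins the domain only when someone accountable puts it there.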
 