STRANGE: all uses can add computers to domain

[Hello Guys]

Hello All

I have something odd happening on my W2K AD domain:
ALL of our users have the permission to add computers to
our domain. They can also all rename computers. This is
bizarre. There is no GPO settings that is allowing this.

Anyone have any ideas?

Thank you, Jo

 

[Michael Schipp]

by default all user can do this 10 times.

 

[Jeromy Statia [MSFT]]

Michael Schipp is correct by default.

This is because of a Security Object on the Domain Root for Creator Owner
which applies to Computer objects only.

refer to the following document for some understanding of why this is:
http://www.windowsitlibrary.com/Content/667/04/4.html
Securing Active Directory
In particular pay attention to the CREATOR OWNER section

tx

 

[Deji Akomolafe]

You can prevent this "feature" by modify your Default Domain Policy

Computer Configuration
Windows Settings
Local Policies
User Rights Assignment
Add Workstations to the Domain

Add the Users/Group that YOU WANT to give this Rights to, and everyone
else will be SOL.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 

[Jo]

I tried this and they all still can add a computer to the
domain. VERY ODD.

 

[Michael Schipp]

How many GP's do you have? If more then one make sure that no other group
policy is overwrinting it.

Also check if any policy have No override on.

(it does work as I also use it)

Thank you,
Michael

I tried this and they all still can add a computer to the
domain. VERY ODD.