• Status: Solved

"Add Workstations to domain" Domain security policy??

I recently found out that all the users on my domain can add workstations to the domain. I am running a Windows 2000/2003 domain. All DCs are Windows 2000 Server boxes. After checking the domain security policy, I found that "Add workstations to domain" was not defined. I did define the policy, adding only Domain Admins and Enterprise Admins, but it appears that I can still add and remove machines from my domain using just a regular user. I did reload after defining the policy. Am I missing something, or what is the best way to limit only admins to be able to add machines to the domain? Thanks in advance for your help. jt
Asked by: kbws1

Gareth Gudger commented:
Only Admins should be allowed. If that was not defined did you check to see what memberships these users had? Make sure they weren't members of any domain administrators or administrators group. Or that perhaps Domain Users or Users isn't a part of any domain admin or admin group.

Pete Long (Technical Consultant) commented:
It's either coming from group policy or your users have too many rights elsewhere?

Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right.

Look in this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

oBdA commented:
That's by design. In a W2k domain, an authenticated user can join up to a maximum of ten machines to a domain.
"Method 3" in the first article describes how to change that number.
If you need to install the W2k Support Tools, do *not* install them from the CD; some of the files get updated by Service Packs as well, so download the current version from the link below.

Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/default.aspx?kbid=251335

"You Have Exceeded the Maximum Number of Computer Accounts" Error Message When You Try to Join a Windows XP Computer to a Windows 2000 Domain
http://support.microsoft.com/default.aspx?kbid=314462

Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp
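
An added example, not part of the original thread: the ten-machine limit mentioned above is stored in the domain object's ms-DS-MachineAccountQuota attribute, and computer accounts created through the user right record the creating user's SID in mS-DS-CreatorSID. The Python sketch below audits an LDIF export (for example from ldifde) for both; the example.com domain, the SID and the sample records are constructed for illustration.

```python
import base64
import struct
from collections import Counter

def sid_to_str(raw):
    """Decode a binary SID: revision, count, big-endian authority, LE sub-authorities."""
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "S-%d-%d-%s" % (raw[0], int.from_bytes(raw[2:8], "big"), "-".join(map(str, subs)))

def parse_ldif(text):
    """Yield one dict per record; handles folded lines and base64 ('::') values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # '::' marks a base64-encoded (binary) value
                rec[name.lower()] = base64.b64decode(value[1:].strip())
            else:
                rec[name.lower()] = value.strip()
        if rec:
            yield rec

def audit(text):
    """Return (quota, {creator SID: count of computer accounts it created})."""
    quota, creators = None, Counter()
    for rec in parse_ldif(text):
        if "ms-ds-machineaccountquota" in rec:
            quota = int(rec["ms-ds-machineaccountquota"])
        if isinstance(rec.get("ms-ds-creatorsid"), bytes):
            creators[sid_to_str(rec["ms-ds-creatorsid"])] += 1
    return quota, dict(creators)

# Constructed sample: made-up SID S-1-5-21-1-2-3-1105, one value folded across two lines.
RAW = bytes.fromhex("01050000000000051500000001000000020000000300000051040000")
B64 = base64.b64encode(RAW).decode()
SAMPLE = "\n".join([
    "dn: DC=example,DC=com", "ms-DS-MachineAccountQuota: 10", "",
    "dn: CN=PC1,CN=Computers,DC=example,DC=com",
    "mS-DS-CreatorSID:: " + B64[:20], " " + B64[20:], "",
    "dn: CN=PC2,CN=Computers,DC=example,DC=com",
    "mS-DS-CreatorSID:: " + B64, "",
    "dn: CN=PC3,CN=Computers,DC=example,DC=com", "objectClass: computer",
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any creator SID in the result that does not belong to an administrative account is a regular user who has joined machines under the quota.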