Solved

"Add Workstations to domain" Domain security policy??

Posted on 2004-04-27
Last Modified: 2013-12-04
I recently found out that all the users on my domain can add workstations to the domain. I am running a Windows 2000/2003 domain. All DCs are Windows 2000 server boxes. After checking the domain security policy, I found that "Add workstations to domain" was not defined. I did define the policy by adding only domain admins and enterprise admins, but it appears that I can add and remove machines from my domain using just a regular user. I did reload after defining the policy. Am I missing something, or what is the best way to limit only admins to be able to add machines to the domain? Thanks in advance for your help. jt
Question by:kbws1
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10931519
Only Admins should be allowed. If that was not defined did you check to see what memberships these users had? Make sure they weren't members of any domain administrators or administrators group. Or that perhaps Domain Users or Users isn't a part of any domain admin or admin group.
LVL 57

Expert Comment

by:Pete Long
ID: 10931531
It's either coming from group policy or your users have too many rights elsewhere?

Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right.

Look in this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

LVL 84

Accepted Solution

by:
oBdA earned 125 total points
ID: 10932874
That's by design. In a W2k domain, an authenticated user can join up to a maximum of ten machines to a domain.
"Method 3" in the first article describes how to change that number.
If you need to install the W2k Support Tools, do *not* install them from the CD; some of the files get updated by Service Packs as well, so download the current version from the link below.

Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/default.aspx?kbid=251335

"You Have Exceeded the Maximum Number of Computer Accounts" Error Message When You Try to Join a Windows XP Computer to a Windows 2000 Domain
http://support.microsoft.com/default.aspx?kbid=314462

Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp
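
A read-only audit of the behaviour described in the accepted answer, as an added example that is not part of the thread or of the linked Microsoft articles. It assumes the per-user limit is stored in the `ms-DS-MachineAccountQuota` attribute on the domain object and that accounts joined under it carry `ms-DS-CreatorSID` (attribute names are not given in the thread), and that it is run with PowerShell 3.0 or later from a domain-joined machine.

```powershell
# Added example: audit the default "authenticated users can join machines" quota.
# Read-only LDAP queries via ADSI; no ActiveDirectory module is required.

# 1. Read the per-user join quota from the domain object
#    (10 by default; 0 means ordinary users cannot join machines this way).
$rootDse = [ADSI]'LDAP://RootDSE'
$domDn   = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
$domain  = [ADSI]"LDAP://$domDn"
$quota   = $domain.psbase.Properties['ms-DS-MachineAccountQuota'].Value
"ms-DS-MachineAccountQuota on ${domDn}: $quota"

# 2. Find computer accounts that record a creator SID, i.e. accounts that
#    were created by a user under the quota rather than by an administrator.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(objectCategory=computer)(ms-DS-CreatorSID=*))'
$searcher.PageSize = 500   # page results so large domains are fully returned
$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'ms-DS-CreatorSID', 'whenCreated'))

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    # Result property names are stored in lower case.
    $bytes = [byte[]]$r.Properties['ms-ds-creatorsid'][0]
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # creator was deleted or cannot be resolved
    [pscustomobject]@{
        Computer = [string]$r.Properties['name'][0]
        Creator  = $who
        Created  = $r.Properties['whencreated'][0]
    }
}
$results.Dispose()

# 3. Summarise: how many machines each non-admin creator has joined,
#    then the full list in creation order for review.
$report | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$report | Sort-Object Created | Format-Table -AutoSize
```

A creator whose count is at the quota value will be the one who next sees the "You have exceeded the maximum number of computer accounts" error from the second linked article.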