Solved

"Add Workstations to domain" Domain security policy??

Posted on 2004-04-27
1,083 Views
Last Modified: 2013-12-04
I recently found out that all the users on my domain can add workstations to the domain. I am running a Windows 2000/2003 domain. All DCs are Windows 2000 Server boxes. After checking the domain security policy, I found that "Add workstations to domain" was not defined. I did define the policy, adding only Domain Admins and Enterprise Admins, but it appears that I can add and remove machines from my domain using just a regular user. I did reload after defining the policy. Am I missing something, or what is the best way to allow only admins to add machines to the domain? Thanks in advance for your help. jt
Question by:kbws1
4 Comments
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10931519
Only Admins should be allowed. If that was not defined, did you check to see what memberships these users had? Make sure they weren't members of any domain administrators or administrators group, or that perhaps Domain Users or Users isn't a part of any domain admin or admin group.
LVL 57

Expert Comment

by:Pete Long
ID: 10931531
It's either coming from group policy, or your users have too many rights elsewhere?

Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right.

Look in this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

LVL 84

Accepted Solution

by:oBdA (earned 125 total points)
ID: 10932874
That's by design. In a W2k domain, an authenticated user can join up to a maximum of ten machines to a domain.
"Method 3" in the first article describes how to change that number.
If you need to install the W2k Support Tools, do *not* install them from the CD; some of the files get updated by Service Packs as well, so download the current version from the link below.

Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/default.aspx?kbid=251335

"You Have Exceeded the Maximum Number of Computer Accounts" Error Message When You Try to Join a Windows XP Computer to a Windows 2000 Domain
http://support.microsoft.com/default.aspx?kbid=314462

Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp
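The accepted answer points at the per-user quota of ten joins that applies to every authenticated user regardless of the "Add workstations to domain" right. The script below is an added example, not part of the original thread or the KB articles: it reads that quota (the ms-DS-MachineAccountQuota attribute on the domain head), lists computer accounts that were created through the quota rather than through container permissions (those carry the creator's SID in mS-DS-CreatorSID, which is why Pete's quoted text says admins end up as owner only in the other case), and optionally sets the quota to 0 so only principals with explicit permissions can join machines. It assumes the RSAT ActiveDirectory PowerShell module and an account allowed to read the domain head (and write it, for the set).

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module and
# rights to read the domain naming-context head (write rights for Set-MachineAccountQuota).
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota lives on the domain head object; the default value is 10,
    # which is the "ten machines" limit the accepted answer refers to.
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    # 0 means no quota joins at all: only users with "Create Computer Objects" permission
    # on a container (or pre-staged accounts) can add machines.
    param([int]$Quota = 0)
    $dn = (Get-ADDomain).DistinguishedName
    Set-ADObject -Identity $dn -Replace @{'ms-DS-MachineAccountQuota' = $Quota}
}

function Get-QuotaCreatedComputers {
    # Computers joined via the quota are stamped with the creating user's SID in
    # mS-DS-CreatorSID; accounts created by admins with container permissions leave it empty.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $raw = $_.'mS-DS-CreatorSID'
            # The module may hand the value back as raw bytes or as a SecurityIdentifier.
            $sid = if ($raw -is [byte[]]) {
                New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
            } else { [System.Security.Principal.SecurityIdentifier]$raw }
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator deleted or from another domain: keep the SID
            [pscustomobject]@{
                Computer    = $_.Name
                Creator     = $creator
                WhenCreated = $_.whenCreated
            }
        }
}

# Report first, then tighten once the list of quota-created machines has been reviewed.
"Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
Get-QuotaCreatedComputers | Sort-Object Creator, WhenCreated | Format-Table -AutoSize
# Set-MachineAccountQuota -Quota 0
```

Lowering the quota does not remove accounts that were already created, so the report is the part to act on for machines that should not have been joined.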
