

Restrict permissions to only allow joining PCs to Domain

Posted on 2004-10-27
Medium Priority
Last Modified: 2008-03-03
Because of all the new security regulations being pushed on us I need to buckle down on the permissions in our domain.  We currently have a userID set up in AD that is used to join the domain automatically in SysPrep on a new image. The password is set to never change (a security risk), but I can live with that if the userID is locked down and can ONLY join computers to the domain.  I don't want it to be able to log in or do anything else.  Is this possible?
Question by: dannyd74

Expert Comment

ID: 12425519
A roaming profile would be one solution.  That way, the user that is logging on has his/her profile located on the server and it is loaded every time they log on, no matter which computer.

Author Comment

ID: 12426806
The userID is not associated with a real person.  The userID is simply there in the sysprep answer file to automatically join the domain on a new image.  That's its only role.

Expert Comment

ID: 12427893
I don't see why you couldn't do that, but I think it might not be a good idea. Accounts that don't have real people attached to them have a way of taking on a life of their own. Even though your intent is for the user account to never be able to do anything other than join machines to the domain, somewhere down the road, somebody will end up putting it in a group that has more rights than you wanted and so forth.

I've lived out this scenario. A number of us once had to work late to patch machines, so we created a user ID and a login script that ran the commands needed to patch the machine so we would only have to log on to the machine and move on to the next. We had every intention of using this for two nights. Months later, we were arguing with management because the help desk felt like they needed an account with domain administrator privileges and they wanted to use this generic account that we had not been allowed to delete because it was handy. Cripes. The help desk with domain admin rights, with a generic user ID to boot!

It is always best to stick to your guns and make people use their own user IDs and passwords. If help desk technicians are going to be installing the images, let them have the privileges they need. It may not be as convenient, but it will absolutely be worth it to you and the security of your network in the long haul.

Accepted Solution

_anom_ earned 400 total points
ID: 12441213
Sure, this is possible -- simply change the account in AD so that it cannot log on to any workstations (on the Account tab, the "Log On To..." button, IIRC).  Then, in your domain security policy, in the User Rights Assignment section, add the username (or perhaps make a "joiner" group) to the "Add workstations to domain" setting.

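The accepted answer as a scripted procedure, added here as an example; it is not code from the thread or from any of its participants. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation and uses hypothetical names (the account svc-domainjoin, the imaging hosts IMG-BUILD01/IMG-BUILD02, and the group Domain-Joiners). Two practitioner notes the answer does not spell out: the "Add workstations to domain" right (SeMachineAccountPrivilege) is evaluated on the domain controllers, so it lives in the Default Domain Controllers Policy, and by default Authenticated Users already hold it together with an ms-DS-MachineAccountQuota of 10, so the dedicated account only becomes the sole join path if that default is also tightened.

```powershell
# Added example, not from the original thread. Hypothetical names throughout.
Import-Module ActiveDirectory

$JoinAccount  = 'svc-domainjoin'            # account named in the sysprep answer file
$AllowedHosts = 'IMG-BUILD01,IMG-BUILD02'   # NetBIOS names, comma separated, max 64 entries
$JoinerGroup  = 'Domain-Joiners'            # the "joiner" group from the accepted answer

# Step 1: the "Log On To..." restriction. This writes the userWorkstations attribute;
# an empty value means "all computers", so the value is re-read below to confirm it stuck.
Set-ADUser -Identity $JoinAccount -LogonWorkstations $AllowedHosts

# Step 2: grant the user right to a group rather than to the account itself, so the
# membership is auditable and the account can be swapped without touching the GPO.
if (-not (Get-ADGroup -Filter "Name -eq '$JoinerGroup'")) {
    New-ADGroup -Name $JoinerGroup -GroupScope DomainLocal `
        -Description 'Accounts permitted to join computers to the domain'
}
Add-ADGroupMember -Identity $JoinerGroup -Members $JoinAccount

# Step 3: User Rights Assignment. There is no cmdlet for this; edit the
# Default Domain Controllers Policy GPO:
#   Computer Configuration > Windows Settings > Security Settings >
#   Local Policies > User Rights Assignment > "Add workstations to domain"
# and add the Domain-Joiners group. The default holder is Authenticated Users
# (*S-1-5-11); remove it there only after step 5 has been considered.

# Step 4: verification of the account side. MemberOf omits the primary group
# (Domain Users), so anything listed beyond the joiner group is drift of the kind the
# second expert warned about.
function Test-JoinAccountLockdown {
    param([string]$SamAccountName, [string]$ExpectedGroup)

    $u = Get-ADUser -Identity $SamAccountName `
            -Properties LogonWorkstations, MemberOf, PasswordNeverExpires
    $groups = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $quota  = (Get-ADObject -Identity (Get-ADDomain).DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    [pscustomobject]@{
        Account              = $u.SamAccountName
        LogonWorkstations    = $u.LogonWorkstations        # must not be empty
        PasswordNeverExpires = $u.PasswordNeverExpires     # the risk the question accepts
        Groups               = $groups -join ','
        ExtraGroups          = @($groups | Where-Object { $_ -ne $ExpectedGroup }) -join ','
        MachineAccountQuota  = $quota                      # 10 by default; 0 closes the generic path
    }
}
Test-JoinAccountLockdown -SamAccountName $JoinAccount -ExpectedGroup $JoinerGroup

# Step 5 (optional, on the domain controllers themselves): confirm who really holds the
# right after the GPO refresh, and close the default join path if that is the intent.
#   gpupdate /target:computer /force
#   secedit /export /cfg "$env:TEMP\dc-rights.inf" /areas USER_RIGHTS
#   Select-String -Path "$env:TEMP\dc-rights.inf" -Pattern 'SeMachineAccountPrivilege'
#   Set-ADDomain -Identity (Get-ADDomain) -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

After applying this, run the sysprep join end to end from a freshly imaged machine rather than trusting the attribute values: the "Log On To..." list is evaluated against the computer name presented at logon, so if the join fails with a message that the account is restricted to certain workstations, the name the new machine uses during the join is not covered by the list and needs to be.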

Author Comment

ID: 12444015
Thanks anom.
