Restrict permissions to only allow joining PCs to Domain

Posted on 2004-10-27
Last Modified: 2008-03-03
Because of all the new security regulations being pushed on us I need to buckle down on the permissions in our domain.  We currently have a userID set up in AD that is used to join the domain automatically in SysPrep on a new image. The password is set to never change (a security risk), but I can live with that if the userID is locked down and can ONLY join computers to the domain.  I don't want it to be able to log in or do anything else.  Is this possible?
Question by:dannyd74
    LVL 11

    Expert Comment

    A roaming profile would be one solution.  That way, the user that is logging on has his/her profile located on the server and it is loaded every time they log on, no matter which computer.

    Author Comment

    The userID is not associated with a real person.  The userID is simply there in the sysprep answer file to automatically join the domain on a new image.  That's its only role.
    LVL 4

    Expert Comment

    I don't see why you couldn't do that, but I think it might not be a good idea. Accounts that don't have real people attached to them have a way of taking on a life of their own. Even though your intent is for the user account to never be able to do anything other than join machines to the domain, somewhere down the road, somebody will end up putting it in a group that has more rights than you wanted and so forth.

    I've lived out this scenario. A number of us once had to work late to patch machines, so we created a user ID and a login script that ran the commands needed to patch the machine so we would only have to log on to the machine and move on to the next. We had every intention of using this for two nights. Months later, we were arguing with management because the help desk felt like they needed an account with domain administrator privileges and they wanted to use this generic account that we had not been allowed to delete because it was handy. Cripes. The help desk with domain admin rights, with a generic user ID to boot!  

    It is always best to stick to your guns and make people use their own user IDs and passwords. If help desk technicians are going to be installing the images, let them have the privileges they need. It may not be as convenient, but it will absolutely be worth it to you and the security of your network in the long haul.
    LVL 3

    Accepted Solution

    Sure this is possible -- simply change the account in AD such that it cannot log on to any workstations (in the Account tab, the "Log On To..." button, if I recall correctly).  Then, in your domain security policy, in the User Rights Assignment section, add the username (or perhaps make a "joiner" group) to the "Add workstations to domain" setting.
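    The two steps in the accepted answer, scripted. This is an added example, not code from the thread or from anyone posting in it; the account name `svc-joiner`, the group name `Domain Joiners`, the placeholder workstation name `NO-LOGON-ALLOWED` and the temp file paths are assumptions for illustration. It goes one step beyond the answer by also denying the account the interactive, RDP, service and batch logon types through user rights, which is a stronger fence than the "Log On To" list alone; network logon is deliberately left allowed, because the domain join itself is a network authentication from the new machine to a domain controller.

```powershell
# Added example: lock down a dedicated domain-join account as the accepted
# answer describes, then verify the result. Run on a domain controller (or a
# host with RSAT) as a domain administrator.
# Hypothetical names: 'svc-joiner', 'Domain Joiners', 'NO-LOGON-ALLOWED'.
Import-Module ActiveDirectory

$joiner = 'svc-joiner'
$group  = 'Domain Joiners'

# Step 1 of the answer: the "Log On To..." restriction (userWorkstations).
# Listing a single workstation name that does not exist leaves no host on
# which the account may log on interactively. The join still works because
# the new machine authenticates to the DC, not to a listed workstation.
Set-ADUser -Identity $joiner -LogonWorkstations 'NO-LOGON-ALLOWED'

# The account exists only for joins: it gets no mailbox, no profile, and its
# password is never typed by a person, so nothing else should be delegated.
Set-ADUser -Identity $joiner -Description 'Sysprep domain-join account only' `
    -SmartcardLogonRequired:$false -PasswordNeverExpires:$true

# Step 2 of the answer: grant the right to a dedicated group rather than to
# the user, so the account can be rotated without touching policy.
New-ADGroup -Name $group -GroupScope Global -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity $group -Members $joiner
$groupSid  = (Get-ADGroup -Identity $group).SID.Value
$joinerSid = (Get-ADUser  -Identity $joiner).SID.Value

# User rights live in a security template, not in AD objects. The fragment
# below is the [Privilege Rights] section that belongs in the Default Domain
# Controllers Policy (for the join right) and the Default Domain Policy (for
# the deny rights). Note the default for SeMachineAccountPrivilege is
# Authenticated Users (limited by ms-DS-MachineAccountQuota); replacing it
# with the joiner group is what actually tightens the domain.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeMachineAccountPrivilege = *$groupSid
SeDenyInteractiveLogonRight = *$joinerSid
SeDenyRemoteInteractiveLogonRight = *$joinerSid
SeDenyServiceLogonRight = *$joinerSid
SeDenyBatchLogonRight = *$joinerSid
"@
# SeDenyNetworkLogonRight is intentionally absent: denying it breaks the join.

# Apply the template to the local policy of this host with secedit so it can be
# tested immediately; commit the same lines to the GPOs above afterwards, or a
# GPO refresh will overwrite the local setting.
$infPath = Join-Path $env:TEMP 'joiner-rights.inf'
$dbPath  = Join-Path $env:TEMP 'joiner-rights.sdb'
$template | Set-Content -Path $infPath -Encoding Unicode
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
gpupdate /target:computer /force | Out-Null

# Verification: the account must hold nothing beyond Domain Users and the
# joiner group, and the workstation restriction must be in place.
$u = Get-ADUser -Identity $joiner -Properties LogonWorkstations, MemberOf
$extra = $u.MemberOf | Where-Object { $_ -notmatch "^CN=$group," }
if ($u.LogonWorkstations -ne 'NO-LOGON-ALLOWED' -or $extra) {
    Write-Warning "$joiner is not fully locked down: LogonWorkstations=$($u.LogonWorkstations); extra groups: $($extra -join ', ')"
} else {
    Write-Output "$joiner restricted: join right via '$group', no interactive logon anywhere."
}
```

    Test the sysprep answer file against a lab domain controller after applying this, because the deny rights are enforced on the machine being joined as well as on the DC; if the join fails, the first thing to check is that only the four deny rights listed above are set and SeDenyNetworkLogonRight is not.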


    Author Comment

    Thanks anom.
