

Restrict permissions to only allow joining PCs to Domain

Posted on 2004-10-27
Last Modified: 2008-03-03
Because of all the new security regulations being pushed on us I need to buckle down on the permissions in our domain.  We currently have a userID set up in AD that is used to join the domain automatically in SysPrep on a new image. The password is set to never change (a security risk), but I can live with that if the userID is locked down and can ONLY join computers to the domain.  I don't want it to be able to log in or do anything else.  Is this possible?
Question by:dannyd74

Expert Comment

ID: 12425519
A roaming profile would be one solution.  That way, the user that is logging on has his/her profile located on the server and it is loaded every time they log on, no matter which computer.

Author Comment

ID: 12426806
The userID is not associated with a real person.  The userID is simply there in the sysprep answer file to automatically join the domain on a new image.  That's its only role.

Expert Comment

ID: 12427893
I don't see why you couldn't do that, but I think it might not be a good idea. Accounts that don't have real people attached to them have a way of taking on a life of their own. Even though your intent is for the user account to never be able to do anything other than join machines to the domain, somewhere down the road, somebody will end up putting it in a group that has more rights than you wanted and so forth.

I've lived out this scenario. A number of us once had to work late to patch machines, so we created a user id and a login script that ran the commands needed to patch the machine so we would only have to log on to the machine and move on to the next. We had every intention of using this for two nights. Months later, we were arguing with management because the help desk felt like they needed an account with domain administrator privileges and they wanted to use this generic account that we had not been allowed to delete because it was handy. Cripes. The help desk with domain admin rights with a generic user id to boot!

It is always best to stick to your guns and make people use their own user ids and passwords. If help desk technicians are going to be installing the images, let them have the privileges they need. It may not be as convenient, but it will absolutely be worth it to you and the security of your network in the long haul.

Accepted Solution

_anom_ earned 400 total points
ID: 12441213
Sure this is possible -- simply change the account in AD such that it cannot log on to any workstations (in the Account tab --> "Log On To..." button, iirc).  Then, in your domain security policy, in the User Rights Assignment section, add the username (or perhaps make a "joiner" group) to the "Add workstations to domain" setting.

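The two steps in the accepted answer, plus the OU-delegation alternative and the drift check the earlier expert's story argues for, as an added PowerShell example. This is not code from the thread (which predates the ActiveDirectory module); it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, and the account name svc-join and the OU name OU=Workstations are placeholders. One caveat worth stating up front: Sysprep keeps the join password in clear text in the answer file on every image, so the account has to be treated as already disclosed, which is exactly why it must be able to do nothing but join.

```powershell
# Added example, not code from the original thread. Assumes the RSAT
# ActiveDirectory module on a domain-joined admin workstation and an OU
# (placeholder: OU=Workstations) that imaged machines are joined into.
# The account name svc-join is also a placeholder.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
$svc      = "svc-join"
$joinOU   = "OU=Workstations,$domainDN"

# 1. Create the join account with a long random password. Sysprep stores
#    this password in clear text in the answer file on every image, so
#    assume it is disclosed and make sure the account can do nothing else.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $svc -SamAccountName $svc `
    -Path "CN=Users,$domainDN" `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "Sysprep domain-join only; no interactive logon"

# 2. The "Log On To" restriction from the accepted answer (the
#    userWorkstations attribute). Listing a placeholder name means no real
#    workstation matches, so interactive logon is blocked everywhere.
#    Verify on a test image that the join itself still succeeds before
#    relying on this setting in production.
Set-ADUser -Identity $svc -LogonWorkstations "NOLOGON-PLACEHOLDER"

# 3. Rights to join machines. The answer's route is the "Add workstations to
#    domain" user right (SeMachineAccountPrivilege) in the Default Domain
#    Controllers Policy. There is no AD-module cmdlet for user rights, so
#    that one is set in GPMC. Joins made through that right alone are capped
#    by ms-DS-MachineAccountQuota (default 10); this shows the current value:
(Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

#    Alternative that avoids both the quota and a domain-wide right: delegate
#    Create/Delete Computer objects on just the target OU with dsacls. This is
#    enough for joining new machines (the creator owns the new object);
#    pre-staged computer objects need extra write permissions on them.
#    ${svc} is braced so PowerShell does not read "$svc:CC" as a scoped variable.
& dsacls $joinOU /I:T /G "${netbios}\${svc}:CC;computer" "${netbios}\${svc}:DC;computer"

# 4. Check for the drift the second expert described: the account quietly
#    ending up in privileged groups. Run it periodically and alert on
#    anything other than "OK".
function Test-JoinAccountScope {
    param([string]$Sam = $svc)
    $user   = Get-ADUser -Identity $Sam -Properties LogonWorkstations, PasswordNeverExpires
    $groups = Get-ADPrincipalGroupMembership -Identity $Sam |
              Where-Object { $_.Name -ne 'Domain Users' }
    $problems = @()
    if ($groups) { $problems += "member of: " + ($groups.Name -join ', ') }
    if (-not $user.LogonWorkstations) { $problems += "no Log On To restriction" }
    if ($problems.Count -eq 0) { return "OK" }
    return ($problems -join '; ')
}

Test-JoinAccountScope
```

The OU delegation in step 3 is the option to prefer where it is available: it scopes the account to one container and is not subject to the machine-account quota, whereas the user right from the answer applies domain-wide and is counted against ms-DS-MachineAccountQuota.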

Author Comment

ID: 12444015
Thanks anom.
