Solved

Preventing Domain Users from joining computer accounts to Domain

Posted on 2006-06-12
13
301 Views
Last Modified: 2010-03-18
I want to prevent the Domain Users group from joining computer accounts to my domain.  I have edited the Default Domain Controllers GPO and removed authenticated users and added Domain Admins?  I then refreshed policy on all domain controllers and I can still join with a Domain User Account.  What am I missing?

Frank
0
Comment
Question by:CarrBusinessSystems
  • 4
  • 3
  • 3
  • +3
13 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16887455
A normal 'domain user account' can't add a computer to the domain anyways, have you looked at your full GPO policy ?

Smell a problem there!

Cheers,
Rajesh
0
 

Author Comment

by:CarrBusinessSystems
ID: 16888468
I have read in a few places that "Domain Users" by default in a Windows 2003 domain can add up to 10 computers.  This must be true because it held up when I tested it.  That is why I removed the Authenticated Users off of the "Add computers to Domain" for the Default Domain Controller Policy.  What I am looking to do is to turn this option off so Domain Users can not add any computer accounts to the domain.

Frank
0
 
LVL 13

Expert Comment

by:2hype
ID: 16889892
I dont think a regual user can add a computer to the domain without some elevated privleges.  I think the only way the can do it if you as an administrator Add the computer name information to Active Directory computers before hand.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890126
i am with rajesh, there is something here you are missing, my guess is that you have made the domain user an admin somewhere along the line, by default, a domain user can't - from my experience anyway

what exactly do you mean by joining, what process are you taking, you would have a local user logged on before your domain user can log on anyway so something is going on
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16891526
Frank,

  Since 3 of us don't understand, can you elaborate on when it all started and how ?

Cheers,
Rajesh
0
 
LVL 4

Expert Comment

by:mattbcs
ID: 16891928
Try opening up the domain users default group. Click on the "member of" tab, and make sure that there is not any memberships in there.

I once ran into a similar problem where a newbie wanted to give everyone the equivalent of local admin rights, so he added the domain users group to the domain admins group.

This definitely sounds like it's AD related, and a GPO is highly unlikely to allow a user elevated privliges.

- Matt
0
Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

 
LVL 14

Expert Comment

by:FriarTuk
ID: 16892869
from an nt4 pc to a 2k domain, yes 10 is the limit per the CAUSE in this kb
http://support.microsoft.com/kb/251335/en-us
0
 

Author Comment

by:CarrBusinessSystems
ID: 16896041
Guys,

Here is what is going on - This is a brand new child domain in a current forest.  Windows 2003 native.  I had a member of the "Domain Users" group tell me that they joined a computer to a domain.  I did not think this was possible either so I tested it with a dummy acount - that has no other group memberships except to "Domain Users" and it allowed me to join a computer to the domain.  After doing some research and digging I found that on the "Default Domain Controller" GPO under Windows Settings->Sercurity Settings-> Local Policies->User Rights assignment there is and option called "Add workstations to domain".  By default the "Authenticated Users" group was in the properties of that object.  I removed "Authenticated Users" from that object.  I made sure that AD Replicated and tried again and was able to add another PC to the domain with the dummy account.  So my question is how to stop all user accounts (except the Domain Admins) from joining computer accounts to the domain.  I hope that clears up the confusion a bit.  I also posted on Microsoft's newsgroups to see if there was someone who knew the answer there.

Frank
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16896078
Oh ok. Did you look at the link provided above by FriarTuk ? In there, go to the method 3 and try to set the quota value to 0 and see if it helps.

Cheers,
Rajesh
0
 
LVL 14

Expert Comment

by:FriarTuk
ID: 16899819
thx, as that is what i was referring to as well as reversing method 2 by unchecking those options for authenticated users
0
 

Author Comment

by:CarrBusinessSystems
ID: 16910971
Sorry I did not get to post yesterday but I tried Method 3 and that did the trick.  Thanks for your help guys.

Frank
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16911128
Glad you got it fixed.

Cheers,
Rajesh
0
 
LVL 14

Accepted Solution

by:
FriarTuk earned 125 total points
ID: 16919301
that's great!  now to close you can accept my comment with the link as the answer - http://www.experts-exchange.com/help.jsp#hi68
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now