CarrBusinessSystems
asked on
Preventing Domain Users from joining computer accounts to Domain
I want to prevent the Domain Users group from joining computer accounts to my domain. I have edited the Default Domain Controllers GPO and removed authenticated users and added Domain Admins? I then refreshed policy on all domain controllers and I can still join with a Domain User Account. What am I missing?
Frank
Frank
ASKER
I have read in a few places that "Domain Users" by default in a Windows 2003 domain can add up to 10 computers. This must be true because it held up when I tested it. That is why I removed the Authenticated Users off of the "Add computers to Domain" for the Default Domain Controller Policy. What I am looking to do is to turn this option off so Domain Users can not add any computer accounts to the domain.
Frank
Frank
I dont think a regual user can add a computer to the domain without some elevated privleges. I think the only way the can do it if you as an administrator Add the computer name information to Active Directory computers before hand.
i am with rajesh, there is something here you are missing, my guess is that you have made the domain user an admin somewhere along the line, by default, a domain user can't - from my experience anyway
what exactly do you mean by joining, what process are you taking, you would have a local user logged on before your domain user can log on anyway so something is going on
what exactly do you mean by joining, what process are you taking, you would have a local user logged on before your domain user can log on anyway so something is going on
Frank,
Since 3 of us don't understand, can you elaborate on when it all started and how ?
Cheers,
Rajesh
Since 3 of us don't understand, can you elaborate on when it all started and how ?
Cheers,
Rajesh
Try opening up the domain users default group. Click on the "member of" tab, and make sure that there is not any memberships in there.
I once ran into a similar problem where a newbie wanted to give everyone the equivalent of local admin rights, so he added the domain users group to the domain admins group.
This definitely sounds like it's AD related, and a GPO is highly unlikely to allow a user elevated privliges.
- Matt
I once ran into a similar problem where a newbie wanted to give everyone the equivalent of local admin rights, so he added the domain users group to the domain admins group.
This definitely sounds like it's AD related, and a GPO is highly unlikely to allow a user elevated privliges.
- Matt
from an nt4 pc to a 2k domain, yes 10 is the limit per the CAUSE in this kb
http://support.microsoft.com/kb/251335/en-us
http://support.microsoft.com/kb/251335/en-us
ASKER
Guys,
Here is what is going on - This is a brand new child domain in a current forest. Windows 2003 native. I had a member of the "Domain Users" group tell me that they joined a computer to a domain. I did not think this was possible either so I tested it with a dummy acount - that has no other group memberships except to "Domain Users" and it allowed me to join a computer to the domain. After doing some research and digging I found that on the "Default Domain Controller" GPO under Windows Settings->Sercurity Settings-> Local Policies->User Rights assignment there is and option called "Add workstations to domain". By default the "Authenticated Users" group was in the properties of that object. I removed "Authenticated Users" from that object. I made sure that AD Replicated and tried again and was able to add another PC to the domain with the dummy account. So my question is how to stop all user accounts (except the Domain Admins) from joining computer accounts to the domain. I hope that clears up the confusion a bit. I also posted on Microsoft's newsgroups to see if there was someone who knew the answer there.
Frank
Here is what is going on - This is a brand new child domain in a current forest. Windows 2003 native. I had a member of the "Domain Users" group tell me that they joined a computer to a domain. I did not think this was possible either so I tested it with a dummy acount - that has no other group memberships except to "Domain Users" and it allowed me to join a computer to the domain. After doing some research and digging I found that on the "Default Domain Controller" GPO under Windows Settings->Sercurity Settings-> Local Policies->User Rights assignment there is and option called "Add workstations to domain". By default the "Authenticated Users" group was in the properties of that object. I removed "Authenticated Users" from that object. I made sure that AD Replicated and tried again and was able to add another PC to the domain with the dummy account. So my question is how to stop all user accounts (except the Domain Admins) from joining computer accounts to the domain. I hope that clears up the confusion a bit. I also posted on Microsoft's newsgroups to see if there was someone who knew the answer there.
Frank
Oh ok. Did you look at the link provided above by FriarTuk ? In there, go to the method 3 and try to set the quota value to 0 and see if it helps.
Cheers,
Rajesh
Cheers,
Rajesh
thx, as that is what i was referring to as well as reversing method 2 by unchecking those options for authenticated users
ASKER
Sorry I did not get to post yesterday but I tried Method 3 and that did the trick. Thanks for your help guys.
Frank
Frank
Glad you got it fixed.
Cheers,
Rajesh
Cheers,
Rajesh
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Smell a problem there!
Cheers,
Rajesh