Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 309
  • Last Modified:

Preventing Domain Users from joining computer accounts to Domain

I want to prevent the Domain Users group from joining computer accounts to my domain.  I have edited the Default Domain Controllers GPO and removed authenticated users and added Domain Admins?  I then refreshed policy on all domain controllers and I can still join with a Domain User Account.  What am I missing?

Frank
0
CarrBusinessSystems
Asked:
CarrBusinessSystems
  • 4
  • 3
  • 3
  • +3
1 Solution
 
rsivanandanCommented:
A normal 'domain user account' can't add a computer to the domain anyways, have you looked at your full GPO policy ?

Smell a problem there!

Cheers,
Rajesh
0
 
CarrBusinessSystemsAuthor Commented:
I have read in a few places that "Domain Users" by default in a Windows 2003 domain can add up to 10 computers.  This must be true because it held up when I tested it.  That is why I removed the Authenticated Users off of the "Add computers to Domain" for the Default Domain Controller Policy.  What I am looking to do is to turn this option off so Domain Users can not add any computer accounts to the domain.

Frank
0
 
2hypeCommented:
I dont think a regual user can add a computer to the domain without some elevated privleges.  I think the only way the can do it if you as an administrator Add the computer name information to Active Directory computers before hand.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
Jay_Jay70Commented:
i am with rajesh, there is something here you are missing, my guess is that you have made the domain user an admin somewhere along the line, by default, a domain user can't - from my experience anyway

what exactly do you mean by joining, what process are you taking, you would have a local user logged on before your domain user can log on anyway so something is going on
0
 
rsivanandanCommented:
Frank,

  Since 3 of us don't understand, can you elaborate on when it all started and how ?

Cheers,
Rajesh
0
 
mattbcsCommented:
Try opening up the domain users default group. Click on the "member of" tab, and make sure that there is not any memberships in there.

I once ran into a similar problem where a newbie wanted to give everyone the equivalent of local admin rights, so he added the domain users group to the domain admins group.

This definitely sounds like it's AD related, and a GPO is highly unlikely to allow a user elevated privliges.

- Matt
0
 
FriarTukCommented:
from an nt4 pc to a 2k domain, yes 10 is the limit per the CAUSE in this kb
http://support.microsoft.com/kb/251335/en-us
0
 
CarrBusinessSystemsAuthor Commented:
Guys,

Here is what is going on - This is a brand new child domain in a current forest.  Windows 2003 native.  I had a member of the "Domain Users" group tell me that they joined a computer to a domain.  I did not think this was possible either so I tested it with a dummy acount - that has no other group memberships except to "Domain Users" and it allowed me to join a computer to the domain.  After doing some research and digging I found that on the "Default Domain Controller" GPO under Windows Settings->Sercurity Settings-> Local Policies->User Rights assignment there is and option called "Add workstations to domain".  By default the "Authenticated Users" group was in the properties of that object.  I removed "Authenticated Users" from that object.  I made sure that AD Replicated and tried again and was able to add another PC to the domain with the dummy account.  So my question is how to stop all user accounts (except the Domain Admins) from joining computer accounts to the domain.  I hope that clears up the confusion a bit.  I also posted on Microsoft's newsgroups to see if there was someone who knew the answer there.

Frank
0
 
rsivanandanCommented:
Oh ok. Did you look at the link provided above by FriarTuk ? In there, go to the method 3 and try to set the quota value to 0 and see if it helps.

Cheers,
Rajesh
0
 
FriarTukCommented:
thx, as that is what i was referring to as well as reversing method 2 by unchecking those options for authenticated users
0
 
CarrBusinessSystemsAuthor Commented:
Sorry I did not get to post yesterday but I tried Method 3 and that did the trick.  Thanks for your help guys.

Frank
0
 
rsivanandanCommented:
Glad you got it fixed.

Cheers,
Rajesh
0
 
FriarTukCommented:
that's great!  now to close you can accept my comment with the link as the answer - http://www.experts-exchange.com/help.jsp#hi68
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 3
  • 3
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now