Solved

Preventing Domain Users from joining computer accounts to Domain

Posted on 2006-06-12
13
300 Views
Last Modified: 2010-03-18
I want to prevent the Domain Users group from joining computer accounts to my domain.  I have edited the Default Domain Controllers GPO and removed authenticated users and added Domain Admins?  I then refreshed policy on all domain controllers and I can still join with a Domain User Account.  What am I missing?

Frank
0
Comment
Question by:CarrBusinessSystems
  • 4
  • 3
  • 3
  • +3
13 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16887455
A normal 'domain user account' can't add a computer to the domain anyways, have you looked at your full GPO policy ?

Smell a problem there!

Cheers,
Rajesh
0
 

Author Comment

by:CarrBusinessSystems
ID: 16888468
I have read in a few places that "Domain Users" by default in a Windows 2003 domain can add up to 10 computers.  This must be true because it held up when I tested it.  That is why I removed the Authenticated Users off of the "Add computers to Domain" for the Default Domain Controller Policy.  What I am looking to do is to turn this option off so Domain Users can not add any computer accounts to the domain.

Frank
0
 
LVL 13

Expert Comment

by:2hype
ID: 16889892
I dont think a regual user can add a computer to the domain without some elevated privleges.  I think the only way the can do it if you as an administrator Add the computer name information to Active Directory computers before hand.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890126
i am with rajesh, there is something here you are missing, my guess is that you have made the domain user an admin somewhere along the line, by default, a domain user can't - from my experience anyway

what exactly do you mean by joining, what process are you taking, you would have a local user logged on before your domain user can log on anyway so something is going on
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16891526
Frank,

  Since 3 of us don't understand, can you elaborate on when it all started and how ?

Cheers,
Rajesh
0
 
LVL 4

Expert Comment

by:mattbcs
ID: 16891928
Try opening up the domain users default group. Click on the "member of" tab, and make sure that there is not any memberships in there.

I once ran into a similar problem where a newbie wanted to give everyone the equivalent of local admin rights, so he added the domain users group to the domain admins group.

This definitely sounds like it's AD related, and a GPO is highly unlikely to allow a user elevated privliges.

- Matt
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 14

Expert Comment

by:FriarTuk
ID: 16892869
from an nt4 pc to a 2k domain, yes 10 is the limit per the CAUSE in this kb
http://support.microsoft.com/kb/251335/en-us
0
 

Author Comment

by:CarrBusinessSystems
ID: 16896041
Guys,

Here is what is going on - This is a brand new child domain in a current forest.  Windows 2003 native.  I had a member of the "Domain Users" group tell me that they joined a computer to a domain.  I did not think this was possible either so I tested it with a dummy acount - that has no other group memberships except to "Domain Users" and it allowed me to join a computer to the domain.  After doing some research and digging I found that on the "Default Domain Controller" GPO under Windows Settings->Sercurity Settings-> Local Policies->User Rights assignment there is and option called "Add workstations to domain".  By default the "Authenticated Users" group was in the properties of that object.  I removed "Authenticated Users" from that object.  I made sure that AD Replicated and tried again and was able to add another PC to the domain with the dummy account.  So my question is how to stop all user accounts (except the Domain Admins) from joining computer accounts to the domain.  I hope that clears up the confusion a bit.  I also posted on Microsoft's newsgroups to see if there was someone who knew the answer there.

Frank
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16896078
Oh ok. Did you look at the link provided above by FriarTuk ? In there, go to the method 3 and try to set the quota value to 0 and see if it helps.

Cheers,
Rajesh
0
 
LVL 14

Expert Comment

by:FriarTuk
ID: 16899819
thx, as that is what i was referring to as well as reversing method 2 by unchecking those options for authenticated users
0
 

Author Comment

by:CarrBusinessSystems
ID: 16910971
Sorry I did not get to post yesterday but I tried Method 3 and that did the trick.  Thanks for your help guys.

Frank
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16911128
Glad you got it fixed.

Cheers,
Rajesh
0
 
LVL 14

Accepted Solution

by:
FriarTuk earned 125 total points
ID: 16919301
that's great!  now to close you can accept my comment with the link as the answer - http://www.experts-exchange.com/help.jsp#hi68
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device. In simple terms a gateway is formed when a computer such as a serv…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now