[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Active directory: Deny write to "Computers" container

Posted on 2006-11-26
5
Medium Priority
?
462 Views
Last Modified: 2010-04-18
Hi,

I've configured delegations for all sites admins over each of their perspective OU's.
non of them is a Domain Admins members.

Any system admin knows that he need to create the computer account in his OU prior to joining the macine to the domain.
Still, anyone that just join a computer to the domain, the compter acount being written to the "computers" container.

I wanna block the ability to write anything in that container.

I removed all permissions from the container, the only one that has access right now are "Domain Admins, System, enterprise Admins"

Users still have the option to join the machine to the domain.

Do I have any other option for that?

Thanx.
0
Comment
Question by:EERetUser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 6

Accepted Solution

by:
NadeemV earned 750 total points
ID: 18014020
Hi There,

You need to remove a setting from the Domain Controllers Security Policy.

Navigate down into User Rights Assignment and locate the right for "Add workstations to the Domain".

You will see that authenticated Users have the right to add workstations.

This is by Design in Windows 2003 so that users of XP workstations can add their own machines to the domain. All users have the ability to add 10 workstations using their own credentials. ie: you do not need to be an administrator to add a workstation to the domain. Some look at this as a security weakness and like to disable it in the security policy.

Regards,

NadeemV
0
 

Author Comment

by:EERetUser
ID: 18014063
Thanx, I'll check this option,
0
 
LVL 51

Expert Comment

by:Netman66
ID: 18014148
The Computers container is not an OU and therefore is treated differently.

What you can do, is redirect the default container to an OU where you can block this *feature*.

http://technet2.microsoft.com/WindowsServer/en/library/1919bb9f-adc9-4b7b-82f0-9bcaead3b81e1033.mspx?mfr=true
0
 

Author Comment

by:EERetUser
ID: 18387580
NetMan, thanx, very interesting option, but I think NadeemV answer will be better for my case.

Thanx
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question