Active directory: Deny write to "Computers" container
Posted on 2006-11-26
I've configured delegations for all sites admins over each of their perspective OU's.
non of them is a Domain Admins members.
Any system admin knows that he need to create the computer account in his OU prior to joining the macine to the domain.
Still, anyone that just join a computer to the domain, the compter acount being written to the "computers" container.
I wanna block the ability to write anything in that container.
I removed all permissions from the container, the only one that has access right now are "Domain Admins, System, enterprise Admins"
Users still have the option to join the machine to the domain.
Do I have any other option for that?