I want to only allow just two domain adminstrator accounts to be able to add computers to the domain, be it from the workstation itself or from an answer file during desktop deployment (RIS, WDS etc). I have removed 'authenticated users' from my 'default domain controller policy' 'Add workstations to domain' and left just Domain Admins but any user can still add computers to domain and authenticate WDS installs.
Is there another policy I should set somewhere?
Who is Participating?
2PiFLConnect With a Mentor Commented:
1. From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties.  
2. Right-click the Computers container, and then click Properties.
3. On the Security tab, click Advanced.
4. On the Permissions tab, click Authenticated Users, and then click View/Edit.

NOTE: If the Authenticated Users group is not listed, click Add and add it to the list of permission entries.
5. Make sure the This object and all child objects option is displayed in the Apply onto box.
6. From the Permissions box, click to select the Deny check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK.  
"any user can still add computers to domain"??
Users can only do so if they have the Domain Admin credentials!! So your option is to change the Domain Admin password and make sure only your Domain Administrators know the password, no one else.
PeteAuthor Commented:
Thanks 2PiFL I have accepted your answer but further testing shows that during my WDS installs domain users can still type in their Un and PW and allow the install to carry on, join the machine to the domain etc.
Any further thoughts?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

It will take a period of time to propigate the change.  I usually wait a day.  Let me know if it still doesn't work tomorrow.
Check if the domain user(s) is/are in the Domain Admin group.
You may need to do this:
Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain:

Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000 Resource Kit.

Install the Windows 2000 Support tools if they have not already been installed. To install these tools, run Setup.exe from the Support\Tools folder on the Windows 2000 Server or the Windows 2000 Professional CD-ROM.  

2. Run Adsiedit.msc as an administrator of the domain.  

3. Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.

4. In the Select which properties to view box, click Both.
5. In the Select a property to view box, click ms-DS-MachineAccountQuota.

6. In the Edit Attribute box, enter 0. This number represents the number of workstations that you want users to be able to maintain concurrently.

7. Click Set, and then click OK.  
PeteAuthor Commented:
thanks, I have made the change, will report back tomorrow.
PeteAuthor Commented: when I try and join a computer to the domain using my 'setup' account. (member of domain admins, domain users, administrators) I get the error message:

"you have exceeded the maximum number of compter accounts you are allowed to ctreate in this domain"

PeteAuthor Commented:
In fact even my domain\administrator account gets this message when trying to joing a computer to it because authenticated users have no access now and my users (including domain admins) are members of authenticated users?

I have added both my setup and domain account to have 'create\delete computer objects' permission on the 'computers container'. No change.
Weird.  Mine is setup that way and it works.

Try this:  Remove the Deny permission from Authenticated Users and check that they only have these permissions:

List Content
Read All Properties
Read Permissions.

Document all your changes so you can get back to where you started if necessary.
PeteAuthor Commented:
Ok, that seems to have fixed it.

Thanks for all your help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.