Solved

DENY ADD COMPUTERS TO DOMAIN

Posted on 2007-11-29
11
994 Views
Last Modified: 2008-07-03
I want to only allow just two domain administrator accounts to be able to add computers to the domain, be it from the workstation itself or from an answer file during desktop deployment (RIS, WDS etc). I have removed 'authenticated users' from my 'default domain controller policy' 'Add workstations to domain' and left just Domain Admins, but any user can still add computers to the domain and authenticate WDS installs.
Is there another policy I should set somewhere?
0
Question by:Pete
11 Comments
 
LVL 23

Expert Comment

by:ormerodrutter
ID: 20372987
"any user can still add computers to domain"??
Users can only do so if they have the Domain Admin credentials!! So your option is to change the Domain Admin password and make sure only your Domain Administrators know the password, no one else.
0
 
LVL 16

Accepted Solution

by:
2PiFL earned 250 total points
ID: 20373068
1. From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties.  
2. Right-click the Computers container, and then click Properties.
3. On the Security tab, click Advanced.
4. On the Permissions tab, click Authenticated Users, and then click View/Edit.

NOTE: If the Authenticated Users group is not listed, click Add and add it to the list of permission entries.
5. Make sure the This object and all child objects option is displayed in the Apply onto box.
6. From the Permissions box, click to select the Deny check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK.  
0
 
LVL 1

Author Comment

by:Pete
ID: 20373580
Thanks 2PiFL I have accepted your answer but further testing shows that during my WDS installs domain users can still type in their Un and PW and allow the install to carry on, join the machine to the domain etc.
Any further thoughts?
0
 
LVL 16

Expert Comment

by:2PiFL
ID: 20373691
It will take a period of time to propagate the change.  I usually wait a day.  Let me know if it still doesn't work tomorrow.
0
 
LVL 23

Expert Comment

by:ormerodrutter
ID: 20373836
Check if the domain user(s) is/are in the Domain Admin group.
0
 
LVL 16

Expert Comment

by:2PiFL
ID: 20376811
You may need to do this:
Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain:

Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000 Resource Kit.

1. Install the Windows 2000 Support tools if they have not already been installed. To install these tools, run Setup.exe from the Support\Tools folder on the Windows 2000 Server or the Windows 2000 Professional CD-ROM.

2. Run Adsiedit.msc as an administrator of the domain.  

3. Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.

4. In the Select which properties to view box, click Both.
 
5. In the Select a property to view box, click ms-DS-MachineAccountQuota.

6. In the Edit Attribute box, enter 0. This number represents the number of workstations that you want users to be able to maintain concurrently.

7. Click Set, and then click OK.  
0
 
LVL 1

Author Comment

by:Pete
ID: 20378609
thanks, I have made the change, will report back tomorrow.
0
 
LVL 1

Author Comment

by:Pete
ID: 20380587
mmm....now when I try and join a computer to the domain using my 'setup' account (member of domain admins, domain users, administrators) I get the error message:

"you have exceeded the maximum number of computer accounts you are allowed to create in this domain"

0
 
LVL 1

Author Comment

by:Pete
ID: 20380652
In fact even my domain\administrator account gets this message when trying to join a computer to the domain....is it because authenticated users have no access now and my users (including domain admins) are members of authenticated users?

I have added both my setup and domain account to have 'create\delete computer objects' permission on the 'computers container'. No change.
0
 
LVL 16

Expert Comment

by:2PiFL
ID: 20381412
Weird.  Mine is setup that way and it works.

Try this:  Remove the Deny permission from Authenticated Users and check that they only have these permissions:

List Content
Read All Properties
Read Permissions.

Document all your changes so you can get back to where you started if necessary.
0
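The two settings this thread works through, ms-DS-MachineAccountQuota on the domain head and the Create/Delete Computer Objects entries on the Computers container, can be read back in one place before and after a change. The script below is an added example, not code from the thread; it uses plain ADSI so it needs no AD PowerShell module, assumes it runs on a domain-joined machine as a user who can read the domain (and as a domain admin for the Set- function), and takes the computer-class schemaIDGUID from the default AD schema.

```powershell
# Added example, not from the thread. Audits the two settings discussed above
# through ADSI and lists the ACEs on the Computers container that govern
# creating or deleting computer objects.
# Assumes a domain-joined machine and a user who can read the domain NC.

$domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota on the domain head: how many computer accounts
    # an ordinary authenticated user may join (default 10; the thread sets 0).
    $domain = [ADSI]"LDAP://$domainDn"
    return [int]$domain.psbase.Properties["ms-DS-MachineAccountQuota"].Value
}

function Set-MachineAccountQuota([int]$Quota) {
    # Same change the thread makes in ADSIEdit step 6. Needs domain admin rights.
    $domain = [ADSI]"LDAP://$domainDn"
    $domain.psbase.Properties["ms-DS-MachineAccountQuota"].Value = $Quota
    $domain.psbase.CommitChanges()
}

function Get-ComputerContainerAces {
    # schemaIDGUID of the 'computer' class in the default AD schema; an ACE with
    # this ObjectType and CreateChild/DeleteChild is the "Create/Delete
    # Computer Objects" entry shown in the ADUC Security tab.
    $computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
    $childMask = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                 [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $container = [ADSI]"LDAP://CN=Computers,$domainDn"
    $rules = $container.psbase.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if (([int]$r.ActiveDirectoryRights -band $childMask) -eq 0) { continue }
        # ObjectType Empty = applies to every child class, computers included
        if ($r.ObjectType -ne $computerClass -and $r.ObjectType -ne [Guid]::Empty) { continue }
        New-Object PSObject -Property @{
            Type      = $r.AccessControlType     # A Deny here also hits Domain Admins:
            Identity  = $r.IdentityReference     # they are Authenticated Users too, and
            Rights    = $r.ActiveDirectoryRights # an explicit Deny wins over any Allow.
            Inherited = $r.IsInherited
        }
    }
}

"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
Get-ComputerContainerAces | Format-Table Type, Identity, Rights, Inherited -AutoSize
```

A Deny row for Authenticated Users in the output is the state that produced the "exceeded the maximum number of computer accounts" error for the admin accounts above; the resolution was to drop that Deny and set the quota to 0 instead.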
 
LVL 1

Author Comment

by:Pete
ID: 20382133
Ok, that seems to have fixed it.

Thanks for all your help.
0
