Solved

Why can all Domain Users join their PCs to the domain?

Posted on 2010-01-12
Last Modified: 2012-05-08
I just noticed that any user (Domain User) can join his/her PC to the domain and also change the machine name on the network.

We have 2 domain controllers (Windows 2003 Standard Server).
Question by:kvelkhoury
9 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26295373
Windows 2003 based AD allows this behavior by default, with a 10 computer limit. You can limit this in group policy security settings, local settings, user rights assignment.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1400 total points
ID: 26295387
By default they can actually join 10 machines to the domain
http://support.microsoft.com/default.aspx/kb/243327/en-us
You can change it (outlined in the article)
Thanks
Mike
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26295389
The setting is "Add workstations to Domain"
0

 

Author Comment

by:kvelkhoury
ID: 26302061
Isn't there any other way than what Microsoft shows? Plus, how do I install the Windows Support Tools on Windows 2003? (In Windows 2000 it was straightforward, but I'm not sure about Windows 2003.)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 26303903
You can download the support tools here  http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
They are also on the 2003 disc in the tools folder.
No other way that I know of.
Thanks
Mike
0
 

Author Comment

by:kvelkhoury
ID: 26306963
Thanks mkline71, I will try it, but can someone give me a simpler explanation for not allowing domain users to join computers to the domain?
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 600 total points
ID: 26307241
You can do the opposite of what is mentioned in this article:
 
http://www.infinitconsulting.com/News-Events/TechNotes/limit-workstations.html 
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26307316
Easiest way would be to use the GPO setting in the Default Domain Controllers Policy:

Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, "Add workstations to the domain"

Here, remove "Authenticated Users" and add only the security groups you would like to have, at least domain administrators.
0
 

Author Comment

by:kvelkhoury
ID: 26335179
If I set the attribute "ms-DS-MachineAccountQuota" to zero, does that mean the Domain Users will NOT be allowed to join PCs to the domain? Or does it mean that they can perform unlimited joins?

In conclusion, what value do I set it to?
0
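
An audit of the two controls discussed in this thread, as an added example that is not part of any post above: it reads ms-DS-MachineAccountQuota from the domain head and lists which accounts have already used the quota to join machines. It assumes PowerShell 3.0 or later with the ActiveDirectory module (against Windows Server 2003 domain controllers this needs the Active Directory Management Gateway Service). A quota of 0 means users who hold only the "Add workstations to domain" right cannot join any machines; accounts with delegated permission to create computer objects are not subject to the quota.

```powershell
# Added example: read-only audit of quota-based domain joins.
# Assumes the ActiveDirectory module and PowerShell 3.0+.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$head   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota  = $head.'ms-DS-MachineAccountQuota'
Write-Output "Domain $($domain.DNSRoot): ms-DS-MachineAccountQuota = $quota"

# Computer accounts created under the "Add workstations to domain" right
# record the creator's SID in ms-DS-CreatorSID.
$joined = Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID', whenCreated |
    Where-Object { $_.'ms-DS-CreatorSID' }

# One row per creator: how many machines they joined and whether they hit the quota.
$report = foreach ($group in ($joined | Group-Object { "$($_.'ms-DS-CreatorSID')" })) {
    $sid = [System.Security.Principal.SecurityIdentifier]$group.Name
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = "$($group.Name) (unresolved, account may be deleted)" }
    [pscustomobject]@{
        Creator   = $who
        Count     = $group.Count
        AtLimit   = ($quota -gt 0 -and $group.Count -ge $quota)
        Computers = ($group.Group | Sort-Object whenCreated |
                        ForEach-Object { $_.Name }) -join ', '
    }
}
$report | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap

# To stop quota-based joins after reviewing the report (run as a Domain Admin):
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Existing computer accounts are not affected by lowering the quota; the report shows which ones were created by ordinary users so they can be reviewed separately.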
