Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Adding a computer to a domain - best practice.

Posted on 2011-03-17
6
Medium Priority
?
446 Views
Last Modified: 2012-05-11
When adding a computer to a domain what is the proper way?

When asked to enter a username and password - if I enter the admin, I am only using the admin account because it has priviliges to add a computer to the domain right?
Will any of the admin rights be giving to the computer?
0
Comment
Question by:swedishmotors
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 1000 total points
ID: 35157559
No.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  Your computer will add Domain Admins to its local Administrators group.
0
 
LVL 1

Author Comment

by:swedishmotors
ID: 35157620
To clarify:
No.  No admin rights are giving to the joing computer object if the object is added by the admin.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  

Your computer will add Domain Admins to its local Administrators group. The admin account from the AD will be added to the computer being added to AD.

Does this also mean I can not log onto the computer itself with the domain's admin account?
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 1000 total points
ID: 35157678
Not at all.  It means your computer is granting local administrative privileges to any domain members who are in the Domain Admins group and using their AD Accounts.  You should be able to log in with both account types: elevated access and normal access.

DrUltima
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 57

Expert Comment

by:Mike Kline
ID: 35157721
Just an added note by default users can add 10 machines to the domain.  that can be changed   http://blogs.technet.com/b/jhoward/archive/2005/04/18/403817.aspx?wa=wsignin1.0 

...but out of the box a "regular" user can also add a machine.

Thanks

Mike
0
 
LVL 1

Author Comment

by:swedishmotors
ID: 35157770
I still do not understand.

When I add a computer to the domain should I use the admin account? If so does the computer inherit any admin privileges.

Or should I use the account of the person that will be using the computer?  Then does the computer inherit that user privileges?
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 1000 total points
ID: 35157833
As Mike pointed out, in a non-modified AD install, standard users can add 10 computers to the domain.  So, if your user has never added a computer to the domain, it does not require administrative access to the domain.  It WOULD require administrative access to the computer to make this change, though.

When a computer is joined to the domain, it adds the Domain Admins group (from the domain) into its local Administrators group, thus granting administrative access to the local machine to any user in the Domain Admins group.

Best practice is to lock down AD so that standard users cannot join to the domain.  If this is done, it would require an administrative (domain) account to join to the domain, or at least an account which had been delegated those rights.

DrUltima
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question