?
Solved

Adding a computer to a domain - best practice.

Posted on 2011-03-17
6
Medium Priority
?
441 Views
Last Modified: 2012-05-11
When adding a computer to a domain what is the proper way?

When asked to enter a username and password - if I enter the admin, I am only using the admin account because it has priviliges to add a computer to the domain right?
Will any of the admin rights be giving to the computer?
0
Comment
Question by:swedishmotors
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 1000 total points
ID: 35157559
No.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  Your computer will add Domain Admins to its local Administrators group.
0
 
LVL 1

Author Comment

by:swedishmotors
ID: 35157620
To clarify:
No.  No admin rights are giving to the joing computer object if the object is added by the admin.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  

Your computer will add Domain Admins to its local Administrators group. The admin account from the AD will be added to the computer being added to AD.

Does this also mean I can not log onto the computer itself with the domain's admin account?
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 1000 total points
ID: 35157678
Not at all.  It means your computer is granting local administrative privileges to any domain members who are in the Domain Admins group and using their AD Accounts.  You should be able to log in with both account types: elevated access and normal access.

DrUltima
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 35157721
Just an added note by default users can add 10 machines to the domain.  that can be changed   http://blogs.technet.com/b/jhoward/archive/2005/04/18/403817.aspx?wa=wsignin1.0 

...but out of the box a "regular" user can also add a machine.

Thanks

Mike
0
 
LVL 1

Author Comment

by:swedishmotors
ID: 35157770
I still do not understand.

When I add a computer to the domain should I use the admin account? If so does the computer inherit any admin privileges.

Or should I use the account of the person that will be using the computer?  Then does the computer inherit that user privileges?
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 1000 total points
ID: 35157833
As Mike pointed out, in a non-modified AD install, standard users can add 10 computers to the domain.  So, if your user has never added a computer to the domain, it does not require administrative access to the domain.  It WOULD require administrative access to the computer to make this change, though.

When a computer is joined to the domain, it adds the Domain Admins group (from the domain) into its local Administrators group, thus granting administrative access to the local machine to any user in the Domain Admins group.

Best practice is to lock down AD so that standard users cannot join to the domain.  If this is done, it would require an administrative (domain) account to join to the domain, or at least an account which had been delegated those rights.

DrUltima
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question