Adding a computer to a domain - best practice.

When adding a computer to a domain what is the proper way?

When asked to enter a username and password - if I enter the admin, I am only using the admin account because it has priviliges to add a computer to the domain right?
Will any of the admin rights be giving to the computer?
LVL 1
swedishmotorsAsked:
Who is Participating?
 
Justin OwensConnect With a Mentor ITIL Problem ManagerCommented:
As Mike pointed out, in a non-modified AD install, standard users can add 10 computers to the domain.  So, if your user has never added a computer to the domain, it does not require administrative access to the domain.  It WOULD require administrative access to the computer to make this change, though.

When a computer is joined to the domain, it adds the Domain Admins group (from the domain) into its local Administrators group, thus granting administrative access to the local machine to any user in the Domain Admins group.

Best practice is to lock down AD so that standard users cannot join to the domain.  If this is done, it would require an administrative (domain) account to join to the domain, or at least an account which had been delegated those rights.

DrUltima
0
 
Justin OwensConnect With a Mentor ITIL Problem ManagerCommented:
No.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  Your computer will add Domain Admins to its local Administrators group.
0
 
swedishmotorsAuthor Commented:
To clarify:
No.  No admin rights are giving to the joing computer object if the object is added by the admin.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  

Your computer will add Domain Admins to its local Administrators group. The admin account from the AD will be added to the computer being added to AD.

Does this also mean I can not log onto the computer itself with the domain's admin account?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
Justin OwensConnect With a Mentor ITIL Problem ManagerCommented:
Not at all.  It means your computer is granting local administrative privileges to any domain members who are in the Domain Admins group and using their AD Accounts.  You should be able to log in with both account types: elevated access and normal access.

DrUltima
0
 
Mike KlineCommented:
Just an added note by default users can add 10 machines to the domain.  that can be changed   http://blogs.technet.com/b/jhoward/archive/2005/04/18/403817.aspx?wa=wsignin1.0 

...but out of the box a "regular" user can also add a machine.

Thanks

Mike
0
 
swedishmotorsAuthor Commented:
I still do not understand.

When I add a computer to the domain should I use the admin account? If so does the computer inherit any admin privileges.

Or should I use the account of the person that will be using the computer?  Then does the computer inherit that user privileges?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.