Solved

Adding a computer to a domain - best practice.

Posted on 2011-03-17
6
416 Views
Last Modified: 2012-05-11
When adding a computer to a domain what is the proper way?

When asked to enter a username and password - if I enter the admin, I am only using the admin account because it has priviliges to add a computer to the domain right?
Will any of the admin rights be giving to the computer?
0
Comment
Question by:swedishmotors
  • 3
  • 2
6 Comments
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 250 total points
ID: 35157559
No.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  Your computer will add Domain Admins to its local Administrators group.
0
 
LVL 1

Author Comment

by:swedishmotors
ID: 35157620
To clarify:
No.  No admin rights are giving to the joing computer object if the object is added by the admin.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  

Your computer will add Domain Admins to its local Administrators group. The admin account from the AD will be added to the computer being added to AD.

Does this also mean I can not log onto the computer itself with the domain's admin account?
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 250 total points
ID: 35157678
Not at all.  It means your computer is granting local administrative privileges to any domain members who are in the Domain Admins group and using their AD Accounts.  You should be able to log in with both account types: elevated access and normal access.

DrUltima
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 35157721
Just an added note by default users can add 10 machines to the domain.  that can be changed   http://blogs.technet.com/b/jhoward/archive/2005/04/18/403817.aspx?wa=wsignin1.0 

...but out of the box a "regular" user can also add a machine.

Thanks

Mike
0
 
LVL 1

Author Comment

by:swedishmotors
ID: 35157770
I still do not understand.

When I add a computer to the domain should I use the admin account? If so does the computer inherit any admin privileges.

Or should I use the account of the person that will be using the computer?  Then does the computer inherit that user privileges?
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 250 total points
ID: 35157833
As Mike pointed out, in a non-modified AD install, standard users can add 10 computers to the domain.  So, if your user has never added a computer to the domain, it does not require administrative access to the domain.  It WOULD require administrative access to the computer to make this change, though.

When a computer is joined to the domain, it adds the Domain Admins group (from the domain) into its local Administrators group, thus granting administrative access to the local machine to any user in the Domain Admins group.

Best practice is to lock down AD so that standard users cannot join to the domain.  If this is done, it would require an administrative (domain) account to join to the domain, or at least an account which had been delegated those rights.

DrUltima
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now