Solved

Adding a computer to a domain - best practice.

Posted on 2011-03-17
6
440 Views
Last Modified: 2012-05-11
When adding a computer to a domain what is the proper way?

When asked to enter a username and password - if I enter the admin, I am only using the admin account because it has priviliges to add a computer to the domain right?
Will any of the admin rights be giving to the computer?
0
Comment
Question by:swedishmotors
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 250 total points
ID: 35157559
No.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  Your computer will add Domain Admins to its local Administrators group.
0
 
LVL 1

Author Comment

by:swedishmotors
ID: 35157620
To clarify:
No.  No admin rights are giving to the joing computer object if the object is added by the admin.  It is actually using admin rights to modify AD and create the computer object in AD and establish a trust.  

Your computer will add Domain Admins to its local Administrators group. The admin account from the AD will be added to the computer being added to AD.

Does this also mean I can not log onto the computer itself with the domain's admin account?
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 250 total points
ID: 35157678
Not at all.  It means your computer is granting local administrative privileges to any domain members who are in the Domain Admins group and using their AD Accounts.  You should be able to log in with both account types: elevated access and normal access.

DrUltima
0
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

 
LVL 57

Expert Comment

by:Mike Kline
ID: 35157721
Just an added note by default users can add 10 machines to the domain.  that can be changed   http://blogs.technet.com/b/jhoward/archive/2005/04/18/403817.aspx?wa=wsignin1.0 

...but out of the box a "regular" user can also add a machine.

Thanks

Mike
0
 
LVL 1

Author Comment

by:swedishmotors
ID: 35157770
I still do not understand.

When I add a computer to the domain should I use the admin account? If so does the computer inherit any admin privileges.

Or should I use the account of the person that will be using the computer?  Then does the computer inherit that user privileges?
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 250 total points
ID: 35157833
As Mike pointed out, in a non-modified AD install, standard users can add 10 computers to the domain.  So, if your user has never added a computer to the domain, it does not require administrative access to the domain.  It WOULD require administrative access to the computer to make this change, though.

When a computer is joined to the domain, it adds the Domain Admins group (from the domain) into its local Administrators group, thus granting administrative access to the local machine to any user in the Domain Admins group.

Best practice is to lock down AD so that standard users cannot join to the domain.  If this is done, it would require an administrative (domain) account to join to the domain, or at least an account which had been delegated those rights.

DrUltima
0

Featured Post

Comparison of Amazon Drive, Google Drive, OneDrive

What is Best for Backup: Amazon Drive, Google Drive or MS OneDrive? In this free whitepaper we look at their performance, pricing, and platform availability to help you decide which cloud drive is right for your situation. Download and read the results of our testing for free!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question