SigSupport

Who can add a computer to a domain (Windows 2003)???

Hi,
I'm reading this TechNet article and it makes no sense, it says any user can add computers to a domain??
http://technet.microsoft.com/en-us/library/cc780195%28WS.10%29.aspx

And this one too?
http://technet.microsoft.com/en-us/library/cc781364%28WS.10%29.aspx
"By default, Authenticated Users in a domain are assigned the Add workstations to a domain user right and can create up to 10 computer accounts in the domain. For more information, see Related Topics."

I tried it with a simple domain user and it doesn't work, and I DON'T SEE why Microsoft would permit any user to add computers on the domain. That's a security hole and it's an open door to screw up license accounting. The IT dept needs to buy licenses for connected computers on a domain; if users can add thousands of computers, how can we keep the counts and keep the AD structure clean? And who would want a user to bring his home computer and put it on the corporate network????

tx!
Joseph Moody

It is true. Most IT departments disable this feature and only allow managed machines to be created.
By default it is 10, like the TechNet article states. That can be changed if you don't want that to be the case.

http://blogs.technet.com/b/jhoward/archive/2005/04/18/403817.aspx?wa=wsignin1.0

Thanks

Mike
SOLUTION
simpsol
This solution is only available to members.
SigSupport

ASKER

Simpsol,
I read your link, and since on my domain normal users cannot add computers to the domain, I am trying to understand why.
The link tells of 2 things: the GPO and the Computer folder in AD.
On my Default Domain Controllers Policy GPO I can see that MYDOMAIN\Domain Admins, Authenticated Users are in there, so it sounds like users would be able to add 10 stations? no?
But on the Computer folder in AD, the only rights Authenticated Users have are List Contents, Read All Properties, Read Permissions.
So by what I understand, users don't have create object on the Computer folder; because of the GPO they should be able to create computers up to 10? no?
Then why can't they add any station (which I don't mind, just looking to understand)?
tx!
Someone probably altered the permissions on your Computers container to prevent users from being able to add computer accounts.
That functionality was included so machines could be pre-created in AD, permissions on the appropriate OU where it was pre-created would allow people with those permissions to add it to the domain while sitting in front of the client.  So, while it is possible for anyone to add machines, they need permissions to either create objects in AD or update a specific container.
Lee YCP,
That sounds interesting but can you clarify. What I understood is that if an admin adds a computer, say computer1, under COMPUTERS in AD. Then the user, simple domain user, sitting in front can add his computer to the domain???

And you say that: while it is possible for anyone to add machines, they need permissions to either create objects in AD or update a specific container
What does that mean? How can they add machines if they cannot add machines?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
clarification on the last sentence:
"but domain\Joe_User could be in the administrators group"
should have been:
"but domain\Joe_User could be in the local administrators group."
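
The thread turns on two separate controls: the per-user quota of 10 and the permissions on the Computers container. The read-only audit below is an added example, not part of any post in this thread, and reports both along with the computer accounts that already carry a creator SID. It assumes the RSAT ActiveDirectory PowerShell module and read access to the domain; the attribute names `ms-DS-MachineAccountQuota` and `ms-DS-CreatorSID` are standard AD attributes that the thread itself does not name, and the "Add workstations to a domain" user right in the GPO is not checked here.

```powershell
# Added example: read-only audit of who can create computer accounts.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Per-user quota (the "10" from the TechNet article).
#    0 means no computer accounts can be created under the quota.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2. ACEs on the default Computers container that allow creating computer
#    objects (CreateChild on the computer class, or on all child classes).
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'computer'
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

(Get-Acl -Path "AD:\$($domain.ComputersContainer)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $createChild) -eq $createChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 3. Computer accounts on which AD recorded a creator SID, grouped by creator,
#    so accounts joined by ordinary users stand out.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID' |
    Group-Object { $_.'ms-DS-CreatorSID'.ToString() } |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Computers'; e = { $_.Group.Name -join ', ' } } |
    Format-Table -AutoSize
```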