SigSupport
Who can add a computer to a domain (Windows 2003)???
Hi,
I'm reading this TechNet article and it makes no sense, it says any user can add computers to a domain??
http://technet.microsoft.com/en-us/library/cc780195%28WS.10%29.aspx
And this one too?
http://technet.microsoft.com/en-us/library/cc781364%28WS.10%29.aspx
"By default, Authenticated Users in a domain are assigned the Add workstations to a domain user right and can create up to 10 computer accounts in the domain. For more information, see Related Topics."
I tried it with a simple domain user and it doesn't work, and I DON'T SEE why Microsoft would permit any user to add computers on the domain. That's a security hole and it's an open door to screw license accounting. The IT dept needs to buy licenses for connected computers on a domain; if users can add thousands of computers, how can we keep the counts and keep the AD structure clean? And who would want a user to bring his home computer and put it on the corporate network????
tx!
It is true. Most IT departments disable this feature and only allow managed machines to be created.
By default it is 10, like the TechNet article states. That can be changed if you don't want that to be the case.
http://blogs.technet.com/b/jhoward/archive/2005/04/18/403817.aspx?wa=wsignin1.0
Thanks
Mike
ASKER
Simpsol,
I read your link, and since on my domain normal users cannot add computers to the domain, I am trying to understand why.
The link tells of 2 things: the GPO and the Computer folder in AD.
On my Default Domain Controllers Policy GPO I can see that MYDOMAIN\Domain Admins and Authenticated Users are in there, so it sounds like users would be able to add 10 stations? No?
But on the Computer folder in AD, the only rights Authenticated Users have are List Contents, Read All Properties, Read Permissions.
So from what I understand, users don't have create object on the Computer folder, but because of the GPO they should be able to create computers up to 10? No?
Then why can't they add any station (which I don't mind, just looking to understand)?
tx!
Someone probably altered the permissions on your Computers container to prevent users from being able to add computer accounts.
That functionality was included so machines could be pre-created in AD; permissions on the appropriate OU where it was pre-created would allow people with those permissions to add it to the domain while sitting in front of the client. So, while it is possible for anyone to add machines, they need permissions to either create objects in AD or update a specific container.
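The posts above name three things that decide who can join a machine: the "Add workstations to a domain" user right, the 10-account limit, and the ACL on the Computers container. The PowerShell below is an added example, not part of the original thread; it reads the limit (stored in the domain's ms-DS-MachineAccountQuota attribute, a name the thread does not give) and lists who holds create rights on the container, assuming the default CN=Computers location.

```powershell
# Added example: audit the directory-side controls discussed in this thread.
# Read-only; any authenticated domain user on a domain-joined machine can run it.
# Uses ADSI so it does not need the ActiveDirectory module.

$root     = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$root.Properties['defaultNamingContext'].Value
$domain   = [ADSI]"LDAP://$domainDn"

# 1) Quota for computer accounts created through the user right.
#    Default is 10; 0 means the user right alone no longer lets anyone create accounts.
$quota = $domain.Properties['ms-DS-MachineAccountQuota'].Value
"ms-DS-MachineAccountQuota on $domainDn = $quota"
if ($quota -gt 0) {
    "Principals holding 'Add workstations to a domain' can each create up to $quota computer accounts."
} else {
    "Quota is 0 or unset: only principals with create rights in the directory can add computer accounts."
}

# 2) ACEs on the Computers container that allow creating computer objects.
#    Assumption: the default container is in use (not redirected to another OU).
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "computer"
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$container     = [ADSI]"LDAP://CN=Computers,$domainDn"
$rules = $container.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

# Keep Allow ACEs that include CreateChild for all classes or for computer objects.
# Full Control (GenericAll) includes the CreateChild bit, so admins show up here too.
$rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $createChild) -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $computerClass)
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

The user right itself lives in the GPO applied to domain controllers (the Default Domain Controllers Policy mentioned above), so check who is listed there alongside this output.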
ASKER
Lee YCP,
That sounds interesting, but can you clarify? What I understood is that if an admin adds a computer, say computer1, under COMPUTERS in AD, then the user, a simple domain user, sitting in front can add his computer to the domain???
And you say that: while it is possible for anyone to add machines, they need permissions to either create objects in AD or update a specific container
What does that mean? How can they add machines if they cannot add machines?
ASKER CERTIFIED SOLUTION
Clarification on the last sentence:
"but domain\Joe_User could be in the administrators group"
should have been:
"but domain\Joe_User could be in the local administrators group."