Solved

How to prevent users to add a workstation joining the domain without domain admin right

Posted on 2015-01-27
8
207 Views
Last Modified: 2015-01-28
How to prevent users to add a workstation joining the domain without domain admin right
0
Comment
Question by:helpdesk_wlk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40572859
One must have either belong to the Domain Administrators group or have been delegated extra privileges of his or her Organizational Unit by a Domain Administrator to add a workstation to the domain.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40572861
I am not sure I understand entirely. A user CANNOT add a workstation to a domain. A domain Administrator must do this. Once added, a user can log on, of course.
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40572874
John: Although I doubt this is the case here, a DA can delegate a non-DA rights to add workstations and users to a particular OU, making that user an organizational unit administrator.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 95

Expert Comment

by:John Hurst
ID: 40572892
I was assuming a random Joe user in my post, not a special user delegated the authority to add. Thank you for the clarification.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40572897
The  "Add workstation to domain"  by default set to Authenticated Users on the Default Domain Controllers policy. You need to modify this and remove authenticated users. An Authenticated User (if this policy is enabled) has the rights to add 10 domain computers before getting access denied. This is due to mS-DS-MachineAccountQuota attribute in Active Directory.

If you want to allow users to add machines to the domain without being a domain admin this is also possible.

The following permissions are required to add a machine to the domain without being a domain admin...
Reset Password
Validated write to DNS host name
Validated write to service principal name
Write Account Restrictions

So the answer is you need to modify the permissions on the default domain controllers policy and remove authenticated users.

John: by default Authenticated Users can add up to 10 machines to the domain before getting access denied unless this policy has been changed to not allow this.

Will.
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40572904
It's a safe assumption, but it's safer yet to not make assumptions :)
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40572911
I do not have authenticated users on my servers (I do not need them). That is why I answered the way I did. I do understand what you have said. Thank you.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40572913
Also Take a look at the following link which outlines how to modify the Default Domain Policy.
Default Domain Controllers Policy

Will.
0

Featured Post

Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenario: Your operations manager has discovered an anomaly in your security system. The business will start to suffer within 15 minutes if it is a major IT incident. What should she do? We have 6 recommendations for managing major incidents (https:…
Note: This is the second blog post in a series on email clearinghouses (https://www.xmatters.com/alert-management/blog-email-has-failed-us?utm_campaign=70138000000ydLoAAI&utm_source=exex&utm_medium=article&utm_content=blog-post).   Every month t…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question