• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 229
  • Last Modified:

How to prevent users to add a workstation joining the domain without domain admin right

How to prevent users to add a workstation joining the domain without domain admin right
0
helpdesk_wlk
Asked:
helpdesk_wlk
  • 3
  • 3
  • 2
1 Solution
 
R. Toby RichardsNetwork AdministratorCommented:
One must have either belong to the Domain Administrators group or have been delegated extra privileges of his or her Organizational Unit by a Domain Administrator to add a workstation to the domain.
0
 
JohnBusiness Consultant (Owner)Commented:
I am not sure I understand entirely. A user CANNOT add a workstation to a domain. A domain Administrator must do this. Once added, a user can log on, of course.
0
 
R. Toby RichardsNetwork AdministratorCommented:
John: Although I doubt this is the case here, a DA can delegate a non-DA rights to add workstations and users to a particular OU, making that user an organizational unit administrator.
0
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

 
JohnBusiness Consultant (Owner)Commented:
I was assuming a random Joe user in my post, not a special user delegated the authority to add. Thank you for the clarification.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
The  "Add workstation to domain"  by default set to Authenticated Users on the Default Domain Controllers policy. You need to modify this and remove authenticated users. An Authenticated User (if this policy is enabled) has the rights to add 10 domain computers before getting access denied. This is due to mS-DS-MachineAccountQuota attribute in Active Directory.

If you want to allow users to add machines to the domain without being a domain admin this is also possible.

The following permissions are required to add a machine to the domain without being a domain admin...
Reset Password
Validated write to DNS host name
Validated write to service principal name
Write Account Restrictions

So the answer is you need to modify the permissions on the default domain controllers policy and remove authenticated users.

John: by default Authenticated Users can add up to 10 machines to the domain before getting access denied unless this policy has been changed to not allow this.

Will.
0
 
R. Toby RichardsNetwork AdministratorCommented:
It's a safe assumption, but it's safer yet to not make assumptions :)
0
 
JohnBusiness Consultant (Owner)Commented:
I do not have authenticated users on my servers (I do not need them). That is why I answered the way I did. I do understand what you have said. Thank you.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Also Take a look at the following link which outlines how to modify the Default Domain Policy.
Default Domain Controllers Policy

Will.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

  • 3
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now