Default User can Join Machines to AD

Hello EE,

I have a question: can someone please explain to me the process of how normal users can join machines to AD?
As far as I can tell from my research, users are by default able to join 10 machines to the domain, and the user who joins the machine is entered into the mS-DS-CreatorSID of the machine's AD account.

http://support.microsoft.com/en-us/kb/243327
https://msdn.microsoft.com/en-us/library/ms678637%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/bb727067.aspx

The question is: if user X joins machine ABC, and a rejoin of machine ABC is needed, why can't user Y then join machine ABC? It is as if it were blocked so that only user X can now join the machine.

Can someone explain the process to me and how it all works? I looked into the AD and tested it, and it seems that the SID of the user who joined the machine is not always entered in mS-DS-CreatorSID and not always listed as owner in the security section, so I am confused about why the machine is blocked for other users for rejoin purposes...

Tags: Active Directory, Windows Server 2008, Microsoft Server OS

Last comment: Will Szymkowski, 8/22/2022 - Mon
Qlemo

Only domain admins can add machines to AD. Only local admins can change domain membership on a PC. So no clue what you are talking about.
Teargas

ASKER
By default, authenticated users are able to join ten machine accounts to the domain, @qlemo.
Qlemo

Definitely no. No one is allowed to perform changes on AD besides changing their own password, with the exception of domain admins. Adding machines to a domain is a security issue.
Teargas

ASKER
Hmm, ok. Then in the environment I'm in, normal users can perform AD joins of machines, so someone must have enabled it via GPO; I just read that this would be the default setting after reading http://support.microsoft.com/en-us/kb/243327

In the end, I don't know why the user who joined the AD object is kind of fixed and is blocking the object from being joined later by another user.

If the process were: user joins machine in AD > user SID gets entered as owner in security and as mS-DS-CreatorSID, it would be fine, but I tested it several times and it was not consistent. Sometimes the owner is blank, or the mS-DS-CreatorSID, but it is still not possible to join with a different user than the one who originally joined the machine...

That normally only domain admins should be able to do it is understandable, but for now I can't change it; I just want to understand the process.
ASKER CERTIFIED SOLUTION
Will Szymkowski

Teargas

ASKER
Hi Will,

Thank you for your answer. That the AD machine account gets disabled I could see, but it seems the user X who joined the machine can rejoin it and therefore has to have write permissions. But why can user X rejoin the machine and not user Y, and why is the mS-DS-CreatorSID sometimes filled with user X's SID and sometimes not?

That's what I can't get my head around... that it's not consistent: sometimes the SID is written, sometimes not, and if mS-DS-CreatorSID is not listed in the attributes of the machine's AD account it is not possible to join it with another user.

By the way, where is ms-DS-MachineAccountQuota listed? I can't see it in AD under my account or the machine account.
Dhaval Pandya

I think you need to reset the computer account in the AD Users & Computers tool, and then try to rejoin it.

Also, mS-DS-CreatorSID isn't set if the user has domain admin permissions or has been delegated the permission to create objects, like "Add workstations to domain".
So when an admin creates an object or joins a computer, the mS-DS-CreatorSID field is blank. If you still want to know who did it, enable auditing to capture it.
Will Szymkowski

"but it seems the user X who joined the machine can rejoin it and therefore has to have write permissions"

When User X initially added the computer account to the domain, they were given add/remove rights to this particular machine in question. You will be able to see this info if you look at the security tab on the properties of the computer object itself.

Other domain admin permissions are also added because they are inherited from the domain.com hierarchy.

This is why User Y does not have access to add/remove User X's computer object: these initial permissions were applied to the account that joined the machine to the domain.

Another scenario is where the computer object is located in Active Directory. If it is located in the default Computers container, then they will be able to add/remove this specific machine from the domain. However, if you move the computer object to an OU where the user does not have permissions, they will not be able to remove the machine from the domain, because the computer object inherits the permissions from the OU and that changes the default permissions that were applied when the machine was added to the domain. User X will not be able to remove the machine.

You can also test the above by checking the security of the machine after it has been applied.

Will.
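To check the three things discussed in this thread (the quota, the creator SID, and the explicit rights on the computer object) from one place, here is an added example using the ActiveDirectory PowerShell module; it is not code from the thread, and the computer name 'PC01' is a placeholder:

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT)
# and a user that can read the domain; no changes are made.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1) ms-DS-MachineAccountQuota lives on the domain naming-context head object,
#    not on any user or computer account, which is why it is not visible there.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2) List every computer object with its decoded mS-DS-CreatorSID. The attribute
#    is stored as a byte array and is only populated when the joiner consumed
#    quota; it stays empty when the creator had explicit create-child rights,
#    which is the inconsistency the asker observed.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' | ForEach-Object {
    $creator = $null
    if ($_.'mS-DS-CreatorSID') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # SID no longer resolvable (user deleted)
    }
    [pscustomobject]@{ Computer = $_.Name; Creator = $creator; DN = $_.DistinguishedName }
} | Format-Table -AutoSize

# 3) Show the explicit (non-inherited) ACEs on one computer object. This is where
#    the joining user's add/remove rights that Will describes appear; an object
#    moved to a restricted OU will show different, inherited entries instead.
$dn = (Get-ADComputer -Identity 'PC01').DistinguishedName
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
```

Computer objects with an empty Creator column were created by an account holding explicit create rights, so their join history has to come from auditing rather than from the attribute.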