Default User can Join Machines to AD

Hello EE,

I have a question: can someone please explain to me the process by which normal users can join machines to AD?
As far as I can tell from my research, users are by default able to join 10 machines to the domain, and the user who performs the join is entered into the MS-DS-Creator-SID of the machine's AD account.

http://support.microsoft.com/en-us/kb/243327
https://msdn.microsoft.com/en-us/library/ms678637%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/bb727067.aspx

The question is: if user X joins machine ABC and a rejoin of machine ABC is later needed, why can't user Y then join machine ABC? It's as if it is blocked so that only user X can now join the machine.

Can someone explain the process to me and how it all works? I looked into AD and tested it, and it seems that the SID of the user who joined the machine is not always entered in the MS-DS-Creator-SID and not always listed as owner in the security section, so I am confused why the machine is blocked for other users for rejoin purposes...

Teargas (Author, LVL 4) asked:
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Only domain admins can add machines to AD. Only local admins can change domain membership on a PC. So I have no clue what you are talking about.
Teargas (Author) commented:
By default, authenticated users are allowed to join ten machine accounts to the domain, @Qlemo.
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Definitely no. No one is allowed to perform changes on AD besides changing their own password, with the exception of domain admins. Adding machines to a domain is a security issue.
Teargas (Author) commented:
Hmm, OK. Then in the environment I'm in, normal users can perform AD joins of machines, so someone must have enabled it via GPO. I just understood it to be the default setting after reading http://support.microsoft.com/en-us/kb/243327

In the end, I don't know why the user who joined the AD object is kind of fixed and is blocking the object from being joined later by another user.

If the process were: user joins machine in AD > user SID gets entered as owner in security and as MS-DS-Creator-SID, it would be fine, but I tested it several times and it was not consistent. Sometimes the owner is blank, or the ms-creator-sid is, but it is still not possible to join with a different user than the one who originally joined the machine...

That normally only domain admins should be able to do it is understandable, but for now I can't change it; I just want to understand the process.
Will Szymkowski (Senior Solution Architect) commented:
@Qlemo -
> Only domain admins can add machines to AD. Only local admins can change domain membership on a PC. So no clue what you are talking about.

The above statement is completely false. By default, an authenticated user CAN add up to 10 machines to the domain. You can however block this feature via GPO (which I would recommend).

@Teargas -
> The question is, if user X joins machine ABC, a rejoin of machine ABC is needed why can't user Y then join the machine ABC, its like its blocked that only user X can now join the machine.

The reason why is pretty straightforward. When a user adds a machine to the domain (which has never been added before), a new Computer Account gets created. Hence the MS-DS-Creator-SID attribute and also ms-DS-MachineAccountQuota.

This is part of the MS-DS-Creator-SID attribute. However, if the machine needs to be re-added to the domain and the computer object still exists in Active Directory, then this is why it fails.

When you remove a machine from the AD domain the computer account still exists, but it is put in a Disabled state. When the user tries to re-join the machine to the domain it will try to use the same Computer account (which is disabled) because the name is the same.

At this point the user trying to add the machine back to the domain does not have the appropriate permissions on the computer account that is in a Disabled state to do this. They need to have write permissions to this object.

So if an Administrator were to delete the disabled account after the user removed it from the domain the User should be able to re-join the machine to the domain (if they have not gone over their limit of 10 adds). This is because they are creating a brand new computer object, which they are allowed to do. They however cannot modify permissions on this account after it has been created which is why they cannot add the machine back to the domain because the object already exists and they do not have modify permissions.

Hopefully this makes sense.

Take a look at the below link for additional details.
http://support.microsoft.com/en-us/kb/243327

Will.

Teargas (Author) commented:
Hi Will,

Thank you for your answer. That the AD machine account gets put into a disabled state I could see, but it seems the user X who joined the machine can rejoin it and therefore has to have write permissions. But why can user X rejoin the machine but not user Y, and why is the ms-ds-creator SID sometimes filled with user X's SID and sometimes not?

That's what I can't get my head around... that it's not consistent: sometimes the SID is written, sometimes not, and if the ms-ds-creator SID is not listed in the attributes of the machine's AD account it is not possible to join it with another user.

By the way, where is ms-DS-MachineAccountQuota listed? I can't see it in AD underneath my account or the machine account.
Dhaval Pandya (Exchange Administrator) commented:
I think you need to reset the computer account in the AD Users & Computers tool, and then try to rejoin it.

Also, ms-ds-creator SID isn't set if the user has domain admin permissions or has been delegated the permission to create objects, like "Add workstation to domain".
So when an admin creates an object or joins a computer, the ms-ds-creator SID field is blank; if you still want it, then enable Auditing to capture it.
Will Szymkowski (Senior Solution Architect) commented:
> but it seems the user X who joined the machine can rejoin it and therefor has to have write permissions

When User X initially added the computer account to the domain, they received add/remove rights to this particular machine in question. You will be able to see this info if you look at the security tab on the properties of the computer object itself.

Other domain admins' permissions are also added because they are inherited from the domain.com hierarchy.

This is why User Y does not have access to add/remove User X's computer object: these initial permissions were applied to the account that joined the machine to the domain.

Another scenario is where the computer object is located in Active Directory. If it is located in the default Computers container, then they will be able to add/remove this specific machine from the domain. However, if you move the computer object to an OU where the user does not have permissions, they will not be able to remove the machine from the domain, because the computer object inherits the permissions from the OU and that changes the default permissions that were applied when the machine was added to the domain. User X will not be able to remove the machine.

You can also test the above by checking the security of the machine after it has been applied.

Will.
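An added audit script (not posted by anyone in this thread) that shows the three things discussed above from the directory itself: where ms-DS-MachineAccountQuota actually lives (it is an attribute of the domain naming-context root object, DC=...,DC=..., which is why it does not appear on user or computer accounts), which computer objects carry a mS-DS-CreatorSID and who that resolves to, and who holds write rights on one computer object (the permission a re-join against an existing, disabled account needs). It assumes the RSAT ActiveDirectory module on a domain-joined machine; the computer name 'PC-ABC' is a placeholder.

```powershell
# Added audit script, not from the thread. Requires the RSAT ActiveDirectory module
# and a domain-joined session with read access to the directory.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. ms-DS-MachineAccountQuota is set on the domain naming-context root object
#    (DC=...,DC=...), not on user or computer accounts. Default is 10.
$root = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
"{0}: ms-DS-MachineAccountQuota = {1}" -f $domain.DNSRoot, $root.'ms-DS-MachineAccountQuota'

# 2. Computer objects created under the quota carry the joiner's SID in mS-DS-CreatorSID;
#    objects created by accounts holding explicit create rights leave it empty.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The AD module normally returns a SecurityIdentifier; handle raw bytes as well.
        $sid = if ($raw -is [byte[]]) { [System.Security.Principal.SecurityIdentifier]::new($raw, 0) } else { $raw }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }    # creator account deleted or not resolvable
        [pscustomobject]@{
            Computer = $_.Name
            Enabled  = $_.Enabled
            Created  = $_.whenCreated
            Creator  = $creator
        }
    } | Sort-Object Creator, Computer | Format-Table -AutoSize

# 3. Who can rewrite one computer object? Allow ACEs granting write-class rights,
#    with IsInherited showing whether they came from the OU or were set at creation.
#    'PC-ABC' is a placeholder; substitute the machine in question.
$pc  = Get-ADComputer -Identity 'PC-ABC'
$acl = Get-Acl -Path ("AD:\" + $pc.DistinguishedName)
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Comparing the third listing for a machine still in the Computers container with one moved to a restricted OU shows the inheritance effect Will describes.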