Restrict Employees from Joining the Domain

Hello,

I am running Active Directory and currently anyone can join a computer to our domain as long as you have valid domain credentials.
How do I restrict that so only an approved set of users can join a PC to the domain?  

Thank you!
zito2000 asked:
timgreen7077 (Exchange Engineer) commented:
0
Tom Cieslik (IT Engineer) commented:
You can set a limit on the number of workstations a single user can add to the domain.

https://support.microsoft.com/en-us/help/243327/default-limit-to-number-of-workstations-a-user-can-join-to-the-domain


If you set the limit to 0, you will lock the domain and prevent users from joining computers to the domain.
0
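The quota discussed above is the ms-DS-MachineAccountQuota attribute on the domain naming context. The following PowerShell is an added example, not code from the thread or the linked Microsoft article: it reads the current value, lists the computer accounts that ordinary users have already created through that quota (those objects carry the creator's SID in mS-DS-CreatorSID), and then sets the quota to 0. It assumes the ActiveDirectory module (RSAT) is installed and that it runs as an account allowed to modify the domain object, from an administrative host rather than a user workstation.

```powershell
# Added example (not from the thread). Reads the domain-wide machine account
# quota, lists computer accounts created through that quota, then sets the
# quota to 0. Requires the ActiveDirectory module and rights to modify the
# domain naming context. The domain is whatever Get-ADDomain returns.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Read the current quota. The default is 10; if the attribute is not set
#    the directory behaves as if it were 10.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($null -eq $quota) { $quota = 10 }
Write-Host "ms-DS-MachineAccountQuota on $domainDN is currently $quota"

# 2. Computer objects created by a non-admin via the quota keep the creator's
#    SID in mS-DS-CreatorSID. Listing them shows who has been joining machines
#    and which objects those users still have rights over. Setting the quota
#    to 0 does not touch these existing objects.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $creator = try {
            (New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { 'unresolved SID' }
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $creator; WhenCreated = $_.whenCreated }
    } | Format-Table -AutoSize

# 3. Set the quota to 0 so that Authenticated Users can no longer create
#    computer objects through the "Add workstations to domain" user right.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 4. Verify.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota is now $quota"
```

Setting the quota to 0 only closes the quota path. Accounts that hold explicit Create Computer objects permission on a container (which is how delegation works) and members of Domain Admins are unaffected, so this is the step that makes the later delegation the only way for non-admins to join machines.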
John (Business Consultant, Owner) commented:
I am running Active Directory and currently anyone can join a computer to our domain as long as you have valid domain credentials.

In addition to the above, stop this practice, change the domain admin password to a strong and secure password. No one but domain admins should have this password.
0

Sekar Chinnakannu (Staff Engineer) commented:
The same can be done via delegation, enabling it for a specific set of users using AD groups: https://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
0
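Delegating the join to a group means granting that group, on one OU, the permissions a domain join actually uses: Create (and Delete) Computer objects on the OU, and on descendant computer objects the Reset Password control right, read/write of the Account Restrictions property set, and the validated writes to DNS host name and service principal name. The script below is an added example, not the code from the linked article; the OU name OU=Workstations,DC=corp,DC=example and the group name Workstation-Joiners are assumptions. It needs the ActiveDirectory module and PowerShell 5.1 or later (for the ::new constructor syntax).

```powershell
# Added example (not from the thread or the linked article). Grants a
# security group the permissions needed to join computers into one OU.
# Assumed names: OU=Workstations,DC=corp,DC=example and group
# Workstation-Joiners. Requires the ActiveDirectory module and rights to
# change the OU's ACL.
Import-Module ActiveDirectory

$ouDN  = 'OU=Workstations,DC=corp,DC=example'          # assumed
$group = Get-ADGroup -Identity 'Workstation-Joiners'    # assumed
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

$rootDse = Get-ADRootDSE

# Object-specific ACEs are keyed by GUID: the computer class GUID from the
# schema, and the control-right GUIDs from CN=Extended-Rights.
function Get-SchemaClassGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ControlRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$computerClass       = Get-SchemaClassGuid 'computer'
$resetPassword       = Get-ControlRightGuid 'Reset Password'
$accountRestrictions = Get-ControlRightGuid 'Account Restrictions'   # property set
$validatedDnsHost    = Get-ControlRightGuid 'Validated write to DNS host name'
$validatedSpn        = Get-ControlRightGuid 'Validated write to service principal name'

$ADS   = [System.DirectoryServices.ActiveDirectoryRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: create and delete computer objects in this OU and its sub-OUs.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($ADS::CreateChild -bor $ADS::DeleteChild), $Allow, $computerClass, $Inh::All))

# ACEs 2-5: on descendant computer objects only, the rights a join needs
# to reuse a pre-staged or previously joined account.
$descendantRights = @(
    @{ Right = $ADS::ExtendedRight;                            Guid = $resetPassword },
    @{ Right = ($ADS::ReadProperty -bor $ADS::WriteProperty);  Guid = $accountRestrictions },
    @{ Right = $ADS::Self;                                     Guid = $validatedDnsHost },
    @{ Right = $ADS::Self;                                     Guid = $validatedSpn }
)
foreach ($r in $descendantRights) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $r.Right, $Allow, $r.Guid, $Inh::Descendents, $computerClass))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Show what the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

A technician in the group then joins a machine with `Add-Computer -DomainName corp.example -OUPath 'OU=Workstations,DC=corp,DC=example' -Credential (Get-Credential)` (assumed domain name). The OU must be given explicitly, or the default Computers container redirected to that OU, because the group has no rights in CN=Computers. Pair this with ms-DS-MachineAccountQuota set to 0, otherwise every authenticated user can still join via the quota regardless of this ACL.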
Shaun Vermaak (Technical Specialist) commented:
In addition to the above, stop this practice, change the domain admin password to a strong and secure password. No one but domain admins should have this password.
You are misunderstanding. Any normal user can join a device (limited to 10), as per ms-DS-MachineAccountQuota linked in the above article.

Delegation to allow a specific group can only be done after setting the value. If you do delegation, follow this principle:
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
0
John (Business Consultant, Owner) commented:
I have never seen a normal user join a domain. It will always request domain credentials. That is my experience, in any event.
1
Shaun Vermaak (Technical Specialist) commented:
Try it
0
John (Business Consultant, Owner) commented:
I have. Not possible on any of our server systems. As I noted, my experience here.
0
Shaun Vermaak (Technical Specialist) commented:
[image: AddWorkstationsToDomain-1-.png]
0
John (Business Consultant, Owner) commented:
According to this (below), standard users can be granted the right. New to me; I did not know about that before.

But we do not grant anyone the right to join a domain.

https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstation-to-the-domain/
0
Shaun Vermaak (Technical Specialist) commented:
It is default
0
John (Business Consultant, Owner) commented:
It was removed in our setups here.
0
Shaun Vermaak (Technical Specialist) commented:
So? The OP is not running your setup. It is the default behaviour.
0
John (Business Consultant, Owner) commented:
Whenever we add a computer, we MUST use Domain Admin credentials to add it.
0
Shaun Vermaak (Technical Specialist) commented:
Whenever we add a computer, we MUST use Domain Admin credentials to add it.

That is just silly, because you are exposing your DA account on a tier 2 device. You should never log in to a workstation with DA.
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html

You are leaving your DA hashes all over your environment. Easy to get and crack hashes, similar to this:
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html

Delegate the join to technicians like this:
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
0
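The exposure described above is measurable: every interactive logon by a Domain Admin to a workstation is written to that workstation's Security log as event 4624 with logon type 2 (console), 10 (RDP) or 11 (cached credentials), and those are the logon types that leave credential material behind on the machine. The script below is an added example, not from the thread or the linked articles; run it elevated on a workstation, or point Get-WinEvent at a central collector. It assumes the ActiveDirectory module is available and that the group is named Domain Admins.

```powershell
# Added example (not from the thread). Finds interactive logons by members
# of Domain Admins on this machine in the last 30 days. These are the logons
# that cache hashes/tickets on a tier-2 device. Run elevated; requires the
# ActiveDirectory module to expand the group.
Import-Module ActiveDirectory

$days   = 30
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Where-Object objectClass -eq 'user' |
          ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# Logon types that leave reusable credentials on the host: 2 = Interactive,
# 10 = RemoteInteractive (RDP), 11 = CachedInteractive. Network (3) does not.
$riskyTypes = '2', '10', '11'

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$days) }
$hits = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Pull the EventData fields out of the event XML into a hashtable.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($riskyTypes -contains $d.LogonType -and
        $d.TargetUserName -and
        $admins -contains $d.TargetUserName.ToLowerInvariant()) {
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Process   = $d.ProcessName
            Source    = $d.IpAddress
        }
    }
}

if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize }
else       { Write-Host "No Domain Admin interactive logons found in the last $days days." }
```

Any row this prints is a machine that should be treated as having held a tier-0 credential, which is exactly what the delegated join account in the earlier comments avoids: the technician's account can create and reset computer objects in one OU and nothing else, so its exposure on a workstation is limited to that.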
John (Business Consultant, Owner) commented:
What is silly about adding a workstation to a domain? That is necessary, not silly, and we do not let users do this.
0
Shaun Vermaak (Technical Specialist) commented:
Read my comment properly. You are using your DA account to join a domain. You are using your DA credentials on the workstation.
0
zito2000 (Author) commented:
All of these options would work and are very helpful.
Thank you!
0
Active Directory