How to Prevent Authenticated Users from joining Workstations to a Domain
بسم الله الرحمن الرحيم
I asked myself what is benefit from this option “by default, Windows Server allows authenticated users to join 10 machine accounts to the domain”. But I didn’t get an answer
Administrator can control it with two ways:
- Start – Administrative Tools – ADSI Edit
- Right click Domain Name – Properties
- Attribute Editor Tab – ms-DS-MachineAccountQuota – Click Edit – set to 0 –press ok
That users in the Administrators or Domain Administrators groups, and those users who have delegated permissions on containers in Active Directory to create and delete computer accounts, are not restricted by this limitation.
2-By Group Policy:
- Click Start – All programs – Administrative Tools – Group Policy Management.
- Create or Edit Group Policy Objects.
- Expand Computer Configuration – Policies – Windows Settings – Security Settings – User Rights Assignment
- From right pane right click on Add workgroup to domain – Properties – Add User or Group or remove unwanted user or group