How to Prevent Authenticated Users from joining Workstations to a Domain
بسم الله الرحمن الرحيم
I asked myself what is benefit from this option “by default, Windows Server allows authenticated users to join 10 machine accounts to the domain”. But I didn’t get an answer
Administrator can control it with two ways:
1-By Adsiedit:
- Start – Administrative Tools – ADSI Edit
- Right click Domain Name – Properties
- Attribute Editor Tab – ms-DS-MachineAccountQuota – Click Edit – set to 0 –press ok
Note:
That users in the Administrators or Domain Administrators groups, and those users who have delegated permissions on containers in Active Directory to create and delete computer accounts, are not restricted by this limitation.
2-By Group Policy:
- Click Start – All programs – Administrative Tools – Group Policy Management.
- Create or Edit Group Policy Objects.
- Expand Computer Configuration – Policies – Windows Settings – Security Settings – User Rights Assignment
- From right pane right click on Add workgroup to domain – Properties – Add User or Group or remove unwanted user or group
Posted on November 9, 2011, in Group Policy, HOW TO ? and tagged Add workgroup to domain, Adsiedit, Authenticated Users, ms-DS-MachineAccountQuota. Bookmark the permalink. 4 Comments.
2. Do I have apply these settings on Domain Policy or Domain Controller Policy?
Thanks for comment
I applied these settings on Domain Policy.
As salaamu alaikum. Its nice to see some other people finding this problem. One other possible solution to this is redirecting the default computers container to a different OU. I think in that case, the method that allows standard users to create computer objects fails. There are some security concerns with the ability to create computer accounts, you can check out some of my work on this at my blog http://myitpath.blogspot.com/2010/05/creating-infinite-semi-anonymous.html
Thanks for comment and nice blog