Prevent Authenticated user adding to domain
-
Monday, December 03, 2012 11:16 AM
Hi,
I have been trying to remove normal users' permission to join computers to the domain. By default any authenticated user can join a computer to the domain 10 times. I have removed Authenticated Users from the group policy and added Domain Admins and a security group. I have even set the attribute ms-DS-MachineAccountQuota to 0. But users are still able to join to the domain. I have 2 domain controllers and both are in the same location. Function level is Windows 2008 R2. Please help.
Regards,
Emthias Abdulsalam
All Replies
-
Tuesday, December 04, 2012 6:54 AM Moderator
Hi,
Where did you configure the Group Policy? Please understand that the “Add workstations to domain” security setting is only on domain controllers. In order to prevent domain users from adding computers to the domain, please locate Default Domain Controllers GPO and then navigate to the following path Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment to enable Add workstations to domain setting.
For details about how to prevent domain users from adding computers to the domain, please refer to the following article and similar thread. Hope this helps.
Prevent domain users from join/disjoin a domain
Normal Domain Users Can Join default 10 machines to a domain
http://awinish.wordpress.com/2011/02/06/prevent-domain-user-to-join-machine-to-domain/
Prevent Authenticated Users from adding Computers to the domain.
http://mctexpert.blogspot.com/2011/01/prevent-authenticated-users-from-adding.html
Best Regards,
Andy Qi
TechNet Community Support
- Proposed As Answer by i.biswajith Tuesday, December 04, 2012 8:12 AM
- Unproposed As Answer by Emthias Abdulsalam Monday, December 10, 2012 8:31 AM
- Marked As Answer by Andy Qi (Microsoft Contingent Staff, Moderator) Wednesday, December 12, 2012 2:54 AM
- Unmarked As Answer by Emthias Abdulsalam Wednesday, December 12, 2012 4:31 AM
-
Thursday, December 06, 2012 3:21 AM Moderator
Hi,
Any update about the issue?
Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
Best Regards,
Andy Qi
TechNet Community Support
-
Monday, December 10, 2012 8:31 AM
Hi Andy,
The “Add workstations to domain” security setting was configured in both the Default Domain Controllers policy and the Default Domain policy. I have removed this setting from the Default Domain policy. But unfortunately normal users are still able to join to the domain.
With Regards, Emthias Abdulsalam
-
Monday, December 10, 2012 8:41 AM
See this
Best regards, Biswajit Biswas. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
- Marked As Answer by Andy Qi (Microsoft Contingent Staff, Moderator) Wednesday, December 12, 2012 2:54 AM
- Unmarked As Answer by Emthias Abdulsalam Wednesday, December 12, 2012 4:30 AM
-
Wednesday, December 12, 2012 4:35 AM
Hi,
The ms-DS-MachineAccountQuota attribute is set to 0 and it is restricted in the domain policy as well. I applied these restrictions before writing to this forum. It is not working in my case.
With Regards, Emthias Abdulsalam
-
Monday, January 14, 2013 8:14 AM
Please run dcdiag /v /e and upload the output to SkyDrive.
Best regards, Biswajit Biswas
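
An added example, not part of any post in this thread: a PowerShell audit of the two settings discussed above (ms-DS-MachineAccountQuota and the "Add workstations to domain" user right) as they are actually in effect on a domain controller. It goes one step beyond the thread by also listing ACEs that allow creating computer objects in the default computers container. It assumes an elevated session on a DC with the ActiveDirectory module available.

```powershell
# Added example: audit who can create computer accounts in the domain.
# Assumes an elevated session on a domain controller with the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. ms-DS-MachineAccountQuota is stored on the domain root object (0 = no per-user quota).
$root = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $($root.'ms-DS-MachineAccountQuota')"

# 2. Effective "Add workstations to domain" right (SeMachineAccountPrivilege) on this DC,
#    exported from the local security database rather than read from the GPO editor.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege\s*=' | Select-Object -First 1
if ($line) {
    $holders = ($line.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    foreach ($h in $holders) {
        try {
            # Entries exported as *S-1-... are SIDs; translate them to account names.
            $sid  = [System.Security.Principal.SecurityIdentifier]$h
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $h   # already a name, or a SID that does not resolve
        }
        "SeMachineAccountPrivilege holder: $name"
    }
} else {
    'SeMachineAccountPrivilege: not assigned to anyone on this DC'
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Allow ACEs on the default computers container that permit creating computer objects
#    (an ACE for the computer class, or for all child classes).
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path ("AD:\" + $domain.ComputersContainer)).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Step 2 reports only the DC it runs on, so run it on each domain controller and compare the results.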


