add workstation to domain permission

    Question

  • Hello

    I have a Win 2012 R2 server with AD DS. In the Default Domain Policy, under Computer Configuration/Local Policies/User Rights Assignment, I chose only Domain Admins, but I can add computers to the domain with any user I create who is not a member of any admins group, and I also didn't delegate control to any users or groups.

    Wednesday, August 10, 2016 11:10 AM

Answers

  • The ability to add 10 computers to the domain by any user, even non-Domain Admins, is the Windows AD DS default behavior. See thread below for ideas on how to block that.

    https://social.technet.microsoft.com/Forums/en-US/128048ab-12db-4beb-a6be-45ca8c65fe83/prevent-users-from-add-workstations-to-the-domain-settings-in-user-rights-on-domain-controller?forum=winserverDS


    Best Regards, Todd Heron | Active Directory Consultant


    Wednesday, August 10, 2016 11:45 AM
  • Hi,
    As Todd said, Users with this privilege can create up to 10 (by default) computer accounts in the default computers container.
    The limit of accounts every user can create is defined in the domain object, under the property ms-DS-MachineAccountQuota
    In order to prevent users from joining computers to the domain, you could try to perform these actions:
    1. Remove permissions to create computer accounts on the default computers container.
    2. Prevent users from using the "Add workstations to domain" privilege. This can be done either by modifying the ms-DS-MachineAccountQuota property on the domain to zero, or removing "Authenticated users" from the URA on the DCs (use Group Policy to make sure it'll apply to future DCs as well).
    Please see more details from:
    Preventing Users from Adding Computers to a Domain
    http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 11, 2016 8:18 AM
    Moderator
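The two settings named in the reply above can be audited and, if desired, hardened from PowerShell. The script below is an added example and is not part of the thread or of any Microsoft documentation; it assumes the RSAT ActiveDirectory module is available and that it runs with Domain Admin rights. The `-Remediate` switch is a hypothetical name chosen for this example; without it the script only reports. The schemaIDGUID of the computer class used to filter ACEs is the well-known value from the AD schema.

```powershell
# Added example (not from the thread): audit and optionally harden the settings
# that let any authenticated user join computers to the domain.
#Requires -Modules ActiveDirectory
param([switch]$Remediate)   # hypothetical switch: without it the script only reports

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. ms-DS-MachineAccountQuota on the domain object (default is 10).
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $domainDN = $quota"
if ($quota -ne 0) {
    Write-Warning "Any holder of 'Add workstations to domain' may join up to $quota computers; recommended value is 0."
    if ($Remediate) {
        Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
        Write-Host 'Quota set to 0; only principals with explicit Create-Child rights can now join computers.'
    }
}

# 2. Explicit 'Create computer objects' ACEs on the default Computers container.
#    Entries here are the delegation path that still works after the quota is 0,
#    so every IdentityReference listed should be an intended, reviewed principal.
$computersDN       = $domain.ComputersContainer
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$acl = Get-Acl -Path "AD:\$computersDN"
$createComputer = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
    ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [guid]::Empty)   # class-specific or "all child objects"
}
Write-Host "Principals allowed to create computer objects in $computersDN :"
$createComputer | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# 3. The user right itself (SeMachineAccountPrivilege, shown in the GUI as
#    "Add workstations to domain") is granted to Authenticated Users by the
#    Default Domain Controllers Policy; it is not exposed through the AD cmdlets,
#    so review and change it in that GPO under Computer Configuration > Policies >
#    Windows Settings > Security Settings > Local Policies > User Rights Assignment.
```

Run it once without `-Remediate` to see the current quota and the ACEs that grant computer creation on the Computers container. Lowering the quota to 0 removes the quota-based join path entirely; removing Authenticated Users from the user right on the domain controllers closes it as well, and doing both means a join afterwards succeeds only for principals that appear in the ACL listing. Any principal listed there that you did not deliberately delegate to is worth investigating, since it can join computer accounts regardless of the quota.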
