Selective computer add-to-domain

    Question

  • Hi

    I've already configured the "Add workstations to domain" right in the Default Domain Policy so only Tier-2 IT members can add computers to the domain.

    Now, as they sometimes forget to properly move computers from the COMPUTERS container to the proper OU, I want to prevent them from using the Computers container.

    From ADUC I've modified the security settings on the COMPUTERS container, removing create/delete computer objects from their security group (so only Domain Admins and default groups such as Backup Operators keep the default security rights), and instructed them to join computers using `Add-Computer -DomainName "domain" -OUPath distinguishedName`.

    I tested dragging and dropping computers from and to the COMPUTERS container in ADUC and everything seems fine, but then I attempted to join a computer using the usual button from the Computer Name popup and still managed to join the computer to the COMPUTERS container (using an account that is in the Tier-2 security group).

    Any suggestion on how I could prevent this?

    Main reasons for this are:

    I can't apply GPOs to COMPUTERS, so I can't prevent someone from logging in locally if it's misconfigured.

    GPPs for printers, network shares and so on aren't applied either, so users tend to call support asking for them.

    Thanks in advance

    Tuesday, November 22, 2016 2:56 PM

Answers

  • 1. Yes that looks like an accurate procedure just skimming it quickly. If normal users don't have the rights delegated (by default they do in new domains), they won't be able to join any machines regardless of the quota. Chances are you'll need to bump that quota up, though.

    2. This would be done by editing any GPOs that apply to your DCs to grant that right.

    3. That's it.

    4. Look at this tool - https://adaclscan.codeplex.com/


    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by Ishmar Tuesday, November 22, 2016 10:39 PM
    Tuesday, November 22, 2016 10:21 PM
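    Points 1 and 4 of this answer (the machine-account quota, and reviewing who has been delegated what) can be checked from PowerShell without a third-party tool. The script below is an added example, not code from the thread or from the linked tool; it assumes the RSAT ActiveDirectory module is available and reads the ms-DS-MachineAccountQuota value of the domain head, then lists every explicit (non-inherited) ACE on the domain head, OUs and containers that grants or denies creation or deletion of computer objects. The function name and output column names are this example's own.

```powershell
# Added example (not from the thread): audit computer-object delegations and
# the machine-account quota. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ComputerObjectDelegation {
    $domain   = Get-ADDomain
    $schemaNc = (Get-ADRootDSE).schemaNamingContext

    # schemaIDGUID of the 'computer' class; an ACE whose ObjectType is this
    # GUID applies to computer objects only, an empty GUID applies to all classes.
    $computerClassGuid = [guid](Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

    # Bits that matter for joining: creating or deleting child objects.
    $mask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

    # Domain head plus every OU and container in the domain.
    $scopes = @($domain.DistinguishedName) + (Get-ADObject -SearchBase $domain.DistinguishedName `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))').DistinguishedName

    foreach ($dn in $scopes) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # report delegations where they are set
            $touchesChildren = [int]($ace.ActiveDirectoryRights -band $mask) -ne 0
            $coversComputers = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $computerClassGuid)
            if (-not ($touchesChildren -and $coversComputers)) { continue }

            $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'all object types' } else { 'computer objects' }
            [pscustomobject]@{
                Object   = $dn
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType
                Rights   = $ace.ActiveDirectoryRights
                Scope    = $scope
                Inherits = $ace.InheritanceType
            }
        }
    }
}

# Quota: the number of computer accounts a holder of "Add workstations to
# domain" may create in the default container (10 in a new domain).
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

Get-ComputerObjectDelegation | Sort-Object Object, Identity | Format-Table -AutoSize
```

    Because the domain head is included in the scan, an ACE inherited by every OU shows up once, at the object where it was defined, rather than once per OU. Accounts that join through an explicit Create Child delegation are not limited by the quota, so once joins are delegated per OU a common hardening step is to set ms-DS-MachineAccountQuota to 0; Brian's note about raising the quota applies to joins that still rely on the "Add workstations to domain" right.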

All replies

  • Ishmar-

    If you delegate the join rights (create computer, etc.) on the OUs you want to allow domain join to and then remove the legacy Add Workstations to Domain right, you'll get the result you want.

    You could also redirect the default computers container to a new OU and then you'd be able to apply a GPO to it.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Tuesday, November 22, 2016 4:37 PM
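    A join performed through the "Add workstations to domain" right creates the account in the default container without consulting the container's DACL, which is why trimming the ACL on CN=Computers alone did not stop it. The two steps Brian describes (delegate the right on the OUs you want, redirect the default container) can be scripted; the following is an added example, not code from the thread. It assumes an OU "OU=Workstations,DC=corp,DC=example", a group "Tier2-IT", the RSAT ActiveDirectory module, and Domain Admin rights.

```powershell
# Added example (not from the thread): delegate create/delete of computer
# objects on one OU to the Tier-2 group, then redirect the default Computers
# container to that OU so joins without -OUPath land somewhere a GPO applies.
Import-Module ActiveDirectory

$targetOu  = 'OU=Workstations,DC=corp,DC=example'   # assumed OU DN
$groupName = 'Tier2-IT'                              # assumed group name

# The schemaIDGUID of the 'computer' class limits the Create/Delete Child
# right to computer objects instead of every object type under the OU.
$schemaNc          = (Get-ADRootDSE).schemaNamingContext
$computerClassGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$groupSid          = (Get-ADGroup -Identity $groupName).SID

# Add one ACE: allow Tier2-IT to create and delete computer objects in this
# OU and every sub-OU (inheritance = All).
$acl  = Get-Acl -Path "AD:\$targetOu"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Redirect the default computer container (needs Windows Server 2003 or
# later domain functional level). New joins that omit an OU now land here.
redircmp $targetOu

# Verify: list the explicit (non-inherited) ACEs now present on the OU.
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

    Two caveats. First, this ACE covers creating new accounts; re-joining a machine whose computer object already exists also needs the attribute rights the Delegation of Control wizard's "Join a computer to the domain" task grants (reset password, write account restrictions, validated writes to DNS host name and service principal name). Second, removing the legacy "Add workstations to domain" right is done in the GPO linked to the Domain Controllers OU (by default the Default Domain Controllers Policy), under User Rights Assignment, not on the Default Domain Policy mentioned in the question.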
  • Hi Brian

    First of all, thanks for your quick answer. Could you please elaborate some more?

    1. For delegating join rights, I guess you mean using the answer given in this post. Also, how do I prevent normal users from joining up to 10 computers?
    2. Removing the legacy Add Workstations to Domain right. I've searched a bit about this. Do you mean removing them from the security tab? I've already done so on the Computers container. I guess you mean removing it from the domain root so they aren't allowed to create computer objects in any OU if not delegated. Should I remove them from the Default Domain Policy too?
    3. Didn't know I could redirect the Users or Computers containers! I guess this is the tutorial to follow.
    4. Last but not least. If I do some delegations, is there any easy way to review all of them? Let's say, in 2020 when I find this post and want to check my domain's safety, could I enumerate what is delegated to whom?

    Big big thanks!

    Tuesday, November 22, 2016 10:18 PM
  • Thanks Brian for your help. Will give a try and come back if I have any problem.

    Regards

    Tuesday, November 22, 2016 10:40 PM