Prevent joining a computer to the domain if it does not have a computer account in Active Directory

  • Question

  • Hi all,

    We are trying to enforce naming conventions when joining new machines to the domain, and we are thinking of the following:

    1. Create the new computer account manually in AD per the naming convention, and ask IT support to rename the new computer to that name and then join it to the domain.

    2. Block, by policy, joining machines to the domain if they do not have computer accounts in AD.

    How can we achieve point 2 above?

    Monday, January 25, 2016 7:26 AM

Answers

  • Hi Ahmad,

    A1. This can be done using pre-staging of the computer account.

    A2. As per this post, forcing pre-staging of computers is not doable.

    There is no way to block the admins: either they can join machines or they cannot. The only option is that you trust/train them.

    However, you can try this:

    Take everyone's rights away to create accounts and only assign permission to join the domain. This way the pre-staged computer names have to be used.

    Minimum Permissions Required Join Domain

    You can also narrow down the permission to Create Computer on only a particular OU; this way admins will not be able to create in the Root\Computer OU using the GUI.

    If they use the correct name, then thanks to the pre-staged computer in the correct OU, they will be able to join the computer.

    References:

    To prestage a client computer to join a domain:

    https://technet.microsoft.com/en-us/library/cc754289(v=ws.10).aspx#BKMK_1


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    • Proposed as answer by Mary Dong Tuesday, February 2, 2016 7:31 AM
    • Marked as answer by Mary Dong Thursday, February 4, 2016 9:22 AM
    Monday, January 25, 2016 8:20 AM
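The pre-staging approach described in the answer above, as an added PowerShell example that is not part of the original thread: it enforces a naming convention before creating the account, creates the account in the target OU, and grants one group only the object-level rights a domain join needs (Reset Password, validated writes to DNS host name and SPN, and write to the Account Restrictions property set, which is the set I assume to be the minimum; the GUI pre-staging wizard grants a similar set). The computer name, OU, group name and name pattern are placeholders I made up; the ActiveDirectory RSAT module is assumed to be installed and the caller is assumed to have rights on the target OU.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is available; OU, group and computer names are placeholders.
Import-Module ActiveDirectory

$ComputerName = 'WS-LON-0042'                        # constructed name that follows the convention
$TargetOU     = 'OU=Workstations,DC=example,DC=com'  # placeholder OU for pre-staged accounts
$JoinGroup    = 'EXAMPLE\Desktop-Joiners'            # placeholder group allowed to join this account
$NamePattern  = '^WS-[A-Z]{3}-\d{4}$'                # assumed convention: WS-<SITE>-<NNNN>

# Enforce the naming convention before anything is written to the directory.
if ($ComputerName -notmatch $NamePattern) {
    throw "'$ComputerName' does not follow the naming convention $NamePattern."
}

# 1. Pre-stage: create the (enabled) account in the correct OU.
New-ADComputer -Name $ComputerName -Path $TargetOU -Enabled $true

# 2. Grant the join group only the rights a domain join needs on this one object.
#    GUIDs are the well-known AD extended-right / property-set identifiers.
$rights = @(
    @{ Name = 'Reset Password';                   Guid = '00299570-246d-11d0-a768-00aa006e0529'; Type = 'ExtendedRight' }
    @{ Name = 'Validated write to DNS host name'; Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd'; Type = 'Self' }
    @{ Name = 'Validated write to SPN';           Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1'; Type = 'Self' }
    @{ Name = 'Write Account Restrictions';       Guid = '4c164200-20c0-11d0-a768-00aa006e0529'; Type = 'WriteProperty' }
)
$sid = (New-Object System.Security.Principal.NTAccount($JoinGroup)).Translate([System.Security.Principal.SecurityIdentifier])
$dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"
foreach ($r in $rights) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Type,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]$r.Guid
    )
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$dn" -AclObject $acl

# 3. Verify: show exactly which ACEs the join group now holds on the pre-staged object.
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinGroup } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
```

Because the join group receives rights on this single object only (and no Create Child right on the OU), a technician in that group can join a machine that has been renamed to the pre-staged name but cannot join one under any other name. Run the block once per pre-staged machine; the verification step at the end is what you would check if a join later fails with an access-denied error.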

All replies

  • I am thinking about the following:

    • Have the computer accounts created by a team which is capable of respecting the naming convention
    • Make this team delegate the domain join to the respective persons (they need to update the Managed By field)
    • Revoke the creation and update of computer accounts for users who should not be able to do it, and do not forget to apply this too: https://support.microsoft.com/en-us/kb/243327

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    Monday, January 25, 2016 9:20 AM
  • Hi,

    Forcing pre-staging is not possible in an Active Directory environment. Please see the link below for more details.

    https://social.technet.microsoft.com/Forums/office/en-US/b53a5aed-df00-4ddb-9698-00f9bab13b4d/forcing-prestaging-computers?forum=winserverDS

    But we can prevent all users from creating computer accounts in the "Computers" container of a domain except one privileged group, so that no authenticated users can create a computer account in the Computers container. Add some users to the privileged group.

    Follow the steps below.

    1. Right-click on the "Computers" OU and go to the Security tab.
    2. Click on Advanced.
    3. Click Add and type the group name as "Domain Users".
    4. In the Apply to section, select "Descendant Computer Objects".
    5. Select "Deny" Full Control.
    6. Click OK.

    Create a special group who will be joining the pre-staged computers to the domain. Remove the "Domain Users" group from the membership of all the users who are members of this special group. Note: make any other group the primary group for those users.

    Now do the following

    1. Right-click on the "Computers" OU.
    2. Click on Delegate Control.
    3. Click Next.
    4. To add the special group who will be joining the pre-staged computers to the domain, click Add. Once you are done, click Next.
    5. Tasks to Delegate: click Create a custom task to delegate. Click Next.
    6. Choose Only the following objects in the folder and check the box Computer Objects. Check the box Create selected objects in this folder. Click Next.
    7. Permissions: select General, select Create All Child Objects. Click Next.
    8. Click Finish.

    I have not tried this in my environment but you can try in your engineering environment (Not in your production environment). If everything works fine then you can implement the same on your prod environment.

    Please let me know the result.

    Thanks,

    Arindam

    Monday, January 25, 2016 4:17 PM
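The two controls the last two replies describe, as an added PowerShell example that is not part of the original thread: the ms-DS-MachineAccountQuota change from KB243327 that Ahmed MALEK links (the attribute defaults to 10, which lets every authenticated user create up to ten computer accounts regardless of OU delegation), and the delegation of account creation to a single group that Arindam's steps perform in the GUI. It differs from those steps in two deliberate ways: it relies on the quota instead of a Deny ACE against Domain Users (a Deny ACE applies to every member of Domain Users, which is why the steps above also require removing that group from the delegated users), and it delegates Create Child for the computer class only rather than Create All Child Objects. The OU and group names are placeholders I made up; the ActiveDirectory RSAT module and Domain Admin rights are assumed.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is available and the caller is a Domain Admin; OU and group
# names are placeholders.
Import-Module ActiveDirectory

$Domain     = Get-ADDomain
$StagingOU  = "OU=Workstations,$($Domain.DistinguishedName)"  # placeholder OU where accounts are pre-staged
$StageGroup = "$($Domain.NetBIOSName)\Computer-Stagers"       # placeholder group allowed to create accounts

# 1. KB243327: set ms-DS-MachineAccountQuota to 0 so authenticated users lose the
#    implicit right to create their own computer accounts in the Computers container.
Set-ADDomain -Identity $Domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Delegate "Create Child" for computer objects only, on the staging OU only,
#    to the staging group. bf967a86-... is the well-known schemaIDGUID of the
#    'computer' class.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$sid = (New-Object System.Security.Principal.NTAccount($StageGroup)).Translate([System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$StagingOU"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$StagingOU" -AclObject $acl

# 3. Verify both controls: the quota is 0 and only the intended principals hold
#    Create Child for the computer class on the staging OU.
$quota = (Get-ADObject -Identity $Domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"
(Get-Acl -Path "AD:\$StagingOU").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and $_.ObjectType -eq $ComputerClassGuid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```

After this, a user who is not in the staging group (and not otherwise delegated) cannot create a computer account anywhere, so a machine whose name does not match a pre-staged account simply fails to join; the staging team remains the only place where names enter the directory. The verification output is worth keeping from a test environment, as Arindam suggests, so you can compare it against production before rolling the change out.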