
Preventing Users from Joining the Domain

Friday, October 28, 2011

By default, when a Windows domain is created, authenticated users are granted the ability to join up to ten computers to the domain. While this may be very convenient from the end user's perspective, it is obviously a security risk for most organizations.

There are two methods for addressing this. I generally implement both, so that reverting the change made by one method does not allow users to resume this practice.

Method 1

The ten-computer limit is governed by the ms-DS-MachineAccountQuota attribute on the domain object, so you can lower this limit to zero by following these steps:

  1. Open ADSI Edit from the Administrative Tools folder.
  2. Right-click ADSI Edit and choose Connect To.
  3. In the Connection Point section, choose Select A Well Known Naming Context and, from the dropdown list, choose Default Naming Context.
  4. Click OK.
  5. Expand Default Naming Context.
  6. Right-click the dc=[domain],dc=[com] domain folder, and choose Properties.
  7. Select ms-DS-MachineAccountQuota and click Edit.
  8. Type 0.
  9. Click OK.


[Screenshot: the ms-DS-MachineAccountQuota attribute in ADSI Edit]

Method 2

You can also control which users and/or groups have the right to add workstations to the domain. By default, the "Default Domain Controllers" group policy object (GPO) grants this right to Authenticated Users. Using the Group Policy editor, open the "Default Domain Controllers" GPO, navigate to the User Rights Assignment node, and locate the "Add workstations to domain" right. Edit this setting and remove all of the members listed. Make sure that you leave the setting defined (do not clear the "Define these policy settings" checkbox); an undefined setting is not enforced and the default would apply again.

Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignments



[Screenshot: the "Add workstations to domain" user right in the Group Policy editor]


Normally, implementing only one method is required. With either method, you must allow time for replication to complete on all of your domain controllers, and for the GPO to refresh on them if you chose Method #2.
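As an added example (not part of the original post), the following PowerShell uses the ActiveDirectory module to read the current quota, list the computers that were joined under the quota (those carry the mS-DS-CreatorSID attribute naming the ordinary user who created them), apply Method 1 by setting the quota to 0, and then check the value on every domain controller so you can tell when replication has finished. It assumes RSAT is installed and that it runs under a domain administrator account; the function names are my own.

```powershell
# Added example, not part of the original post. Assumes the RSAT
# ActiveDirectory module and a domain administrator session.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Read ms-DS-MachineAccountQuota from the domain head, optionally from one DC.
function Get-MachineAccountQuota {
    param([string]$Server)
    $params = @{ Identity = $domainDN; Properties = 'ms-DS-MachineAccountQuota' }
    if ($Server) { $params['Server'] = $Server }
    (Get-ADObject @params).'ms-DS-MachineAccountQuota'
}

# Resolve a raw mS-DS-CreatorSID byte array to DOMAIN\user where possible.
function Resolve-CreatorSid {
    param([byte[]]$SidBytes)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidBytes, 0)
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# 1. Current quota (10 on a freshly created domain).
"Quota before change: $(Get-MachineAccountQuota)"

# 2. Audit: computers created under the quota rather than through a delegated
#    right carry mS-DS-CreatorSID, which identifies the user who joined them.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = Resolve-CreatorSid $_.'mS-DS-CreatorSID'
            WhenCreated = $_.whenCreated
        }
    } | Format-Table -AutoSize

# 3. Method 1: set the quota to 0 on the default naming context.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 4. Verify on every DC; a value other than 0 means replication is still pending.
Get-ADDomainController -Filter * | ForEach-Object {
    "{0}: {1}" -f $_.HostName, (Get-MachineAccountQuota -Server $_.HostName)
}
```

The audit in step 2 is worth keeping as a recurring check even after the quota is 0, since it shows any computer objects that predate the change and who created them.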
