Preventing Users from Joining the Domain

Friday, October 28, 2011

By default, when a Windows domain is created, authenticated users are granted the ability to join up to ten computers to the domain. While this may be very convenient from the end user's perspective, it is obviously a security risk for most organizations.

There are basically two methods to address this scenario. I generally implement both methods so that reverting the change made by one method does not allow users to resume this practice.

Method 1

The ten-computer limit is governed by the ms-DS-MachineAccountQuota attribute on the domain object in the directory, so you can lower this limit to zero by following these steps:

  1. Open ADSI Edit from the Administrative Tools folder.
  2. Right-click ADSI Edit and choose Connect To.
  3. In the Connection Point section, choose Select A Well Known Naming Context and, from the dropdown list, choose Default Naming Context.
  4. Click OK.
  5. Expand Default Naming Context.
  6. Right-click the dc=[domain],dc=[com] domain folder, and choose Properties.
  7. Select ms-DS-MachineAccountQuota and click Edit.
  8. Type 0.
  9. Click OK.


Method 2

You also have the ability to grant users and/or groups the right to add workstations to the domain. By default, the "Default Domain Controllers" group policy object (GPO) grants this right to Authenticated Users. Using the Group Policy editor, open the "Default Domain Controllers" GPO, navigate to the User Rights Assignment object, and locate the "Add workstations to domain" right. Edit this setting and remove all of the members listed. Make sure that you do not unselect the option to define the setting; if the setting is left undefined, the default behavior returns.

Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignments


Normally, implementing only one method is required. For either method, you must allow time for replication to occur on all of your domain controllers and, if you choose Method #2, for the GPO to refresh.
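The following PowerShell is an added example, not part of the original post: it reads and lowers ms-DS-MachineAccountQuota (Method 1) with the ActiveDirectory module, then lists the computer accounts that users have already joined under the quota, which neither method removes. It assumes the RSAT ActiveDirectory module is installed and that you run it as a domain administrator.

```powershell
# Added example: audit ms-DS-MachineAccountQuota and find computers joined under it.
# Assumption: ActiveDirectory module (RSAT) is available; run as a Domain Admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Read the current quota on the domain object (default is 10).
$domainObj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $($domainObj.'ms-DS-MachineAccountQuota')"

# 2. Set the quota to 0 (Method 1). -WhatIf previews the change; remove it to apply.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf

# 3. Computers joined by a user who lacked the "Add workstations to domain" right
#    (i.e. joined under the quota) carry the joining user's SID in mS-DS-CreatorSID.
#    Computers joined by accounts holding the right do not get this attribute, so
#    this query shows exactly which machines owe their existence to the quota.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The attribute may come back as a raw byte array or as a SecurityIdentifier.
        $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
               else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # joining account may since have been deleted
        [pscustomobject]@{
            Computer  = $_.Name
            JoinedBy  = $creator
            Created   = $_.whenCreated
        }
    } | Sort-Object Created | Format-Table -AutoSize
```

Review the listed machines and the accounts that joined them before lowering the quota; existing computer objects remain valid after the change.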

