By default, when a Windows domain is created, authenticated users are granted the ability to join up to ten computers to the domain. While this may be very convenient from the end user’s perspective, it is obviously a security risk for most organizations.
There are basically two methods to address this scenario. I generally implement both methods to ensure that reverting the changes of one method, does not allow users to continue this practice.
Method #1
The “ten” computer limitation is governed by the ms-DS-MachineAccountQuota attribute in the directory, so you
can adjust this limit down to zero by following these steps:
- Open ADSI Edit from the Administrative Tools folder.
- Right-click ADSI Edit and choose Connect To.
- In the Connection Point section, choose Select A Well Known Naming Context and, from the dropdown list and choose Default Naming Context.
- Click OK.
- Expand Default Naming Context.
- Right-click the dc=[domain],dc=[com] domain folder, and choose Properties.
- Select
ms-DS-MachineAccountQuotaand click Edit. - Type 0.
- Click OK.
Method #2
You also have the ability to provide rights to users and/groups to add workstations to the domain. By default, the “Default Domain Controllers” group policy object (GPO) provides this right. Using the Group Policy editor, open the Default Domain Controllers GPO and navigate to the User Rights Assignment object, and locate the Add workstations to domain right.
Edit these settings and remove all of the members listed. Make sure that you do not unselect the option to define the setting.
Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Local Policies –> User Rights Assignments
Normally, only implementing one method is required. For either method, you must ensure that you allow time for replication to occur and for the GPO to refresh (if you choose Method #2) on all of your domain controllers.
