
Preventing Users from Joining the Domain

By default, when a Windows domain is created, authenticated users are granted the ability to join up to ten computers to the domain. While this may be very convenient from the end user's perspective, it is a clear security risk for most organizations: any domain user can introduce an unmanaged machine account into the directory.

There are two methods to address this. I generally implement both so that reverting the change made by one method does not, on its own, allow users to resume joining computers.

Method #1

The ten-computer limit is governed by the ms-DS-MachineAccountQuota attribute on the domain naming context, so you can lower this limit to zero by following these steps:

  1. Open ADSI Edit from the Administrative Tools folder.
  2. Right-click ADSI Edit and choose Connect To.
  3. In the Connection Point section, choose Select A Well Known Naming Context and, from the drop-down list, choose Default Naming Context.
  4. Click OK.
  5. Expand Default Naming Context.
  6. Right-click the dc=[domain],dc=[com] domain folder, and choose Properties.
  7. Select ms-DS-MachineAccountQuota and click Edit.
  8. Type 0.
  9. Click OK.

Method #2

You can also control which users and/or groups hold the right to add workstations to the domain. By default, the "Default Domain Controllers" group policy object (GPO) grants this right to Authenticated Users. Using the Group Policy editor, open the Default Domain Controllers GPO, navigate to the User Rights Assignment node, and locate the Add workstations to domain right.

Edit the setting and remove all of the members listed. Make sure you do not clear the option that defines the policy setting: the right must remain defined, with an empty member list, or the default will reapply.

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment


Normally, implementing only one method is required. Whichever you choose, allow time for replication to reach all of your domain controllers and, if you choose Method #2, for the GPO to refresh on each of them.
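The following PowerShell is an added example (not part of the original post) that checks and enforces the Method #1 quota, shows the effective Method #2 right on a domain controller, and audits which computer accounts were joined under the default quota. It assumes the ActiveDirectory module (RSAT) is installed and that it runs as an account permitted to modify the domain naming context.

```powershell
# Added example, not from the original post: verify and enforce both settings, then
# audit computer accounts that were joined under the quota. Assumes the ActiveDirectory
# module (RSAT) and that it runs as a user who may modify the domain naming context.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# Method #1: ms-DS-MachineAccountQuota lives on the domain naming-context head object.
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $dn is currently: $quota"
if ($quota -ne 0) {
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host 'Quota set to 0; allow replication to reach all domain controllers.'
}

# Method #2 check (run on a domain controller): export the effective user-rights
# assignment and show who still holds SeMachineAccountPrivilege, the privilege behind
# "Add workstations to domain".
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$match = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
if ($match) { Write-Host "Effective right on this DC: $($match.Line)" }
else        { Write-Host 'SeMachineAccountPrivilege: no holders exported on this DC.' }
Remove-Item $inf -ErrorAction SilentlyContinue

# Audit: a computer account created by a user under the quota (rather than by someone
# with explicit Create Child rights on the container) records the creator's SID in
# mS-DS-CreatorSID, so listing those accounts shows what the default has allowed so far.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account may since have been deleted
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $creator; Created = $_.whenCreated }
    } | Sort-Object Created | Format-Table -AutoSize
```

The audit list is worth reviewing before tightening the settings, since it shows machines that were never provisioned by an administrator and may need to be re-joined by one or removed.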
