 AD – Domain Users can join computers to Domain.
Hi there, I've just discovered that anyone who is just a member of Domain Users can join a computer to our Domain. It's freaked me out and I can't see why. How do I find the "Join to a Domain" security permission and see what groups have rights to do this? rgds Mac

ASKED: November 22, 2006  1:53 AM
UPDATED: November 27, 2006  3:32 PM

Answer Wiki:
Windows 2003-based AD allows this behavior by default, with a 10-computer limit. You can limit this in group policy security settings, local settings, user rights assignment.
Last Wiki Answer Submitted:  November 22, 2006  9:25 am  by  Spadasoe   5,130 pts.
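An added example, not part of the original thread, that answers the question as asked: it reports both settings that decide whether an ordinary user can join a machine. Two independent controls are involved, the ms-DS-MachineAccountQuota attribute on the domain (the "10 computer limit" above) and the "Add workstations to domain" user right, which the Default Domain Controllers Policy grants to Authenticated Users by default. The script assumes it is run in PowerShell on a domain controller, because secedit exports the effective policy of the host it runs on; it uses only ADSI and built-in tools.

```powershell
# Added example, not from the original thread: audit who may join computers to the domain.
# Two independent controls decide this and both must be checked:
#   1. ms-DS-MachineAccountQuota on the domain naming context (default 10): how many
#      computer accounts a user WITHOUT explicit "Create Computer objects" rights may create.
#   2. The "Add workstations to domain" user right (SeMachineAccountPrivilege), which the
#      Default Domain Controllers Policy grants to Authenticated Users (S-1-5-11) by default.
# Run on a domain controller: secedit exports the effective policy of the host it runs on.

# --- 1. machine account quota ---
$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$quota   = $domain.Properties["ms-DS-MachineAccountQuota"].Value
"ms-DS-MachineAccountQuota on {0}: {1}" -f $domain.Properties["distinguishedName"].Value, $quota

# --- 2. who holds SeMachineAccountPrivilege on this DC ---
$inf = Join-Path $env:TEMP "secpol-audit.inf"
secedit /export /cfg $inf /quiet | Out-Null
$line = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

if ($line) {
    # The exported line looks like:  SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544
    $sids = ($line.Line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = "(unresolved)" }
        "Add workstations to domain: {0}  [{1}]" -f $name, $sid
    }
} else {
    "SeMachineAccountPrivilege is not assigned on this host."
}
```

If "NT AUTHORITY\Authenticated Users" appears in the second section, every domain account can join machines and the quota is the only thing limiting how many. The quota only applies to accounts that lack an explicit "Create Computer objects" permission on an OU, so setting it to 0 restricts ordinary users without affecting delegated administrators.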


Discuss This Question:

In “Domain Security Policies”, under “User Rights” you will see “Add workstations to domain”.
Define this right for administrators only.


By default, all users can add ten PCs to the domain. After that they will be denied access.

You can change that in the Default Domain policy and specify which groups can add PCs, say domain admins and IT staff. But be very careful. It’s located under:
Computer Configuration | Windows settings | Security Settings | User Rights Assignment | Add Workstations to the Domain

You can also change the location of where computer accounts get created when they are added to the domain so that they don’t sit in the Computers container. You could have them automatically get created in an OU which has policies applied to it–so that the PCs get whatever firewall or software policies they need.

Regards,

Greg

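An added example, not part of the original thread, that applies the two changes described in the post above: stop ordinary users from joining machines, and make new computer accounts land in an OU that carries policy rather than in the CN=Computers container. It assumes it is run on a domain controller as a Domain Admin, at Windows Server 2003 domain functional level (required by redircmp.exe); the OU name and the group name are placeholders chosen for this example. Test it in a lab first.

```powershell
# Added example, not from the original thread: apply the lock-down described above.
# Run on a domain controller as a Domain Admin, after testing in a lab.
# Names marked "assumed" are placeholders for this example.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# 1. Stop the default "any authenticated user, 10 machines" behaviour at the directory
#    level. With the quota at 0, only accounts that hold an explicit "Create Computer
#    objects" permission on some OU can still join machines.
$domain.Properties["ms-DS-MachineAccountQuota"].Value = 0
$domain.CommitChanges()

# 2. Make new computer accounts land in an OU that can carry GPOs, instead of the
#    CN=Computers container (a container cannot have a GPO linked to it).
#    redircmp.exe ships with Windows Server 2003 and requires the Windows Server 2003
#    domain functional level.
$ouName = "Staging Workstations"          # assumed OU name
$ouDn   = "OU=$ouName,$domainDn"
if (-not [ADSI]::Exists("LDAP://$ouDn")) {
    $ou = $domain.Children.Add("OU=$ouName", "organizationalUnit")
    $ou.CommitChanges()
}
redircmp.exe $ouDn

# 3. Give the join right to one group rather than to everyone. The "Add workstations to
#    domain" user right takes effect on domain controllers, so it is set in the Default
#    Domain Controllers Policy (Computer Configuration | Windows Settings |
#    Security Settings | Local Policies | User Rights Assignment); edit it in gpmc.msc
#    to list only this group. The dsacls line additionally grants the group
#    "Create Computer objects" on the staging OU, so the quota of 0 does not block it.
$joiners = "CORP\Workstation Joiners"     # assumed domain and group name
dsacls.exe $ouDn /G "${joiners}:CC;computer"
```

Machines joined from now on are created under the staging OU and pick up whatever GPOs are linked there. Existing accounts in CN=Computers are not moved; move them by hand once they have been reviewed.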

Something to worry about if rogue user servers are a potential problem. Most people aren’t going to do that as it is expensive.

But think about what an unauthorized workstation means – given that they still need a valid user logon to start with. OK they could bring a home machine into work and add it to the domain…and receive any GPO restrictions too. Problems? Hopefully your network has multiple layers of protection against malware (worms/viruses, etc.), monitoring and intrusion devices anyway. The biggest threat is that they download data onto the home computer and take it home. You need a clear, written, well-publicized policy that any hardware or writeable media that comes to work is automatically donated to the company. It cannot leave except if the user is fired, and all media undergoes Gutmann overwrites of all data before release (loss of OS and personal data not reimbursed).

But other than that is this your biggest security issue? Bravo if so.


Thanks everyone,

Quite surprised that any valid login can add a computer to the domain. Could have sworn that was restricted to Admins only.
The issue arose when someone with VPN access from home added their home PC to the Domain. Not having that!
We are also rolling out a new ISA and VPN solution whereby we will be quarantining PCs that do not meet patches/AV requirements. But even still I don’t think it’s something users should be able to do without checking with Admins first.

rgds

Mac

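An added example, not part of the original thread, for the situation Mac describes: finding every computer account that was joined by an ordinary user rather than by an administrator. Active Directory fills in the mS-DS-CreatorSID attribute of a computer object only when the creator had no explicit "Create Computer objects" permission and the join consumed the machine-account quota, so a populated attribute marks exactly the "user joined a home PC" case. The script assumes it is run from any domain member as a user allowed to read the computer objects, and uses only ADSI and the .NET DirectorySearcher.

```powershell
# Added example, not from the original thread: list computer accounts that were joined by
# ordinary users through the machine-account quota. AD populates mS-DS-CreatorSID only when
# the creator lacked an explicit "Create Computer objects" permission, i.e. the join used
# the quota; machines pre-created or joined by delegated admins do not carry it.

function Get-Prop($props, $name) {
    # ResultPropertyCollection keys are lower-case; return $null when the attribute is absent
    if ($props.Contains($name)) { $props[$name][0] } else { $null }
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=computer)(mS-DS-CreatorSID=*))"
$searcher.PageSize   = 1000     # page through large domains instead of stopping at 1000
[void]$searcher.PropertiesToLoad.AddRange(
    @("name", "mS-DS-CreatorSID", "whenCreated", "operatingSystem", "distinguishedName"))

$joined = foreach ($r in $searcher.FindAll()) {
    $p     = $r.Properties
    $bytes = Get-Prop $p "ms-ds-creatorsid"          # binary SID of the account that joined
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }                       # account since deleted: show the raw SID
    New-Object PSObject -Property @{
        Computer = Get-Prop $p "name"
        JoinedBy = $who
        Created  = Get-Prop $p "whencreated"
        OS       = Get-Prop $p "operatingsystem"
        DN       = Get-Prop $p "distinguishedname"
    }
}

$joined | Sort-Object Created | Format-Table Computer, JoinedBy, Created, OS -AutoSize
```

The Created column gives the join time, which can be lined up against VPN logs to confirm a remote join like the one above; a computer whose JoinedBy account belongs to a user who should not own a domain-joined machine is a candidate for disabling and removing from the domain.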