Quite surprised that any valid login can add a computer to the domain. Could have sworn that was restricted to Admins only.
The issue arose when someone with VPN access form home, added their home PC to the Domain. Not having that!
We are also rolling out a new ISA and VPN solution whereby we will be quarantining PCs that do not meet patchesAV requirements. But even still I don’t think it’s something users should be able to do without checking with Admins first.

rgds

Mac

But think about what an unauthorized workstation means – given that they still need a valid user logon to start with. OK they could bring a home machine into work and add it to the domain…and receive any GPO restrictions too. Problems? Hopefully your network has multiple layers of protection against malware (wroms/virii, etc), monitoring and intrusion devices anyway. The biggest threat is that they download data onto the home computer and take it home. You need a clear written well publized policy that any hardware or writeable media that comes to work is automatically donated to the company. It cannot leave except if the user is fired and all media undergoes Gutman overwrites of all data before release (loss of OS and personal data not reimbursed).

But other than that is this your biggest security issue? Bravo if so.

You can change that in the Default Domain policy and specify which groups can add PCs, say domain admins and IT staff. But be very careful. It’s located under:
Computer Configuration | Windows settings | Security Settings | User Rights Assignment | Add Workstations to the Domain

You can also change the location of where computer accounts get created when they are added to the domain so that they don’t sit in the Computers container. You could have them automatically get created in an OU which has policies applied to it–so that the PCs get whatever firewall or software policies they need.

Regards,

Greg