AD – Domain Users can join computers to Domain.

Hi there, I've just discovered that anyone who is just a member of Domain Users can join a computer to our Domain. It's freaked me out and I can't see why. How do I find the "Join to a Domain" security permission and see what groups have rights to do this? rgds Mac

Answer Wiki


Windows 2003-based AD allows this behavior by default, with a 10-computer limit. You can limit this in Group Policy: Security Settings, local settings, User Rights Assignment.

Discuss This Question: 4 Replies

  • Tommski
    In "Domain Security Policies", under "User Rights" you will see "Add workstations to domain". Define this right for administrators only.
  • Gphalpin
    By default, all users can add ten PCs to the domain. After that they will be denied access. You can change that in the Default Domain policy and specify which groups can add PCs, say domain admins and IT staff. But be very careful. It's located under: Computer Configuration | Windows Settings | Security Settings | User Rights Assignment | Add workstations to domain. You can also change the location where computer accounts get created when they are added to the domain so that they don't sit in the Computers container. You could have them automatically created in an OU which has policies applied to it, so that the PCs get whatever firewall or software policies they need. Regards, Greg
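The controls the Answer Wiki, Tommski and Greg describe, as an added PowerShell example; this is not code from the thread. Two settings make the default join possible: the "Add workstations to domain" user right (SeMachineAccountPrivilege), which Windows grants to Authenticated Users in the Default Domain Controllers Policy, and the domain attribute ms-DS-MachineAccountQuota, which supplies the limit of 10 per user. Closing either one stops ordinary users from joining machines. The script reads both, lists the computers that were joined through the quota (such objects carry mS-DS-CreatorSID, the SID of the user who created them, which answers Mac's "who did this?"), and previews the change with -WhatIf. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin workstation, that the right still lives in the Default Domain Controllers Policy, and the Get-GPOReport element names Name and Member; "OU=Staging Computers" is a placeholder OU.

```powershell
# Added example, not code from the original thread. Assumes RSAT (ActiveDirectory
# and GroupPolicy modules) on a domain-joined admin workstation and that the
# "Add workstations to domain" right is still carried by the Default Domain
# Controllers Policy, where Windows puts it by default. "OU=Staging Computers"
# is a placeholder name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. The per-user quota behind the "10 computers" behaviour. A user who holds the
#    right but has no Create Computer Objects permission on the container may
#    create this many computer accounts; 0 closes that path entirely.
$nc    = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota = $nc.'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota"

# 2. Who holds SeMachineAccountPrivilege in the GPO. The XML report is queried with
#    local-name() so the namespace prefixes Get-GPOReport emits do not matter.
#    Assumes the report's UserRightsAssignment/Name and Member/Name element names.
[xml]$report = Get-GPOReport -Name 'Default Domain Controllers Policy' -ReportType Xml
foreach ($ura in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
    $rightName = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
    if ($rightName -ne 'SeMachineAccountPrivilege') { continue }
    $holders = @($ura.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                 ForEach-Object { $_.InnerText })
    Write-Output "Add workstations to domain is granted to: $($holders -join ', ')"
}

# 3. Computers joined through the quota rather than by a delegated admin carry
#    mS-DS-CreatorSID (the creating user's SID); resolve it to a name.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        $sid = $raw
        if ($raw -isnot [System.Security.Principal.SecurityIdentifier]) {
            # ADWS returns the attribute as a byte[]; build the SID from it
            $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # a deleted user's SID will not resolve
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $creator; When = $_.whenCreated }
    } | Format-Table -AutoSize

# 4. Tighten: with the quota at 0 only accounts that hold the right above AND have
#    Create Computer Objects delegated on a target OU can join machines.
#    Drop -WhatIf once the preview looks right.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf

# 5. Optional, per Greg's suggestion: land new computer objects in an OU that
#    carries your workstation GPOs instead of the default Computers container.
#    Run once as a Domain Admin; requires Windows Server 2003 domain functional level.
# redircmp "OU=Staging Computers,$($domain.DistinguishedName)"
```

Whichever of the two controls you change, do it in a GPO linked where the right is actually evaluated: domain joins are processed on domain controllers, so the right must be removed from Authenticated Users in the policy that applies to the Domain Controllers OU. Step 3 is worth running before any change, since it is the only record of joins that bypassed the admins.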
  • Mortree
    Something to worry about if rogue user servers are a potential problem. Most people aren't going to do that as it is expensive. But think about what an unauthorized workstation means, given that they still need a valid user logon to start with. OK, they could bring a home machine into work and add it to the domain...and receive any GPO restrictions too. Problems? Hopefully your network has multiple layers of protection against malware (worms/viruses, etc.), monitoring and intrusion devices anyway. The biggest threat is that they download data onto the home computer and take it home. You need a clear, written, well-publicized policy that any hardware or writeable media that comes to work is automatically donated to the company. It cannot leave except if the user is fired, and all media undergoes Gutmann overwrites of all data before release (loss of OS and personal data not reimbursed). But other than that, is this your biggest security issue? Bravo if so.
  • Maclanachu
    Thanks everyone. Quite surprised that any valid login can add a computer to the domain. Could have sworn that was restricted to Admins only. The issue arose when someone with VPN access from home added their home PC to the Domain. Not having that! We are also rolling out a new ISA and VPN solution whereby we will be quarantining PCs that do not meet patches/AV requirements. But even still, I don't think it's something users should be able to do without checking with Admins first. rgds Mac
