Post subject: Adding computer to Domain Posted: Wed Jun 29, 2005 2:05 am
Help others: Review your books and training products here
I am preparing for the 290 exam and I have a question. In the MS Press book I read that any domain user can add up to 10 computers to the domain. And it is true: I tried to add a PC with an ordinary account from Domain/Users and it worked.
The question is, how do you disable that? I also know that it can be done, because at my work this trick does not work.
Thanks _________________ Don't Drink And Drive
Kill, can not be innocent
Kill can not be, innocent
I searched for this option in my gpedit snap-in but didn't find any policy configuration that can disable this particular option... but there is a policy that can disable opening "My Computer" properties as a whole. _________________ MCSA 2003:Messaging, CCNA, BSCI, BCRAN
Last edited by elbrens on Wed Jun 29, 2005 3:51 am; edited 1 time in total
Joined: 28 Jun 2005 Posts: 40 Location: Dallas, TX
Post subject: Posted: Wed Jun 29, 2005 10:25 am
If you remove Authenticated Users from the Default Domain Controllers GPO setting "Add workstations to domain", found under the following path:
Computer configuration/Windows Settings/Local Policies/User Rights Assignment
The setting is about the 3rd or 4th from the top, if I remember right. Remove Authenticated Users and leave only the users you want to have that right (preferably admins... duh ;P). Hope that helps. _________________ Jordan, MCSE:Security, MCSA:Security, Security + (Working on CCNA)
"Red Team Go!...Red Team Go!..."
Joined: 10 Apr 2005 Posts: 1296 Location: Wales, UK
Post subject: Posted: Wed Jun 29, 2005 4:11 pm
Yes, by default, all Domain Users are able to add up to 10 machines to a domain.
You can disable this by the method described, but also be aware of questions that actually require you to give this right to a particular user.
It's through a User Rights Assignment, not general "Administrator" level access, that you set up that user with the desired property. _________________ David Jones BSc (Hons)
MS Certs: MCSA: Messaging 2003, MCSE: 2003, MCTS: Vista, MCTS: Exchange 2007
Cisco Certs: CCNP
Studying: CCIE: R&S Written, Feb 28, 2011
Joined: 28 Jun 2005 Posts: 40 Location: Dallas, TX
Post subject: Posted: Wed Jun 29, 2005 4:20 pm
Good point gorebrush, thanks for the touch-up. _________________ Jordan, MCSE:Security, MCSA:Security, Security + (Working on CCNA)
"Red Team Go!...Red Team Go!..."
OK, guys. Maybe I am doing something wrong here, but bear with me. Currently, under the given path in the GPO for my domain, the "Add workstations to domain" policy is not defined. So when I open it up, none of the users or groups are there to be deleted or denied this permission. (From what I can see you can only add groups in there.)
Does it mean that if I add specific users or groups who I want to be able to do this task, then everybody else will be denied? _________________ Don't Drink And Drive
Kill, can not be innocent
Kill can not be, innocent
On this note I guess I should mention that I am also trying to find out a way to stop users from removing client machines from the domain. The only way I could do it so far is to modify permissions on the registry key on the client machine.
I could not find any group policy to disable that. Any thoughts? _________________ Don't Drink And Drive
Kill, can not be innocent
Kill can not be, innocent
Joined: 10 Apr 2005 Posts: 1296 Location: Wales, UK
Post subject: Posted: Wed Jun 29, 2005 5:27 pm
ilatak wrote:
OK, guys. Maybe I am doing something wrong here, but bear with me. Currently, under the given path in the GPO for my domain, the "Add workstations to domain" policy is not defined. So when I open it up, none of the users or groups are there to be deleted or denied this permission. (From what I can see you can only add groups in there.)
Does it mean that if I add specific users or groups who I want to be able to do this task, then everybody else will be denied?
This is the Domain GPO yes?
When it is not defined, it is not applied in any way at that level. The thing you have to remember about GPOs is that they apply at FOUR levels.
1. Local
2. Site
3. Domain
4. OU
So any settings in the Local policy that are defined will be overridden by any other defined property higher up the chain. If a property is defined at the local level, and not anywhere else up the chain, that property is set by the local level.
I think if you add users to the "Add workstations to domain" policy, you are letting them have the ability to add them. I.e. if you add the user "Bob", who is normally a domain user, Bob then has the power to add clients to the domain.
As for removing them...
I would hope that domain users themselves wouldn't have that power, even if they were "local administrators" on the client they are attempting to remove from the domain.
IIRC, a domain user who is a local administrator, but is otherwise only a domain user, will be asked for the necessary credentials when he/she tries to remove a client by changing the properties on the Computer Name tab of System Properties (i.e. selecting a Workgroup as opposed to the configured domain). _________________ David Jones BSc (Hons)
MS Certs: MCSA: Messaging 2003, MCSE: 2003, MCTS: Vista, MCTS: Exchange 2007
Cisco Certs: CCNP
Studying: CCIE: R&S Written, Feb 28, 2011
Hi gorebrush,
Yes, I was looking at the domain GPO. I am trying to do this in my home lab, of course :) I have 1 server and 1 XP client (both just installed with nothing but the OS on them), so here is what I found out:
1. Local (on the XP client): "Add workstations to domain" is not defined
2. Site: there is none, I didn't set up any sites
3. Domain: not defined either
4. OU: the user account that I used to add the PC to the domain is in the default Users container, so no GPOs there
So technically, if I am not mistaken, I have no policies set up to specifically allow or deny adding workstations to the domain. So I guess it works by default: 1 user = 10 workstations. But again, how do you disable that?
Removing a PC from the domain:
My life would be so much easier if what you said, gorebrush, was actually true :) The thing is, if you are a local admin or power user you can easily take a PC out of the domain. You do it as usual, but when it prompts you for a user name and password you just click OK without entering anything, and you are done.
PS: I am still kinda confused about group policies _________________ Don't Drink And Drive
Kill, can not be innocent
Kill can not be, innocent
Joined: 10 May 2004 Posts: 3556 Location: Hillsboro, OR
Post subject: Posted: Thu Jun 30, 2005 2:57 am
Quote:
My life would be so much easier if what you said, gorebrush, was actually true :) The thing is, if you are a local admin or power user you can easily take a PC out of the domain. You do it as usual, but when it prompts you for a user name and password you just click OK without entering anything, and you are done.
This isn't necessarily true. A user on an XP or Win2K box can only log on locally if they have a local account. So, when you make them a local administrator, you make their domain account the local admin account. That way, if they try to log in without logging into the domain, they are not able to do so. On 9x machines you can bypass the domain, which is why larger organizations use an NT-style workstation. If you are using 9x, you might as well throw security out the window. _________________ kidvelvet www.kidvelvet.net
Yes, your problem is the most important. Just like everybody else's.
This is how we have it set up, kidvelvet.
Let me explain it again. The user's domain account is a member of the local admin group, so they cannot log on using a local account. The problem comes when they take the computer out of the domain (for various reasons, mostly to set up a home network; most of them are laptops): they can't log in because the domain account doesn't work any more. That's when they come to me asking to add them back onto the domain. That's why I was working on a fix to disable the ability to remove a computer from the domain. _________________ Don't Drink And Drive
Kill, can not be innocent
Kill can not be, innocent
OK, finally tested and confirmed.
By default in MS Server 2003 any domain user can add up to 10 computers to the domain. If this behavior is not desired, you need to modify the following GPO setting:
Thanks to techno-jordan:
Computer configuration/Windows Settings/Local Policies/User Rights Assignment
By default this policy is not configured.
You have to add the groups of users you want to be able to add computers to the domain to this policy. If you configure this policy, only the specified users will be able to add a PC to the domain and everybody else will receive an access denied error. _________________ Don't Drink And Drive
Kill, can not be innocent
Kill can not be, innocent
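The two posts above (techno-jordan's fix and the confirmed summary) describe the setting but give no way to verify what is actually in effect. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the effective "Add workstations to domain" right (its internal name is SeMachineAccountPrivilege) on the domain controller where the right is enforced, and reads the domain attribute behind the "10 computers per user" figure, ms-DS-MachineAccountQuota. It assumes you run it elevated on a DC after a gpupdate, and that the Default Domain Controllers Policy is where the right was changed; the function names are mine.

```powershell
# Added example (not from the thread). Run elevated on a domain controller.
# Audits who holds "Add workstations to domain" (SeMachineAccountPrivilege) and
# reports ms-DS-MachineAccountQuota, the per-user computer-join quota (default 10).

function Get-MachineAccountRightHolders {
    # secedit exports the effective local security policy, including user rights,
    # as a Unicode .inf; the line we want looks like:
    #   SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544
    $exportPath = Join-Path $env:TEMP 'urights.inf'
    secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $exportPath |
            Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }
        if (-not $line) { return @() }   # right not granted to anyone on this DC

        $sids = (($line -split '=', 2)[1]).Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }

        foreach ($sid in $sids) {
            $name = '<unresolved>'
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [pscustomobject]@{
                Sid  = $sid
                Name = $name
                # S-1-5-11 is the well-known SID for Authenticated Users: if it is
                # present, every domain user can still join machines (subject to quota).
                IsAuthenticatedUsers = ($sid -eq 'S-1-5-11')
            }
        }
    } finally {
        Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
    }
}

function Get-MachineAccountQuota {
    # Plain ADSI, no RSAT module required. The attribute lives on the domain NC head.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $dn      = [string]$rootDse.defaultNamingContext
    $domain  = [ADSI]"LDAP://$dn"
    [pscustomobject]@{
        Domain = $dn
        Quota  = [int]$domain.Properties['ms-DS-MachineAccountQuota'].Value
    }
}

$holders = Get-MachineAccountRightHolders
$holders | Format-Table Name, Sid, IsAuthenticatedUsers -AutoSize
if ($holders | Where-Object IsAuthenticatedUsers) {
    Write-Warning 'Authenticated Users still holds SeMachineAccountPrivilege on this DC: any domain user can join up to the quota.'
}

$q = Get-MachineAccountQuota
Write-Output ("ms-DS-MachineAccountQuota on {0}: {1}" -f $q.Domain, $q.Quota)
if ($q.Quota -gt 0) {
    # Belt and braces: lowering the quota to 0 also closes the "10 free joins" path
    # even if a future GPO change puts Authenticated Users back. Requires Domain Admins.
    Write-Output 'To close the quota path as well:'
    Write-Output '  $d = [ADSI]("LDAP://" + ([ADSI]"LDAP://RootDSE").defaultNamingContext)'
    Write-Output '  $d.Put("ms-DS-MachineAccountQuota", 0); $d.SetInfo()'
}
```

Checking the DC rather than the client matters: the right is evaluated where the computer object is created, so a setting defined only in a domain or OU GPO that does not reach the Domain Controllers OU changes nothing. The quota only applies to accounts that rely on this right; accounts with explicit Create Computer Objects permission on the container are not counted against it.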
Joined: 10 Apr 2005 Posts: 24 Location: Gloucester, UK
Post subject: ADDING COMPUTER TO A DOMAIN Posted: Mon Jul 11, 2005 9:16 am
I wrestled with this for a while, until I realised that yes, a normal user can add up to 10 computer accounts to the Computers container in the domain. BUT that user must have local admin rights on the machine to be able to use the Computer Name tab in System Properties to alter domain membership.
Didn't know about that GPO setting though....very interesting!!
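The post above notes that ordinary users' joins land as computer accounts in the Computers container. Active Directory marks computer objects created through the per-user quota (rather than by an account with explicit create rights) with the joining user's SID in the mS-DS-CreatorSID attribute, which makes it possible to find out after the fact who has been joining machines. The script below is an added example, not code from the thread: it lists those accounts and tallies them per creator. It uses plain ADSI (no RSAT module), reads the whole domain, and the function name is an assumption of mine.

```powershell
# Added example (not from the thread). Run as any domain user with read access to AD.
# Lists computer accounts that were created through the machine-account quota and
# who created them, so you can see the effect of the default before/after the GPO fix.

function Get-QuotaJoinedComputers {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $dn       = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$dn"
    # Only quota-created computers carry mS-DS-CreatorSID; DA-created ones do not.
    $searcher.Filter   = '(&(objectCategory=computer)(mS-DS-CreatorSID=*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'mS-DS-CreatorSID', 'whenCreated'))

    foreach ($result in $searcher.FindAll()) {
        # Result property names come back lower-cased; the SID is a raw byte array.
        $sidBytes = $result.Properties['ms-ds-creatorsid'][0]
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        $creator  = '<unresolved>'   # e.g. the creating account was since deleted
        try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Computer    = [string]$result.Properties['name'][0]
            CreatedBy   = $creator
            CreatorSid  = $sid.Value
            WhenCreated = $result.Properties['whencreated'][0]
        }
    }
}

$joined = @(Get-QuotaJoinedComputers)
Write-Output ("{0} computer account(s) were created via the machine-account quota" -f $joined.Count)
$joined | Sort-Object CreatedBy, WhenCreated | Format-Table Computer, CreatedBy, WhenCreated -AutoSize

# Per-user totals: anyone at or near 10 has used up the default quota described in the thread.
$joined | Group-Object CreatedBy | Sort-Object Count -Descending |
    Select-Object @{ n = 'CreatedBy'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

Because the attribute is written at creation time, machines joined before the right was restricted stay in this list; that is useful as an inventory of what to review, and an empty list after the change is a quick confirmation that no new quota joins are happening.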