Disable adding workstations to the domain by users
All,

What's the secret behind disabling the huge security hole that MS left open in Windows domains? I am talking about domain users adding workstations to the Active Directory domains. I don't even want the users to be able to add workstations to the domain once, let alone 10 times.

I googled and found numerous suggestions. I followed one of them:

1) Created a GPO and a security group "xyz".
2) In the GPO, removed everything in the "Add workstations to domain" setting and added the security group "xyz".

Then the GPO was linked to the "Default Domain Controllers" OU.

I have one user, who is NOT in the "xyz" security group, who can add workstations to the domain. I checked his group membership, permissions, etc. He is just a domain user. How in the world is he able to add workstations to the domain?

Also, each workstation's local admin account can remove the workstation from the domain. When prompted to enter a user/password authorized to remove a workstation from the domain, any random characters for the userid and password work fine (userid: dufkflkvsldvl / password: ytdsmnbvmndvsaojdso).

First of all, what's the logic behind letting the domain users add workstations to the domain (RIS?)? It simply doesn't make sense. MS should eliminate this feature by default like the IIS 5.0 install and force the admin to enable it if he/she wants to open this security hole.

Thank you
July 28th, 2009 6:05pm

By default, only administrators can add a machine to a domain. You can allow users by giving them the "Add workstations to domain" permission. Someone may have done this.
July 28th, 2009 7:13pm

Sick, read this KB article:
http://support.microsoft.com/default.aspx/kb/251335

And this:
http://support.microsoft.com/kb/243327/en-us
July 28th, 2009 8:49pm

Correct - that's for a Windows 2000 domain. I don't think that this is a problem anymore (unless you're still 2000.)
July 28th, 2009 9:20pm

My forest functional level is Windows 2003. My domain functional level is Windows 2003.

Until I enabled the GPO I mentioned in my original posting on the Default Domain Controllers OU, users were removing and adding workstations without the IT department's permission.

I think I found the issue with this user who can add/remove workstations in the domain. His user account had "Create Computer Objects" permission on the OU in question. What I am puzzled about is that I haven't redirected new computer objects to other OUs, so they all go to the default "Computers" container. This user doesn't have permission to "create objects" at the domain level.

@sick I will set up a brand new Windows 2003 domain to test your claim that, by default, MS disables domain users from adding/removing workstations in the domain. My domains are upgraded from Windows 2000.
July 28th, 2009 10:18pm

I was thinking a little about this and did a little research. Another piece of the story may be the service pack of XP. I looked at http://technet.microsoft.com/en-us/library/bb457115.aspx (table 17-6) and found that by default, a clean install of XP SP2 doesn't set any groups to the "Add workstations to the domain" right.
July 28th, 2009 11:52pm

Hello,

By default 'Authenticated Users' are able to add workstations to the domain. This is set in the Default Domain Controllers policy since the Windows 2000 OS, and in 2003 and 2008 it has not changed. So what you see is completely correct; if you don't want it, remove Authenticated Users there and add the Domain Admins group or the accounts you like to have there. It does not depend on client OS or service pack level.

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
July 29th, 2009 3:40am

Meinolf - That's interesting, because I've set up several domains over the last several years (NT4, 2000, 2003 & 2008) and while I remember Authenticated users being able to join domains in the early days, since 2003 with the XPSP2 (& later) client, I have always needed Admin privileges to join. Now I have to go and look as to 'why'....
July 29th, 2009 6:27pm

Hi,

Yes. By default, authenticated users can add 10 computer accounts in the domain. It is also true in Windows 2003 and Windows 2008 domains. For more information, please refer to the following articles:

Add workstations to domain
http://technet.microsoft.com/en-us/library/cc780195(WS.10).aspx

Windows Server 2008 Administrator's Pocket Consultant (Page 223: Information regarding adding computers to domain incorrect)
http://support.microsoft.com/kb/957688

Thanks.
July 30th, 2009 12:14pm

I wish I could have replied to this sooner.

First off, you shouldn't modify the default policies, in case anyone is doing that. They should be left intact in case you need to revert to a known state. (I see that you said a GPO was created, but later in the thread it looked like some people may assume that the Default Domain Controllers Policy was being modified.)

Second, why would you be linking the new GPO to "Default Domain Controllers"? You don't care about the DCs, you care about the clients, and those are the systems that you want to affect, right? The GPO should be applied to the default "Computers" container, to any container where machine accounts will be moved, and/or to the root of AD (which is easiest). Applying the GPO to the DCs doesn't gain you anything because it's not going to affect the clients. If I wanted to prevent users from adding/removing machine accounts, I would create a GPO and apply it to the root of the domain or forest. Actually, I would include the right mentioned next, too.

The reason that an anonymous user can add up to 10 machine accounts (by default) is because of the "ms-DS-MachineAccountQuota" right. The mechanism goes basically something like this: a user logs on, and if they are not in a privileged group, the "ms-DS-MachineAccountQuota" right is checked, and if it is greater than zero, and the user has added fewer than this number, then the machine account can be added. For each computer the user joins to the domain, the corresponding computer object has the ms-DS-CreatorSID attribute set to the value of the objectSID attribute of the user. The sum of the computer objects with the user's SID assigned to ms-DS-CreatorSID is the total for the user.

I wrote a simple VBScript to see how many computers a particular person has added.

Reference:
Default Limit to Number of Workstations a User Can Join to the Domain
http://support.microsoft.com/kb/243327

Also:
Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/default.aspx/kb/251335

Hope that helps!

Rob Ingenthron
IT Tech Lead
Juniper Networks
October 6th, 2009 8:24pm
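The audit Rob describes (counting computer objects per ms-DS-CreatorSID against ms-DS-MachineAccountQuota), as an added PowerShell example; this is not Rob's VBScript and not from the original thread. It assumes the ActiveDirectory RSAT module and read access to the domain partition.

```powershell
# Added example, not the poster's script: report who has joined machines under the quota.
# Assumes the ActiveDirectory RSAT module and read access to the domain naming context.
Import-Module ActiveDirectory

function ConvertTo-CreatorSid {
    param($Value)
    # The module may hand back ms-DS-CreatorSID as a SecurityIdentifier or as raw bytes.
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    return New-Object System.Security.Principal.SecurityIdentifier ($Value, 0)
}

$domain    = Get-ADDomain
$domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota     = [int]$domainObj.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota (0 disables quota-based joins)"

# Only computers joined by a non-privileged user under the quota carry ms-DS-CreatorSID.
# Accounts created by someone holding Create Computer Objects on the container (the user
# in this thread) leave it empty, so they will not show up here.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', 'whenCreated'

$report = $joined |
    Group-Object { (ConvertTo-CreatorSid $_.'ms-DS-CreatorSID').Value } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $_.Name
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = "<deleted or foreign SID $($_.Name)>" }   # creator no longer resolvable
        [pscustomobject]@{
            Creator   = $who
            Joined    = $_.Count
            AtQuota   = ($quota -gt 0 -and $_.Count -ge $quota)
            Computers = ($_.Group | Sort-Object whenCreated | Select-Object -ExpandProperty Name) -join ', '
        }
    }
$report | Sort-Object Joined -Descending | Format-Table -AutoSize

# Remediation (commented out, not run): a quota of 0 stops joins that rely only on the
# "Add workstations to domain" user right; users with Create Computer Objects permission
# on a container, like the one in this thread, are unaffected and need their ACE removed.
# Set-ADDomain -Identity $domain.DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Unresolved SIDs in the Creator column are worth a second look: an orphaned creator with live computer accounts is exactly the stale-join situation the thread is worried about.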
