Hello,
How can I restrict users so that they cannot join any computers to the domain using Group Policy?
Thank you
Disable users to join computer to domain
August 17th, 2009 7:27am
Hello,
In the Default Domain Controllers Policy, check that "Authenticated Users" is not added to:
Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, in the left pane "Add workstations to domain"
Here, add only the allowed security groups / user accounts you need.
August 17th, 2009 7:37am
Hi Nasiri
Assign rights using the Default Domain Group policy:
1. Open the Default Domain Group policy.
2. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
3. Expand User Rights Assignment.
4. Double-click Add workstations to Domain.
5. Check the Define these policy settings box.
6. Press the Add User or Group button.
7. Complete the dialog to add the user or group.
8. Press Apply and OK.
Delegate rights using Active Directory Users and Computers:
1. Open the Active Directory Users and Computers snap-in.
2. Right-click the container under which you want the computers added, and press Delegate Control.
3. Press Next.
4. Press Add.
5. After adding all the users and/or groups, press Next.
6. Select Create custom task to delegate and press Next.
7. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and press Next.
8. Check the Create all child object box and press Next.
9. Press Finish.
Refer URL : http://windowsitpro.com/article/articleid/81099/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain.html
Hope this Helps
Deva
- Marked as answer by Mohammad Nasiri Monday, August 17, 2009 7:46 AM
August 17th, 2009 7:40am
You can sort this issue under the domain security policy. Just go to any DC and open the domain policy. Under Security Settings / Local Policies / User Rights Assignment you'll see "Add workstations to domain". Set the right for only the security groups you want to give the privilege to, and that's it.
August 17th, 2009 7:43am
Sorry, but I see that not working with the domain security policy. I set that and tested: no go, I can still add a computer as a user.
In GP results, it says that the winning GPO is the Default Domain Controllers Policy! So I added that in the DC policy also. Now GPR says OK :-)
Windows 2008 R2, domain and forest at 2008 R2 level.
Does anyone know why that is? Or from what version?
November 22nd, 2012 3:11pm
The default domain controller policy is typically applied after the default domain policy and probably had authenticated users set by default in the add workstation to domain policy. So being the last policy applied, it was the winner and had to be changed.
May 22nd, 2015 6:07pm
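To check which accounts actually hold the "Add workstations to domain" right discussed in this thread, the following added example (not code from any of the posters) parses the `[Privilege Rights]` section of a security template and flags broad groups such as Authenticated Users. The function name `Get-MachineJoinTrustee`, the `C:\Temp` path and the sample template with its made-up domain SID are assumptions for illustration.

```powershell
# Lists who holds "Add workstations to domain" (SeMachineAccountPrivilege)
# in a security template and flags well-known broad groups.
# Real input, taken on a domain controller:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   Get-MachineJoinTrustee (Get-Content C:\Temp\rights.inf)

# Well-known SIDs that cover practically every domain user.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-MachineJoinTrustee {   # hypothetical helper name
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^SeMachineAccountPrivilege\s*=\s*(.*)$') {
            foreach ($entry in ($Matches[1] -split ',')) {
                $id = $entry.Trim().TrimStart('*')   # SIDs are written as *S-1-...
                if (-not $id) { continue }           # right defined but empty
                [pscustomobject]@{
                    Trustee  = $id
                    Name     = $BroadSids[$id]
                    TooBroad = $BroadSids.ContainsKey($id)
                }
            }
        }
    }
}

# Constructed sample: the domain SID and RID 1105 are made up.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

Get-MachineJoinTrustee $sample | Format-Table -AutoSize
```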


