Restricting users from adding computers to domain!
Hi all, I want to make sure that only members of "Domain Admins" group and a specific group "Server Installers" can join computers to domain. I changed the setting "Add workstation to domain" from "not defined" to "Domain Admins and Server Installers" in a GPO and linked this GPO to the domain. The permissions on the security tab of the container "Servers" in Active Directory allow authenticated users to read from this container and not to create computer accounts in this container. However, the authenticated users who are only member in "Domain Users" group are allowed to join servers to domain! What do I miss here? Kind regards, Mavrickf3
August 18th, 2010 6:39pm

This is a link about how to allow an ordinary user to add a computer to a domain: http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx It can be applied on groups. Best regards.
August 18th, 2010 6:44pm

Thank you for your reply. I have already done what they explain on the website! By default the authenticated users are allowed to create up to 10 computer accounts in Active Directory. What I want to do is to avoid this and block authenticated users from creating and joining computers to domain. Kind regards,
August 18th, 2010 6:59pm

In the default domain controllers policy or equivalent, remove the "Authenticated users" from: computer configuration, windows settings, security settings, local policies, user rights assignment, "Add workstations to the domain". There add only the allowed admins. Best regards
August 18th, 2010 7:05pm

"Thank you for your reply. I have already done what they explain on the website! By default the authenticated users are allowed to create up to 10 computer accounts in Active Directory. What I want to do is to avoid this and block authenticated users from creating and joining computers to domain. Kind regards,"

Hello, set the amount of machines from 10 to 0 according to: http://support.microsoft.com/kb/243327/en-us

That's it. Best regards, Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
August 18th, 2010 7:55pm

Hello Mavrickf3, Do you refer to Workstation and Server only? If so, please refer to the following KB.

Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/kb/251335

Brent Hu

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 20th, 2010 10:58am

After doing many tests using a combination of all the proposed solutions for this thread, I managed to obtain the desired result by doing:

1. Modify the MachineAccountQuota
2. Remove the "Authenticated Users" from the "Default Domain Controllers Policy"
3. Delegate the "Join to domain". When you create a new computer object in an OU, you have the option to grant the permission, "Join to domain" to a user or to a group in the "New Object - Computer" page.

After doing these modifications, only the group/user who is granted the permission "Join to domain", can join computers to domain. Thank you all for your answers! Kind regards, Mavrickf3
September 6th, 2010 3:10pm
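
The first two steps of the post above can be checked from PowerShell. This is an added example, not part of the thread; it assumes the ActiveDirectory RSAT module and an elevated session on a domain controller, and it also lists computer accounts that were created through the quota.

```powershell
# Added example. Assumes the ActiveDirectory RSAT module and an elevated
# session on a domain controller (so secedit reports the DC's effective rights).
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Step 1: ms-DS-MachineAccountQuota on the domain object (default is 10).
$attr  = 'ms-DS-MachineAccountQuota'
$quota = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
"$attr is currently $quota"
if ($quota -ne 0) {
    # Remove -WhatIf to apply the change.
    Set-ADDomain -Identity $domainDN -Replace @{ $attr = 0 } -WhatIf
}

# Step 2: who holds "Add workstations to domain" (SeMachineAccountPrivilege).
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege\s*=' |
        Select-Object -First 1
$holders = @()
if ($line) {
    # Entries are SIDs prefixed with '*' (or account names), comma separated.
    $holders = ($line.Line -split '=', 2)[1] -split ',' |
               ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $inf -ErrorAction SilentlyContinue
"SeMachineAccountPrivilege holders: $($holders -join ', ')"
if ($holders -contains 'S-1-5-11') {
    Write-Warning 'Authenticated Users (S-1-5-11) still holds the right.'
}

# Follow-up audit: computer accounts created through the quota carry the
# creator's SID in mS-DS-CreatorSID, which shows who has been joining machines.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    Select-Object Name, whenCreated,
        @{ Name = 'CreatorSid'; Expression = { [string]$_.'mS-DS-CreatorSID' } }
```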

Hello Mavrickf3, Thank you for your sharing. Brent Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 7th, 2010 4:01am

This topic is archived. No further replies will be accepted.
