Local Security Policy and DCs

Ben

I've just inherited a new AD/Domain. Currently there are 2 DCs (A and B).
DC A has no local security policy defined, no domain controller security
policy defined, and no domain security policy defined (all default).
DC B has some items defined in local security policy, but no domain
controller policy or domain security policy defined (all default).
Questions:
1. Since some users (non-administrators) exhibit the ability to add
workstations to the domain while other users (also non-administrators)
are denied that ability, could one assume that is due to users being
authenticated by domain controllers with differing local security
policies as outlined above (DC A does not allow, while DC B does allow)?

2. If the local security policy defined on DC B (specifically the "add
workstations to domain" policy set to Administrators and Authenticated
Users) existed before the server was promoted to a DC, would that policy
be inherited or assumed into the entire AD/Domain policy as a whole,
allowing all authenticated users to add workstations?
 
Danny Sanders

1. Since some users (non-administrators) exhibit the ability to add
workstations to the domain while other users (also non-administrators)
are denied that ability, could one assume that is due to users being
authenticated by domain controllers with differing local security
policies as outlined above (DC A does not allow, while DC B does allow)?

Regular "users" can, by default, add up to 10 computers to the domain. Maybe
the users that can't add workstations to the domain have reached their
10-computer limit.

2. If the local security policy defined on DC B (specifically the "add
workstations to domain" policy set to Administrators and Authenticated
Users) existed before the server was promoted to a DC, would that policy
be inherited or assumed into the entire AD/Domain policy as a whole,
allowing all authenticated users to add workstations?

When joined to the domain the domain policy prevails. Once again, a user can
add 10 workstations to the domain by default. No policy has to be enacted.

hth
DDS W 2k MVP MCSE
 
Guest

Danny, thanks for the response...

I've just checked with the users in question, and: the user who can add
workstations has added more than 10, and the user who can't has tried
but has never been able to add a workstation. In this case, do you
suppose it's possible that the local security policy on the second DC
is playing a role in this odd behavior?

Thanks,
Ben
 
Danny Sanders

No.
The local security policy will never override the domain policy.
Is it possible the users know each other's login account and password, or
that the user who can add more workstations added some under another
account?

I have seen a reg hack with which you can change the number of computers you
can add to the domain, but I *think* the change applies to all authenticated
users.
See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;251335&Product=win2000

hth
DDS W 2k MVP MCSE
 
Ben

Thanks....
I've not seen a reg hack, but using the ADSI tool it is possible to change
the DC attribute ms-ds-MachineAccountQuota, which by default is 10. That
change (to 0) is the reason for these posts, as it won't likely be approved
unless I can explain the current situation. I would assume that to
accomplish the goal of allowing users NOT to add any workstations, I would
need to make the change above as well as reconcile the current policy or
explicitly define otherwise using the domain-level policy editors.

I know that the users referenced are not sharing usernames and passwords
or using any other accounts. Honestly, the reason I posted is because I
can find absolutely no other explanation for the current behavior.

My best guess is that the local policy was assumed when the machine was
promoted to a DC, and since the user rights assignment was never
explicitly assigned at the domain level, it just doesn't show when you
open the domain security policy editor (or the domain controller security
policy editor). In addition, since the local policy is only different on
one DC, I figure that maybe that policy is only really assigned when a
user is authenticated by that particular DC.
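An added audit script for the two points the thread turns on (Danny's 10-computer default and Ben's ms-DS-MachineAccountQuota change); it is not code from any poster or from Microsoft. It reads the domain quota, lists which users have already consumed it (computer accounts joined under the quota carry the joining user's SID in mS-DS-CreatorSID), and exports the "Add workstations to domain" right as actually applied on the DC it runs on. It assumes the RSAT ActiveDirectory module and domain-admin rights on a DC.

```powershell
# Added audit example (not from this thread). Assumes the RSAT
# ActiveDirectory module and that it runs as a domain admin on a DC.
Import-Module ActiveDirectory

# 1. The domain-wide quota behind the "10 computers" default.
$domain = Get-ADDomain
$nc     = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota  = $nc.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Computer accounts created under that quota. Such joins stamp the joining
#    user's SID into mS-DS-CreatorSID; joins by admins or by accounts holding
#    the explicit "Add workstations to domain" right leave it empty. A user
#    whose count has reached the quota is the "can't add" case in the thread.
$created = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account deleted: show the raw SID
        [pscustomobject]@{ Creator = $who; Computer = $_.Name }
    }
$created | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object @{n='Creator';e={$_.Name}}, Count,
                  @{n='AtQuota';e={$_.Count -ge $quota}} |
    Format-Table -AutoSize

# 3. The user right as applied on this DC after GPO processing. On a DC the
#    Default Domain Controllers Policy supplies this setting, which is why a
#    local policy set before promotion does not survive as the effective one.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' | ForEach-Object { $_.Line }
Remove-Item $cfg
```

Setting the quota to 0, as Ben plans, stops only quota-based joins; anyone still listed in SeMachineAccountPrivilege (by default Authenticated Users via the Default Domain Controllers Policy) can still join computers, so both have to be changed together.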
 
Buz [MSFT]

Hello Ben,

What is the error the clients get when trying to add workstations to the
domain?

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Buz [MSFT]

Here is something you may want to go through:

251335 Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/?id=251335

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
