Prevent users from joining Computers to domain?


Barkley Bees

I am planning to rework how our users join PCs to our domain for
security/management purposes. I know that by default users can join up to 10
workstations to the domain without any special permissions required. I am
guessing that as a first step I would need to use ADSI Edit on the PDC and
change the "ms-DS-MachineAccountQuota" value to "0". This would then allow
only the Account Operators group (and higher) to join PCs to the domain.

Ultimately, we would like the process to be as follows:

1 - User requests to helpdesk to join a PC to the domain (user cannot join
the PC to the domain on their own).

2 - Helpdesk creates the Computer object with specified name in AD and
assigns domain join permissions to the specific user.
("the following user or group can join this computer to a domain").

3 - User then joins the Computer with the same name to the domain.

I would appreciate any feedback and/or sound advice on this. Thanks very
much.
 

Barkley Bees

Thanks for your reply Jorge. Very informative blog post. That said, would
there be anything particularly wrong with the process I outlined below? I
ask because management wants the process to be as I outlined below:

Use ADSI Edit on the PDC and change the "ms-DS-MachineAccountQuota" value to
"0" so only Account Operators and higher can join computers to the domain.

1 - User requests to helpdesk to join a PC to the domain (user cannot join
the PC to the domain on their own).

2 - Helpdesk creates the Computer object with specified name in AD and
assigns domain join permissions to the specific user. ("the following user
or group can join this computer to a domain").

3 - User then joins the Computer with the same name to the domain.

 

Jorge de Almeida Pinto [MVP - DS]

No, not really. The only thing that I do not like is configuring individual
permissions on computer objects. It sounds like you want to give a bit of
the work to the user. That's OK with me. However, I would do it a bit
differently. Same idea, but a bit different.

What you could do is configure the permissions to join a computer to the
domain on the OU. See:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

When a user requests to join his computer, he/she needs to give you a
computer name so that you can pre-create the computer object. As soon as the
object has been pre-created, put the user's account in the JOIN-GROUP. Tell
him/her to do this within X days. After that, remove him/her from that
JOIN-group again.

Adjusting ms-DS-MachineAccountQuota to 0 or removing Authenticated Users from
that user right, as I mention in the same post, is basically the same.


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
"Jorge de Almeida Pinto [MVP - DS]"
have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
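One way to script the helpdesk side of this workflow, combining the three steps in the question with Jorge's JOIN-GROUP variant. This is an added example, not code from either poster or from the linked blog post; the workstation OU path, the assumption that a group named JOIN-GROUP has already been delegated join rights on that OU, and the 7-day window are all assumptions, and the time-bound group membership requires the forest's Privileged Access Management optional feature.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): helpdesk-side script for the join workflow.
# Assumed: the workstation OU path, a group named JOIN-GROUP that has been delegated
# join rights on that OU (per Jorge's reply), and a 7-day window for the user.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [Parameter(Mandatory)][string]$RequestingUser,                 # sAMAccountName
    [string]$WorkstationOU = 'OU=Workstations,DC=example,DC=com',  # assumption
    [string]$JoinGroup     = 'JOIN-GROUP',                         # assumption
    [int]$DaysAllowed      = 7                                     # the "X days"
)
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# One-time hardening: zero the quota so users without delegated rights cannot create
# machine accounts on their own (same effect as removing Authenticated Users from the
# "Add workstations to domain" user right). Idempotent, so safe to re-run.
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) {
    Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# Pre-create the computer object with the exact name the user will join with, in the
# OU where JOIN-GROUP holds the delegated rights. The join fails if the names differ.
if (-not (Get-ADComputer -Filter "Name -eq '$ComputerName'")) {
    New-ADComputer -Name $ComputerName -SamAccountName "$ComputerName`$" `
                   -Path $WorkstationOU -Enabled $true
}

# Grant the user the right to join for a bounded time. -MemberTimeToLive needs the
# forest's Privileged Access Management feature; without it, fall back to a plain add
# and rely on the helpdesk to remove the user from the group after the window.
try {
    Add-ADGroupMember -Identity $JoinGroup -Members $RequestingUser `
                      -MemberTimeToLive (New-TimeSpan -Days $DaysAllowed) -ErrorAction Stop
} catch {
    Write-Warning "Time-bound membership unavailable ($_); adding without a TTL."
    Add-ADGroupMember -Identity $JoinGroup -Members $RequestingUser
}

# Audit: computers created under the old quota by ordinary users carry mS-DS-CreatorSID,
# which stays empty for objects created by delegated or administrative accounts.
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    Select-Object Name, whenCreated, @{ n = 'CreatorSID'; e = { $_.'mS-DS-CreatorSID' } }
```

Run it as the helpdesk account once per request; the audit query at the end lists the machines that were joined under the 10-per-user default before the quota was zeroed, so they can be reviewed or moved into the managed OU.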
