Unauthorized user creating Computer accounts on AD

Richard

Here's the deal: I work as a sysadmin for a company where a
user showed me how he was able to create a computer
account on AD. Based on what he's told me, he's always
been able to but he doesn't know why and how and no one
else has the ability.

He's neither a member of Enterprise Admin, Domain Admin,
or Account Operators group.

He's creating it where it's going into the default
Computer Container in the root of the Active Directory and
his account was not delegated any control.

I checked his group membership and none of the groups he's
a member of are within the administrative groups named
above.

I verified that he does not have admin rights in the sense
that he could not access an administrative share on either
the network or servers.

What's going on???!!!
 
Richard

To clarify, I meant he does not have domain admin rights
when trying to access any other computers, including
servers' administrative shares.
 
Guest

This is not true. I've never seen this to be true. Plus,
this user has created more than just 10 computer objects
on the domain.
 
Johan Arwidmark

Windows 2000 grants the "Add workstations to domain" user right to the
Authenticated Users group by default. This means any authenticated
user can create up to 10 computer accounts in the domain. This is also
valid for Windows Server 2003.

Can be solved by:
1. Pre-Create the computer account
2. Delegating permissions to create computer accounts in an OU
3. Change the ms-DS-MachineAccountQuota attribute value using ldp or
adsiedit

Reference:

Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/?id=251335

However, some customers have reported that they actually could create
more than 10 before hitting this limit, but I have not been able to
verify that....

regards
Johan Arwidmark

Windows User Group - Nordic
http://www.wug-nordic.net
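
An added audit example, not part of Johan's post: it reads the domain's ms-DS-MachineAccountQuota and lists which accounts have created computer objects through the "Add workstations to domain" right, using the ms-DS-CreatorSID attribute that Active Directory stamps on such objects. It assumes the RSAT ActiveDirectory PowerShell module (newer than the ldp/adsiedit tools named in the thread) and read access to the domain.

```powershell
# Added example: audit self-service computer account creation.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Domain-wide quota. Default is 10; 0 stops ordinary users from
#    creating computer accounts through the user right.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# 2. Computer objects that carry ms-DS-CreatorSID were created by a
#    non-administrative principal using the user right (not by an admin
#    or through delegated create permissions on an OU).
$created = Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID', whenCreated |
    Where-Object { $_.'ms-DS-CreatorSID' } |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        try {
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $who = $sid.Value   # creator deleted or SID not resolvable
        }
        [pscustomobject]@{
            Computer    = $_.Name
            Creator     = $who
            WhenCreated = $_.whenCreated
            Location    = $_.DistinguishedName
        }
    }

# 3. Per-creator totals, highest first. Any creator above the quota
#    deserves a closer look at how those objects were made.
$created | Group-Object Creator |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Full detail for review, oldest first.
$created | Sort-Object WhenCreated | Format-Table -AutoSize

# 5. Remediation (option 3 in the post above), left commented out so the
#    script stays read-only. Requires rights to modify the domain object.
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Objects without ms-DS-CreatorSID are skipped on purpose; those were pre-created by an administrator or created under delegated OU permissions, which the quota does not count.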
 
