Wednesday, January 9, 2013

Prevent Users from joining Computers to AD

From a security standpoint, it would be pretty hard to control if normal domain users can join their machines to AD without authorization. By default, a user may join up-to 10 computers to AD.

Depending on your organizational security policy, users should only self-help themselves (or restricted to help-desk personnel) with proper authorization. To enforce such policy:

1) Limit the number of computers that a user can join domain from ten (10) to zero (0) by performing the following procedure. 
  • Run Adsiedit.msc on a domain controller as Domain Admin. Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.
  • In the Select which properties to view box, click Both. In the Select a property to view box, click ms-DS-MachineAccountQuota.
  • In the Edit Attribute box, change the number from 10 to 0.
  • Click Set, and then click OK.
2) Before joining any new computers to AD, enforce a pre-staging procedure. It means pre-creating the computer objects on AD before joining the computers to domain. Do note that the computer name of pre-created object should match the local computer name of the new machine.
  • To conduct pre-staging, fire-up "AD Users and Computers Console", go to the OU that the pre-staging computer objects should reside.
  • Click "New" and "Computer". Name the object. Click on the "Change" button as follows to the delegated AD group for help-desk personnel or to the individual self-help user account.

  • Inform the delegated users to join the new computer according to the object name. Upon successful joining, you should be able to view the computer properties, such as the Operating System versions.

6 comments:

  1. This is a very good tip particularly to those new to the blogosphere. Simple but very accurate information… Thank you for sharing this one. A must read post! vectorvines.webgarden.com

    ReplyDelete
  2. I’m really enjoying the design and layout of your blog. It’s a very easy on the eyes which makes it much more pleasant for me to come here and visit more often. Did you hire out a developer to create your theme? Great work! My Blog http://megaworld.beep.com/

    ReplyDelete
  3. Oh my goodness! a tremendous article dude. Thank you Nevertheless I am experiencing concern with ur rss . Don’t know why Unable to subscribe to it. Is there anybody getting equivalent rss problem? Anybody who is aware of kindly respond. Thnkx My Blog http://http://mclubarena.wallinside.com

    ReplyDelete
  4. This post provides clear idea to opt for the latest people of blogging, that really how you can do blogging and site-building. My Blog https://theatrepass.puzl.com/

    ReplyDelete