Re: joining a computer to a domain

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/08/04 

Date: Fri, 8 Oct 2004 14:30:10 -0500

Hi Paul.

That is correct except that it must be configured in Domain Controller
Security Policy for it to take effect in the domain. Since that user right
is defined in Domain Controller Security Policy it will not apply if changed
at the domain level. --- Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/526.asp

"Paul Bergson" <pbergson@mnpower.com> wrote in message
news:efrWykVrEHA.1964@TK2MSFTNGP12.phx.gbl...
> Check out the domain policy
> Computer configuration
> Windows Settings
> Security Settings
> Local Policies
> User Rights Assignments
> Add workstations to domain
>
> I believe the default is to allow everyone to add is 10 and there is a reg
> setting that can be set for this as well. KB is flaky right now so I
> can't
> get at it.
>
> --
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
> "Sandra L Miller" <slm@cs.arizona.edu> wrote in message
> news:#gzA0OVrEHA.3896@TK2MSFTNGP15.phx.gbl...
>> We have just discovered that students have the ability to add their
>> personal machines to the department domain. All they need is an
>> administrative account on their own machine and a valid account in
>> the domain. Student accounts in our domain are not administrative.
>> I had always been under the impression that a domain administrator
>> account was required to join the domain. Maybe this has changed
>> some time since we were running NT with NT servers (we now have XP
>> with 2003 servers).
>>
>> Anyway, my question is how can we prevent this? I couldn't find
>> anything in Group Policy. There must be a setting somewhere that
>> we can set to allow only domain administrators to join a computer
>> to the domain. Can anybody tell me how?
>>
>> Thank you,
>> Sandy
>>
>> --
>> Sandra L Miller
>> Windows System Administrator
>> Department of Computer Science
>> University of Arizona
>>
>> "The opinions or statements expressed herein are my own and should not be
>> taken as a position, opinion, or endorsement of the University of
> Arizona."
>
>

Relevant Pages

  • Re: More than one Administrator Account and Reinstalling OS on a D
    ... Some one has created a regular user account and may added that one to ... There is only one built-in administrator peer domain. ... FSMO roles are actually supposed to be transferred automatically during ... When you remove an existing Domain Controller within Active Directory, ...
    (microsoft.public.win2000.active_directory)
  • Re: More than one Administrator Account and Reinstalling OS on a DC
    ... First to deal with the administrator question, ... administrator account (the one that you can't remove from the administrators ... When you remove an existing Domain Controller within Active Directory, ... Controller you trying to demote is a holder of any of there's. ...
    (microsoft.public.win2000.active_directory)
  • Administrative Rights Lost on DC
    ... While implementing security policies on a domain and the domain controller, ... One other example of a problem I am having is the TS logon as administrator. ... The security policy shows that the "Deny Logon Interactively through ...
    (microsoft.public.windows.server.active_directory)
  • RE: Windows 2000 Server Can access Windows Update Site.
    ... Administrators and Services were already in the security policy. ... The user trying to do the updates is a Domain Administrator. ... Verify the Local Administrator and Service account are added to the ... >> All machines are on the SAME LAN. ...
    (microsoft.public.windowsupdate)
  • Re: Web Server 2003 File Sharing
    ... > I've tried removing Deny Everyone, but this doesn't seem to help. ... > Administrator account name. ... > the new administrator credentials ... >>Can anyone give me any pointers as to what Local Security Policy ...
    (microsoft.public.windows.server.general)
Loading