Re: Limiting Ability to Join Domain
From: Scott Harding - MS MVP (scrockel_at_**NO_SPAM**hotmail.com)
Date: 08/11/04
Date: Wed, 11 Aug 2004 15:40:40 -0700
You have to enable it though?!?! I just looked at mine and it is not defined
and there are no groups in it. The article also states this applies to NT4
but that is certainly not true without giving the user right to add
workstations to the domain. It states "When this privilege is enabled" it
gives the Authenticated Users the right but I don't think it will work
without it being enabled. I'll have to try it.....
--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:%23LxTzM$fEHA.2524@TK2MSFTNGP09.phx.gbl...
> Hi Scott,
>
> this is by design since Windows 2000. They can add maximum 10 workstations
> by default.
>
> **********
> Windows 2000 grants the "Add workstations to domain" privilege to the
> Authenticated Users group by default. When this privilege is enabled,
> authenticated users can bypass the access control list (ACL) check for up to
> a predefined maximum value. To prevent misuse, the maximum number of machine
> accounts any authenticated user can join is 10 by default.
> **********
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;251335&Product=win2000
>
> Mike
>
> "Scott Harding - MS MVP" <scrockel@**NO_SPAM**hotmail.com> wrote in message
> news:uhkZ288fEHA.3536@TK2MSFTNGP12.phx.gbl...
> > A regular Domain User should not have the ability to Add Computers to a
> > Domain.?!?! Do you give them any group membership that is too elevated?
> >
> > --
> > Scott Harding
> > MCSE, MCSA, A+, Network+
> > Microsoft MVP - Windows NT Server
> >
> > "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> > news:eaB4fH8fEHA.2324@TK2MSFTNGP10.phx.gbl...
> > > Hi Ben,
> > >
> > > Only users that have valid username and password can add their PCs to
> > > domain and they can only do this task 10 times. Why would these be bad
> > > security? You already decided to trust users as soon as you gave them
> > > valid username and password in domain. If they add their PC to domain
> > > they don't have any more or less permissions just their work is made a
> > > bit easier.
> > >
> > > Since it is _your_ domain you have option to control every computer that
> > > is joined to domain. You can limit what such computers can or can't do
> > > using group policy. You can also push any service pack or patches once
> > > such computer is in domain and install AV etc... So security is in
> > > _your_ hands...
> > >
> > > Domain Users Cannot Join Workstation or Server to a Domain
> > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;251335
> > >
> > > Look at Method 3 and set the number from 10 to 0.
> > >
> > > Mike
> > >
> > > "Ben" <anonymous@discussions.microsoft.com> wrote in message
> > > news:456c01c47fbf$244fd7f0$a401280a@phx.gbl...
> > > > I've just discovered that all users have the permissions
> > > > to join a computer to our domain. How do I make that
> > > > Administrator accounts only have this permission? It is
> > > > bad security to have anyone able to join a computer to
> > > > the domain. Thanks for any help.
> > > >
> > > > Ben
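
An added example, not part of the original thread: a PowerShell audit of the per-user join limit discussed above and of which accounts have already used it. It assumes the ActiveDirectory (RSAT) module, and that the "number" being set from 10 to 0 is the domain attribute `ms-DS-MachineAccountQuota` (the attribute name is not given in the thread).

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$quotaAttr = 'ms-DS-MachineAccountQuota'   # assumed attribute behind the "10 by default" limit

# 1. Read the per-user machine account quota from the domain head object.
$head  = Get-ADObject -Identity $domain.DistinguishedName -Properties $quotaAttr
$quota = $head.$quotaAttr
"Domain: {0}  {1} = {2}" -f $domain.DNSRoot, $quotaAttr, $quota

# 2. List computer accounts that carry ms-DS-CreatorSID. The attribute is set on
#    computer objects created through the "Add workstations to domain" user right,
#    so it shows which ordinary accounts have joined machines under the quota.
$joined = Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID', whenCreated |
    Where-Object { $_.'ms-DS-CreatorSID' } |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator deleted or not resolvable: keep the raw SID
        [pscustomobject]@{
            Computer = $_.Name
            Creator  = $who
            Created  = $_.whenCreated
        }
    }

# Per-creator totals, highest first, then the individual machines.
$joined | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$joined | Sort-Object Created | Format-Table -AutoSize

# 3. Preview setting the quota to 0, so that only accounts explicitly delegated
#    the right to create computer objects can join machines.
#    Remove -WhatIf to apply the change.
if ($quota -ne 0) {
    Set-ADDomain -Identity $domain -Replace @{ $quotaAttr = 0 } -WhatIf
}
```

Setting the quota to 0 does not touch existing computer accounts; the list from step 2 is what to review for machines that were joined without an administrator's involvement.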