We would like to restrict all users and administrators from joining computers
to the domain unless a computer account has already been created or "staged"
in the Active Directory Users and Computers tool.

We have a Windows 2003 domain.

Does anyone know how to do this?

Thank you for any and all comments clues...!

Re: Restrict Administrators and Users from Joining Computers to the Do by Paul

Paul
Thu Aug 14 15:55:25 PDT 2008

You cannot restrict a domain administrator from doing anything. Tell them
what not to do and if they don't follow the directions pull their security,
it is that simple. For non-admins you can control who can add computers to
the domain.

Limit joins
http://support.microsoft.com/?id=243327

Also see Paul Williams' article on this subject
http://www.msresource.net/knowledge_base/articles/info:_how_does_ms-ds-machineaccountquota_work.html

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"reef" <reef@discussions.microsoft.com> wrote in message
news:93FEB7F8-6144-45A2-888D-60CA74F72063@microsoft.com...
> We would like to restrict all users and administrators from joining
> computers
> to the domain unless a computer account has already been created or
> "staged"
> in the Active Directory Users and Computers tool.
>
> We have a Windows 2003 domain.
>
> Does anyone know how to do this?
>
> Thank you for any and all comments clues...!



Re: Restrict Administrators and Users from Joining Computers to the Do by Meinolf

Meinolf
Fri Aug 15 00:20:05 PDT 2008

Hello reef,

You can not restrict domain admins to do anything. They can revert all settings
you specify because they are domain admins.

Normal users you can restrict. Just remove the authenticated users group
from the security policy setting "Add computers to the domain" under computer
configuration, windows settings, security settings, local policies, User
rights assignment. Add there only the allowed accounts you would have.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> We would like to restrict all users and administrators from joining
> computers to the domain unless a computer account has already been
> created or "staged" in the Active Directory Users and Computers tool.
>
> We have a Windows 2003 domain.
>
> Does anyone know how to do this?
>
> Thank you for any and all comments clues...!
>
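
One way to verify the change Meinolf describes, as an added example that is not part of the original thread: it lists which accounts hold the underlying user right (SeMachineAccountPrivilege) on a domain controller and reads the ms-DS-MachineAccountQuota attribute covered in the article Paul links. It assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module available; the function name is hypothetical.

```powershell
# Added example: audit who can still create computer accounts by joining machines.
# Assumptions: elevated session on a domain controller, ActiveDirectory module present.
Import-Module ActiveDirectory

function Get-JoinRightHolders {
    # Export only the user-rights area of the effective local security policy.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege\s*=' |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right is granted to nobody

    # The value looks like: *S-1-5-11,*S-1-5-32-544  (SIDs carry a '*' prefix)
    $value = ($line.Line -split '=', 2)[1]
    foreach ($entry in $value -split ',') {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }   # deleted or foreign principal
            [pscustomobject]@{ Sid = $sid.Value; Name = $name }
        } else {
            # Entries without '*' are stored as plain account names.
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

$holders = Get-JoinRightHolders
$holders | Format-Table -AutoSize

# S-1-5-11 is the well-known SID of Authenticated Users.
if ($holders.Sid -contains 'S-1-5-11') {
    Write-Warning 'Authenticated Users still hold SeMachineAccountPrivilege.'
}

# Per-user quota of self-created computer accounts, stored on the domain head object.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
           -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"
```

A clean result shows only the intended staging accounts in the table and no warning; members of Domain Admins can still join machines regardless, as both replies point out.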



Re: Restrict Administrators and Users from Joining Computers to th by reef

reef
Tue Aug 19 07:46:01 PDT 2008

thank you. that makes sense.

"Paul Bergson [MVP-DS]" wrote:

> You cannot restrict a domain administrator from doing anything. Tell them
> what not to do and if they don't follow the directions pull their security,
> it is that simple. For non-admins you can control who can add computers to
> the domain.
>
> Limit joins
> http://support.microsoft.com/?id=243327
>
> Also see Paul Williams' article on this subject
> http://www.msresource.net/knowledge_base/articles/info:_how_does_ms-ds-machineaccountquota_work.html
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "reef" <reef@discussions.microsoft.com> wrote in message
> news:93FEB7F8-6144-45A2-888D-60CA74F72063@microsoft.com...
> > We would like to restrict all users and administrators from joining
> > computers
> > to the domain unless a computer account has already been created or
> > "staged"
> > in the Active Directory Users and Computers tool.
> >
> > We have a Windows 2003 domain.
> >
> > Does anyone know how to do this?
> >
> > Thank you for any and all comments clues...!
>
>
>

Re: Restrict Administrators and Users from Joining Computers to th by reef

reef
Tue Aug 19 07:47:01 PDT 2008

thank you sir

"Meinolf Weber" wrote:

> Hello reef,
>
> You can not restrict domain admins to do anything. They can revert all settings
> you specify because they are domain admins.
>
> Normal users you can restrict. Just remove the authenticated users group
> from the security policy setting "Add computers to the domain" under computer
> configuration, windows settings, security settings, local policies, User
> rights assignment. Add there only the allowed accounts you would have.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > We would like to restrict all users and administrators from joining
> > computers to the domain unless a computer account has already been
> > created or "staged" in the Active Directory Users and Computers tool.
> >
> > We have a Windows 2003 domain.
> >
> > Does anyone know how to do this?
> >
> > Thank you for any and all comments clues...!
> >
>
>
>