Sign in with
Sign up | Sign in
Your question

Restrict Who can a computer to the domain join Domain

Tags:
  • Policy
  • Default
  • Domain
  • Computers
  • Windows
Last response: in Windows 2000/NT
Share
April 22, 2005 10:49:16 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

How can I remove the right that users have to join our domain. I run a 2000
Domain in a school and at the moment everyone and his dog can join the domain
as the default is 10 machines per user i want to restrict this right to the
Domain admins group in the default domain policy!? New computers appear in
the default computers folder in Users and computers, can I set up a policy
that sends these objects (computers) directly to an OU which is preconfigured
with restrictions in addition to the default domain Policy??? I should know
the answer to this but am somewhat under stress at the moment. I know I,m
going to kick myself.... Many thanks in Advance.

More about : restrict computer domain join domain

Anonymous
April 22, 2005 3:35:18 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Have you tried setting the "Add workstations to domain" policy?

---------------------policy description from help
file ---------------------------
Add workstations to domain
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment

Description
Determines which groups or users can add workstations to a domain.

This policy is valid only on domain controllers. By default, any
authenticated user has this right and can create up to 10 computer accounts
in the domain.

Adding a computer account to the domain allows the computer to participate
in Active Directory-based networking. For example, adding a workstation to a
domain enables that workstation to recognize accounts and groups that exist
in Active Directory.

Default: Authenticated Users.

Note

a.. Users who have the Create Computer Objects permission on the Active
Directory computers container can also create computer accounts in the
domain. The distinction is that users with permissions on the container are
not restricted to the creation of only 10 computer accounts. In addition,
computer accounts that are created by means of "Add workstations to domain"
have Domain Administrators as the owner of the computer account, while
computer accounts that are created by means of permissions on the computers
container have the creator as the owner of the computer account. If a user
has permissions on the container and also has the "Add workstations to
domain" user right, the computer is added, based on the computer container
permissions rather than on the user right.
For more information, see:

Security Configuration Manager Tools in help.



--
Judith Herman
Microsoft Corporation
Server User Assistance - Group Policy
======================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================
"BoneMan" <BoneMan@discussions.microsoft.com> wrote in message
news:A02560EA-69BC-44C2-9B0D-048E6B9CCF08@microsoft.com...
> How can I remove the right that users have to join our domain. I run a
> 2000
> Domain in a school and at the moment everyone and his dog can join the
> domain
> as the default is 10 machines per user i want to restrict this right to
> the
> Domain admins group in the default domain policy!? New computers appear in
> the default computers folder in Users and computers, can I set up a
> policy
> that sends these objects (computers) directly to an OU which is
> preconfigured
> with restrictions in addition to the default domain Policy??? I should
> know
> the answer to this but am somewhat under stress at the moment. I know I,m
> going to kick myself.... Many thanks in Advance.


begin 666 note.gif
M1TE&.#EA"@`*`+/_`(V,C?__S/_,`/\%!?]=7<# P-/3T\# P(6%A0("`@``
M`````````````````````"'Y! $```4`+ `````*``H`0 0H$,AI#AD@Z)U*
AR1HB)(8'<N,7&EJG;JV P4GZ&@D2(";<>HF@,.B)```[
`
end
!