By default Windows Server 2003 and upwards allows any authenticated user of a domain to add up to 10 machines without elevated user privileges to a domain, that is users who are not members of any elevated security groups such as domain admins or account operator groups. Because computer objects are security principals it is extremely problematic where security is concerned, if a user were to add a computer to the domain they would be able to manage the properties of that computer. Additionally, computer objects are added the Computer container by default within the Active Directory Users and Computers snap-in unless they are prestaged or redirected to a specified organisational unit. This means if you have not made any configurations to the default AD DS set up a computer added does not inherit any group policy settings that you have created to match your company’s security practices against.
Having just come across a loophole as such I thought I would share the knowledge on how to stop users adding machines to a domain without administrator rights.
The solution to stop authenticated users adding machines to a domain is a simple one and gives you, the IT guru more control over the network. Follow the steps below to close this loophole:-
- Log onto your primary domain controller.
- Launch the ADSI Edit console from the Administrative tools folder on the programs menu
- Right click on the domain controller folder the folder should be named something like this DC=your domain, DC=com
- Click Properties
- Scroll down the attribute list until you see MS-DS-machineaccountquota, the value 10 should be the default value.
- Click edit and then enter ‘0’, this will stop authenticated users adding machines to the network but allow elevated users such as domain admins to add computers.
- Click OK to close the window.
Tip 1 – It is a Microsoft best practice that computer objects are prestaged, this means create the computer object in AD Users and Computers before they are joined to the domain, that way the computer is in the relevant container and inherits policies at the next refresh or logon.
Tip 2 - Redirecting computers which are joined to the domain if they have not been prestaged is also a best practice as you can apply a group policy to the redirected container. To redirect computers from the default Computer container to a desired one first open up command prompt and then enter the following command redircmp “OU=Clients,DC=contoso,DC=com“ <– (the location of the OU you want to redirect it to).