Wednesday, December 14, 2022

Windows: Delegating adding computers to an Active Directory Domain

By default, in Active Directory, any authenticated user has the right to add up to 10 hosts to the domain; members of the "Domain Admins" and "Account Operators" groups have no limit. There are two ways to restrict this right for ordinary users:

1. Connect to the domain naming context using "adsiedit.exe" and, in the properties of our domain, change the value of the "ms-DS-MachineAccountQuota" attribute from 10 to 0. Now no one except the "Domain Admins" and "Account Operators" groups can add a new computer to Active Directory. To give such rights to another group you have created, you will have to delegate that right on the domain. This is done through the "dsa.msc" snap-in (right-click on the domain and select "Delegation of control ...").

2. Using "adsiedit.exe", connect to the domain naming context and, in the properties of our domain, reset the "ms-DS-MachineAccountQuota" attribute to the state <not set>. This removes the limit on the number of computers any user can add, so users now have to be restricted through the "Default Domain Controllers Policy" group policy instead. Open "Computer Configuration->Policies->Windows Configuration->Security Settings->Local Policies->User Rights Assignment->Add Workstations to Domain", remove the "Authenticated Users" group from there and add "Domain Admins", "Account Operators" and any other groups that need the right.
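The same change can be audited and applied from PowerShell instead of "adsiedit.exe". The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read and write the domain object. It reads the current quota, applies scenario 1 (quota = 0) with "Set-ADDomain", shows the "-Clear" form for scenario 2, and then lists computer objects that were joined under the quota: Active Directory records the SID of the non-privileged user who created such an object in the "mS-DS-CreatorSID" attribute, which is useful to see who has been relying on the default before you take it away.

```powershell
# Added example (not from the original post): audit and set ms-DS-MachineAccountQuota
# and list computers joined by non-privileged users. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Read the current quota. The attribute is simply absent when it is <not set>.
$domainObj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota     = $domainObj.'ms-DS-MachineAccountQuota'
if ($null -eq $quota) {
    Write-Output "ms-DS-MachineAccountQuota is <not set>: no per-user limit (scenario 2)"
} else {
    Write-Output "ms-DS-MachineAccountQuota = $quota"
}

# 2a. Scenario 1: set the quota to 0 so only delegated groups can join computers.
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2b. Scenario 2 (alternative, commented out): clear the attribute back to <not set>
#     and restrict "Add workstations to domain" in Default Domain Controllers Policy.
# Set-ADDomain -Identity $domainDN -Clear 'ms-DS-MachineAccountQuota'

# 3. Detection: computers created under the quota carry mS-DS-CreatorSID, the SID of
#    the ordinary user who joined them. Computers created by Domain Admins do not.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module returns the value as a raw byte array (octet string); build a SID from it.
        $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
               else { New-Object System.Security.Principal.SecurityIdentifier ($raw, 0) }
        $creator = try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $sid.Value }   # deleted or foreign account: keep the SID string
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
        }
    } | Sort-Object WhenCreated | Format-Table -AutoSize
```

Run the audit part first on its own before applying step 2a: the list of creators tells you which users or service accounts (for example, deployment tooling) actually join machines today and therefore belong in the group you delegate the right to.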
