Users can add computers to the domain

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hello:

Something interesting happened the other day. A new helpdesk tech said he
could join a new computer to the domain without using a domain admin
account. I verified it with him and he can. His account is a plain account
that does not have domain admin or enterprise admin rights. I looked at it
a little closer and noticed on the Security tab he was in quite a few
groups. From what I know these groups should not allow a user to join a
computer to the domain.

Does anyone have any idea?

Harrison Midkiff
 

Hi Harrison,

Thanks for posting!

I am sorry for the delayed response due to the weekend. Please understand that
the newsgroups are staffed weekdays by Microsoft Support professionals to
answer your systems and applications questions. Our goal is to provide 24
hour response to all questions. Your understanding is greatly appreciated!

I understand that you wonder why a user who does not have domain admin
privilege can join a new computer to the domain. If I have misunderstood your
concerns, please feel free to let me know.

Based on my experience, by default, Windows 2000/2003 allows authenticated
users to join ten machine accounts to the domain. Windows 2000/2003 grants
the "Add workstations to domain" privilege to the Authenticated Users group
by default. You may refer to the following policy.

Computer Configuration | Windows Settings | Security Settings | User Rights
Assignment | "Add workstations to domain"

Some more information for your reference:
243327 Default Limit to Number of Workstations a User Can Join to the Domain
http://support.microsoft.com/?id=243327

251335 Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/?id=251335

Hope the information helps. If there is anything unclear, please feel free
to let me know. I am glad to be of assistance.

Thanks & Regards,

Jason Tan
Microsoft Online Partner Support
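
The default described in the reply above can be checked from a `secedit /export` dump. The sketch below is an added example, not part of the original post: it lists who holds `SeMachineAccountPrivilege` (the constant behind "Add workstations to domain") and combines that with the per-user quota. The sample export and the quota argument are constructed; in a real domain the quota is the `ms-DS-MachineAccountQuota` attribute on the domain object.

```python
"""Audit who holds "Add workstations to domain" in a secedit-style export."""

# Well-known SIDs that cover ordinary, non-administrative logons.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
RIGHT = "SeMachineAccountPrivilege"  # constant behind "Add workstations to domain"

# Constructed sample: part of a `secedit /export` file from a default install.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeMachineAccountPrivilege = *S-1-5-11
[Version]
signature="$CHICAGO$"
"""


def holders_of(inf_text, right=RIGHT):
    """Return the principals assigned `right` in the [Privilege Rights] section."""
    section, found = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == right.lower():
                # SIDs are written with a leading '*'; account names are bare.
                found = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return found


def audit(inf_text, machine_account_quota):
    """Combine the user right with the per-user quota (ten by default, per the reply)."""
    principals = holders_of(inf_text)
    broad = [BROAD_SIDS[p] for p in principals if p in BROAD_SIDS]
    # Domain Users has a domain-specific SID that always ends in RID 513.
    broad += ["Domain Users" for p in principals
              if p.startswith("S-1-5-21-") and p.endswith("-513")]
    # A quota of 0 blocks joins made through the user right alone.
    exposed = bool(broad) and machine_account_quota > 0
    return {"holders": principals, "broad": broad,
            "quota": machine_account_quota, "any_user_can_join": exposed}


if __name__ == "__main__":
    print(audit(SAMPLE_INF, 10))
```

A result with `any_user_can_join` set to `True` matches the behaviour reported in the question; removing the broad principal from the user right or setting the quota to 0 clears it.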

 

Jason:

Thanks. I recall this now that you state it.

Harrison Midkiff
 

Hi Harrison,

Thank you for your prompt reply! I am glad to hear the information helps.
If you have any other questions or concerns, please feel free to let us
know. Thanks for your time! 🙂

Have a great day!

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support