How the domain join is processed:

In order to join a domain, the operating system needs a computer account. It tries to obtain one in the following order:

  1. It searches for an existing computer account with the same name as the machine. If a matching account is found (typically a pre-staged account, which is disabled until a machine is joined to it), the operating system tries to take ownership of that account.
  2. Otherwise it tries to create a new computer account using the joining user's own permissions, that is, explicit "Create Computer objects" rights delegated on the target OU or container.
  3. If the user has no such rights, the join falls back to the user right "Add workstations to domain" (SeMachineAccountPrivilege), which allows the account to be created in the default Computers container of Active Directory.

About the "Add workstations to domain" user right:

This right exists so that end users can join their own workstations to the domain, presumably to make life easier for IT staff. By default it is granted, through the Default Domain Controllers Policy, to the Authenticated Users group. Because every user and computer that authenticates to the domain is automatically an Authenticated User, every domain user holds this right.

  • By default, each user holding that right can join up to 10 new computers to the domain. The limit is stored in the ms-DS-MachineAccountQuota attribute of the domain object, and the domain controller enforces it by counting the computer objects whose ms-DS-CreatorSID attribute equals the user's SID.
  • This matters for security: any low-privileged domain account, including a compromised one, can by default create up to 10 computer accounts whose passwords it controls. In this article I will show you 2 methods to disable this behaviour.
  • In addition, at the end of the article I will show you some commands related to joining computers to the domain, such as how to check whether regular users have joined new computers to the domain, how to check how many computers a user can join to the domain, and more.

Method 1:

  1. Open ADSI Edit (Start > Run > adsiedit.msc).
  2. Right-click "ADSI Edit" –> "Connect to".
  3. In the "Connection Settings" window, under "Select a well known Naming Context", choose "Default naming context" and click "OK".
  4. Right-click your domain –> "Properties".
  5. Find the attribute "ms-DS-MachineAccountQuota", change its value from 10 to 0 and click "OK".
  6. From now on, when a normal user tries to join a new computer to the domain, the join fails with an error saying that the user does not have permission to join the computer to the domain.

Note that a quota of 0 only blocks the "Add workstations to domain" path. Users or groups that have been delegated explicit "Create Computer objects" permissions on an OU can still join computers, and computer accounts that users created before the change are not removed.
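The same change as Method 1, done with the ActiveDirectory PowerShell module instead of clicking through ADSI Edit. This is an added example and is not part of the original article: it assumes the RSAT ActiveDirectory module is installed and that it runs as a Domain Admin, and the function name Get-MachineAccountQuota is my own, not a built-in cmdlet.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory (RSAT) module and Domain Admin rights.
Import-Module ActiveDirectory

$attr = 'ms-DS-MachineAccountQuota'

function Get-MachineAccountQuota {
    # The attribute lives on the domain naming-context head (e.g. DC=corp,DC=example),
    # which is what ADSI Edit shows as "your domain" under Default naming context.
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties $attr).$attr
}

$before = Get-MachineAccountQuota
"Current ms-DS-MachineAccountQuota: $before"

# Replace the attribute value with 0. This closes the "Add workstations to domain"
# path only; delegated Create-Computer-objects rights on OUs are unaffected.
$dn = (Get-ADDomain).DistinguishedName
Set-ADObject -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Read it back rather than trusting the write succeeded.
$after = Get-MachineAccountQuota
if ($after -ne 0) { throw "Quota is still $after, the change did not apply" }
"ms-DS-MachineAccountQuota is now $after"
```

Run it once with `-WhatIf` appended to the Set-ADObject line if you want to see the change before committing it; the attribute is read from and written to the domain object itself, so no GPO refresh is needed for it to take effect.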


Method 2:

  1. Open the Group Policy Management Console
    Start > Run > gpmc.msc
  2. Right-click the policy "Default Domain Controllers Policy" and click "Edit".
  3. Find "User Rights Assignment" on this path:
    Computer Configuration → Policies → Windows Settings → Security Settings → User Rights Assignment
  4. Under "User Rights Assignment", open "Add workstations to domain", remove the group "Authenticated Users" and add the group(s) you want to allow to join computers to the domain.

The setting takes effect on each domain controller after the next Group Policy refresh (or gpupdate /force). User rights assignments are not merged between GPOs, so if another GPO linked to the Domain Controllers OU also grants this right, remove Authenticated Users there as well.
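A way to verify on a domain controller that Method 2 actually took effect, by exporting the effective user rights with secedit (built into Windows) and resolving who still holds SeMachineAccountPrivilege. This is an added example, not code from the original article; it assumes an elevated PowerShell session on a DC after a policy refresh, and the function name Get-MachineAccountPrivilegeHolders is my own.

```powershell
# Added example, not from the original article.
# Run elevated on a domain controller after gpupdate /force.
function Get-MachineAccountPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'

    # Export only the User Rights Assignment area of the effective local policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    # The exported line looks like:  SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-21-...-512
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' } |
            Select-Object -First 1
    Remove-Item $cfg -Force

    if (-not $line) { return @() }

    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with '*' are SIDs; resolve them to names where possible,
            # otherwise keep the raw SID (e.g. a deleted group).
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else {
            $entry
        }
    }
}

$holders = Get-MachineAccountPrivilegeHolders
"Principals holding 'Add workstations to domain' on $env:COMPUTERNAME:"
$holders | ForEach-Object { "  $_" }

# S-1-5-11 is the well-known SID of Authenticated Users.
if ($holders -contains 'NT AUTHORITY\Authenticated Users' -or $holders -contains '*S-1-5-11') {
    Write-Warning "Authenticated Users still holds the right; the GPO change has not applied here"
}
```

Because the right is evaluated by whichever domain controller handles the join, check every DC, not just the one you edited the policy on.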


PowerShell Commands:

  • To check how many computers users can join to the domain (the current value of ms-DS-MachineAccountQuota), run the following command:
Get-ADDomain | Select-Object -ExpandProperty DistinguishedName | Get-ADObject -Properties 'ms-DS-MachineAccountQuota' | Select-Object -ExpandProperty 'ms-DS-MachineAccountQuota'
  • To find which computers were joined to the domain by regular users (every computer created through the "Add workstations to domain" right has its creator's SID stored in ms-DS-CreatorSID), run the following command:
Get-ADComputer -Filter {ms-DS-CreatorSID -like '*'}

To check which computers were joined by a specific user, run the following commands:

$sid = (Get-ADUser matan.siga).SID
Get-ADComputer -Filter {ms-DS-CreatorSID -eq $sid}

Instead of the user "matan.siga", enter the username that you want to check.

  • To get a tidy table of all the users who added computers and how many computers each one added, run the following script:
Get-ADComputer -Filter {ms-DS-CreatorSID -like '*'} -Properties ms-DS-CreatorSID |
    Group-Object ms-DS-CreatorSID | ForEach-Object {
        # One row per creator: count, creator (SID string for now) and the computer names
        $ret = $_ | Select-Object Count,
            @{ Name = 'UserName';      Expression = { $_.Name } },
            @{ Name = 'ComputerNames'; Expression = { $_.Group | Select-Object -ExpandProperty Name } }
        # Try to resolve the creator SID into an account name; if the account no
        # longer exists, the raw SID is left in the UserName column
        try {
            $ret.UserName = (New-Object System.Security.Principal.SecurityIdentifier($_.Name)).Translate([System.Security.Principal.NTAccount]).Value
        } catch {}
        $ret
    }
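The quota check and the per-user lookup above can be combined into a single report of how much of the quota a given user has already consumed, which is the same comparison the domain controller makes (computer objects whose ms-DS-CreatorSID equals the user's SID, against ms-DS-MachineAccountQuota). This is an added example and not part of the original article; it assumes the ActiveDirectory module, reuses the article's sample account name matan.siga, and the function name Get-MachineAccountUsage is my own.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory (RSAT) module; read-only, so any domain user can run it.
Import-Module ActiveDirectory

function Get-MachineAccountUsage {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domainDn = (Get-ADDomain).DistinguishedName
    $quota    = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $sid      = (Get-ADUser -Identity $SamAccountName).SID.Value

    # An LDAP filter on the SID string avoids any type juggling with SID objects in -Filter.
    # whenCreated lets you see when each account was joined.
    $created = @(Get-ADComputer -LDAPFilter "(ms-DS-CreatorSID=$sid)" -Properties whenCreated |
                 Sort-Object whenCreated)

    [pscustomobject]@{
        User      = $SamAccountName
        Quota     = $quota
        Used      = $created.Count
        # The DC refuses the join once Used reaches Quota; a quota of 0 means no joins at all
        Remaining = [Math]::Max(0, $quota - $created.Count)
        Computers = @($created | ForEach-Object { "$($_.Name) ($($_.whenCreated.ToString('yyyy-MM-dd')))" })
    }
}

# Sample account from the article; substitute the user you want to check.
Get-MachineAccountUsage -SamAccountName 'matan.siga' | Format-List
```

A user who shows up with Used greater than 0 but Remaining equal to 0 after you apply Method 1 is exactly the case the note under Method 1 describes: the accounts they created earlier remain, and only new joins are blocked.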

This Article Was Written By Matan Sigavker.
