Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

AD allows domain users to join 10 PC's to domain?

Status
Not open for further replies.
achilleus

achilleus

IS-IT--Management
Joined
Oct 3, 2001
Messages
351
Location
US
Thanks in advance for any help you can offer.

I read in a tech type email that, by default, AD allows domain users to join up to 10 computers to the Windows 2000 domain. Meaning, that each domain user has permissions to add up to 10 machines to the domain?

And that granting the "Add workstations to domain" privilege to the Authenticated users group allows users to bypass the ACL; but only for 10 machines?

Is this true?

AJ
SA
HS
 
Sort by date Sort by votes
Well, I did passed the Directory Design exam 70-219, and no where did I ever come across this in my studies. What I know for sure is that you can delegate control to a user so that he/she can join machines to the network. There is not a limit on this. By default, only administrators and those with admin previliges can join computers to a network. And like I said before, you can delegate control to a user to carry out such function. It wouldn't hurt to perform this experiment and see if it work.

MCP 2000
 
Upvote 0 Downvote
Thanks for the response kweh4. I believed this was the case also. The email that stated otherwise was from TechRepublic (one of their daily tech emails). I have never seen this anywhere else.

Here is the actual text of the email:

WINDOWS 2000 SERVER

ADD USERS TO THE DOMAIN

By default, Windows 2000 Active Directory allows domain users to join up to 10 computers to the Windows 2000 domain. Granting the Add Workstations
To Domain privilege to the Authenticated Users group allows all domain
users to bypass the access control list (ACL) check--but only for 10
machines.

You can change this maximum number either with a script or by using the Windows 2000 Support Tools' ADSI Edit utility. To use the ADSI Edit utility to change the maximum number, follow these steps:

1. Install the Support Tools from the Support\Tools folder on the Windows 2000 Server CD-ROM.

2. Run the ADSI Edit utility from the Windows 2000 Support Tools\Tools folder on the Start menu.

3. Highlight and right-click the domain name and select Properties.

4. In the Select A Property To View box, select Ms-DS-MachineAccountQuota.

5. The value entered is 10. Change it to 0 to prevent users from joining computers to a domain, or enter any other integer value to change the number of computers users can join.

6. Click OK to save your changes and close the dialog box, and then close the ADSI Edit utility.

You can prevent users from joining new computers to the domain by removing the Add Workstations To Domain privilege from the Authenticated
Users group.

AJ
SA
HS
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

goombawaho
  • Locked
  • Question Question
Domain join from wifi connected laptop
Replies
4
Views
1K
goombawaho
goombawaho
DTGMI
  • Locked
  • Question Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
797
DTGMI
DTGMI
MattM1975
  • Locked
  • Question Question
Domain Admin Logon
Replies
2
Views
560
ADB100
ADB100
rzammit82
  • Locked
  • Question Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
1K
suncit
suncit
microsGuy16
  • Locked
  • Question Question
Can not copy files to Mapped drive
Replies
0
Views
1K
microsGuy16
microsGuy16

Part and Inventory Search

Sponsor

Back
Top