Windows Server 2000/2003 Thread: Users being able to add 10 computers to a domain (in Technical)
  1. #16
    Ben-BSH
    Well, thanks all, and I'm glad I brought up an issue which other people now are aware of!

    And who said Microsoft courses were useless!

  2. #17
    cookie_monster
    Quote Originally Posted by maniac View Post
    OK, it's a design flaw then. Whichever way you look at it, it's a little bit daft.

    I feel it is as well, but as I say, MS had a reason for it (I'll try to find the article), and this reason prevented them from changing it in 2003 and 2008 Server (or did they finally change it in 2008?).

    I seem to remember the rationale was that they didn't feel that adding a computer account presented an issue, as their user account would still have policy and restrictions applied; they also couldn't move the computer account from the default Computers container to receive software or station-specific settings, as they wouldn't have that right. I'm assuming that they weren't factoring in virus issues.
    Last edited by cookie_monster; 4th November 2009 at 12:54 PM.

  3. #18

    dhicks
    Quote Originally Posted by cookie_monster View Post
    Yep I remember reading an interview with an MS employee who worked on the AD design team. They just decided on a number out of the blue, he had a reason for it that I can't remember now but I remember laughing at it.
    Hang on, sudden thought: does a user with a Windows XP Home or similar machine connecting to a network file share count as "joining" a domain?

    --
    David Hicks

  4. #19
    DMcCoy
    Quote Originally Posted by dhicks View Post
    Hang on, sudden thought: does a user with a Windows XP Home or similar machine connecting to a network file share count as "joining" a domain?

    --
    David Hicks
    If they authenticate, then a CAL is probably required.

  6. #20
    ajbritton
    Surely the user would need to be a local Admin on the PC to add it to the domain.

    The way I understood this setup was that although the user is allowed to add a computer to the domain, the computer account would have to already have been created. Has anyone actually tested this?

  8. #21
    cookie_monster
    Quote Originally Posted by dhicks View Post
    Hang on, sudden thought: does a user with a Windows XP Home or similar machine connecting to a network file share count as "joining" a domain?

    --
    David Hicks

    I don't think XP Home is allowed by licence to access a domain, so by doing it you would be breaking the licence terms anyway. (Don't quote me on that; you have to check the EULA.)

  9. #22

    Michael
    This has been a 'feature' since Server 2003, so ironically I think 2000 Server (in this situation) is actually more secure by default. I agree the default value should be zero as I've never allowed staff or pupils to join the domain.

    Windows XP Home cannot join a domain but only a workgroup, so there's no problem here. If you right click - My Computer > Properties > Computer Name (tab) you can compare the differences between Home and Pro.
    You can still map network drives and access shares on a domain from XP Home, but you'd typically need to authenticate every time: DOMAINNAME\USERNAME

  10. #23
    cookie_monster
    Quote Originally Posted by Michael View Post
    This has been a 'feature' since Server 2003, so ironically I think 2000 Server (in this situation) is actually more secure by default. I agree the default value should be zero as I've never allowed staff or pupils to join the domain.

    Windows XP Home cannot join a domain but only a workgroup, so there's no problem here. If you right click - My Computer > Properties > Computer Name (tab) you can compare the differences between Home and Pro.
    You can still map network drives and access shares on a domain from XP Home, but you'd typically need to authenticate every time: DOMAINNAME\USERNAME

    It was an original Active Directory design decision and was present in Windows 2000.

    Windows 2000 grants the "Add workstations to domain" privilege to the Authenticated Users group by default. When this privilege is enabled, authenticated users can bypass the access control list (ACL) check for up to a predefined maximum value. To prevent misuse, the maximum number of machine accounts any authenticated user can join is 10 by default.
    Domain Users Cannot Join Workstation or Server to a Domain
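
Added example, not part of any post in this thread: a PowerShell audit of the 10-account limit discussed above, showing the current quota and which users have already created computer accounts under it. It assumes the RSAT ActiveDirectory module and read access to the domain; the attribute names `ms-DS-MachineAccountQuota` and `ms-DS-CreatorSID` do not appear in the thread and are the directory attributes that hold the quota and the creator of each quota-counted account.

```powershell
# Added example: report the machine-account quota and who has used it.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# The quota is stored on the domain head object; 10 is the default value.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Machine account quota for $($domain.DNSRoot): $quota"

# Computer accounts created by ordinary users through the
# "Add workstations to domain" right carry the creator's SID in
# ms-DS-CreatorSID; AD uses it to count accounts against the quota.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
            -Properties 'ms-DS-CreatorSID', whenCreated

$joined | Group-Object { $_.'ms-DS-CreatorSID'.Value } | ForEach-Object {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Name)
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = "$($_.Name) (unresolved, account may be deleted)" }
    [pscustomobject]@{
        Creator   = $who
        Count     = $_.Count
        Computers = ($_.Group.Name -join ', ')
        Newest    = ($_.Group.whenCreated | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# To stop ordinary users creating machine accounts, set the quota to zero
# (uncomment after reviewing the report above):
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

With the quota at zero, joins still work for accounts that have been delegated the right to create computer objects in a specific OU, or for computer accounts that an administrator pre-creates.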
