Windows Server 2000/2003 Thread (Technical): Users being able to add 10 computers to a domain. Page 1 of 2, posts 1 to 15 of 23.
#1 Ben-BSH

    Users being able to add 10 computers to a domain

    As I learnt on my latest course, normal users (in our case students) have the ability to add 10 computer accounts to a domain. I am the apprentice and do not want to fiddle too much, in case of breaking something and then being hunted through the building before experiencing a horrible, painful death.

    So, I come to ask if anyone knows a simple solution to this security hole? Thanks.


#2 SC-UK
    Although this is technically true, if your network is fairly secure anyway there should be no option that they can access to join a domain. They shouldn't be allowed to get into the rename computer dialogue or anything like that.

    The only place this may be an issue is students bringing in laptops from home and joining them to the domain, but there are a number of different solutions to this.

    Tom


#3 Jamman960
    This can be configured via Group Policy; I haven't got time to check right now, but surely this isn't the default anyway?

    Creating a Computer Account Management Plan: Logon and Authentication should shed more light on the issue.

    James


#4 plexer
    Specifically this bit:

    Allow authenticated users to create new computer accounts. This approach might be desirable in organizations where users can be largely trusted. However, if you only want to trust a limited group of users, such as developers, for example, to create new computer accounts, you can control this by using the Security Configuration Manager to either assign or deny this right to users. By default, authenticated users are assigned the Add workstations to domain user right on the Group Policy object on domain controllers. This enables them to create up to 10 computer accounts in the domain by using the Network Identification Wizard. The wizard requests information about the computer name, the domain or workgroup that the computer is joining, and the domain users that are to be added to the local groups for local computer access, and uses this information and the credentials of the authenticated user to create a new account in Active Directory.
    Ben


#5 Jamman960
    Hmm, I've just checked our domain security policy (Administrative Tools > Domain Security Policy > Local Policies > User Rights Assignment) and the default is indeed to allow users to create 10 computer accounts. This can be secured by configuring the policy option with the users/groups that are to be permitted to create computer accounts.

    It may also need changing within the Default Domain Controller Security Policy.

    Think I'll have to take a closer look at the policies... I really wasn't expecting anything like that to be the default option, argh.

    James
    Last edited by Jamman960; 4th November 2009 at 10:34 AM.

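An added example (mine, not from the thread or from the Microsoft article plexer quotes) that checks the two controls posts #4 and #5 describe and tightens them: the ms-DS-MachineAccountQuota value on the domain object (the "10") and the holders of SeMachineAccountPrivilege ("Add workstations to domain") in the Default Domain Controllers Policy. Assumptions: the ActiveDirectory and GroupPolicy RSAT modules are available (a Server 2008 R2 or later management box; a 2003 domain needs the Active Directory Management Gateway Service for the AD cmdlets), the GPO still carries its default name, and the remediation line is left on -WhatIf until the audit output has been reviewed.

```powershell
# Added example, not from the thread. Needs RSAT: ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Control 1: the per-user quota, stored on the domain object. Default is 10.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $domainDN : $quota"

# Control 2: who holds "Add workstations to domain" (SeMachineAccountPrivilege).
# It is defined in the Default Domain Controllers Policy; the name is an assumption if renamed.
$gpoName = 'Default Domain Controllers Policy'
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml -Domain $domain.DNSRoot

# The report uses varying namespace prefixes, so match on local element names.
$rightNodes = $report.SelectNodes(
    "//*[local-name()='UserRightsAssignment'][*[local-name()='Name']='SeMachineAccountPrivilege']")

$holders = foreach ($node in $rightNodes) {
    foreach ($member in $node.SelectNodes("*[local-name()='Member']")) {
        $sidNode = $member.SelectSingleNode("*[local-name()='SID']")
        New-Object PSObject -Property @{
            Name = $member.SelectSingleNode("*[local-name()='Name']").InnerText
            SID  = if ($sidNode) { $sidNode.InnerText } else { '' }
        }
    }
}
"SeMachineAccountPrivilege in '$gpoName':"
$holders | Format-Table Name, SID -AutoSize

# Authenticated Users is S-1-5-11 in every locale; its display name is not.
$holderSids = $holders | ForEach-Object { $_.SID }
if ($quota -gt 0 -and ($holderSids -contains 'S-1-5-11')) {
    Write-Warning "Any authenticated user can join up to $quota computers to $($domain.DNSRoot)."
}

# Remediation A (what the thread converges on): a quota of 0 leaves the right with nothing
# to spend. Drop -WhatIf to apply.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf

# Remediation B has no GroupPolicy cmdlet: in the Default Domain Controllers Policy open
# Computer Configuration > Windows Settings > Security Settings > Local Policies >
# User Rights Assignment > "Add workstations to domain" and replace Authenticated Users
# with the group that should be joining machines (the path post #5 gives).
```

The quota only governs joins made by exercising the user right; an account that has been delegated Create Computer Objects on an OU is not counted against it, so setting the quota to 0 leaves normal delegation intact and closes only the path the quoted passage describes.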

#6 dhicks
    Quote Originally Posted by plexer:
    By default, authenticated users are assigned the Add workstations to domain user right on the Group Policy object on domain controllers.
    Wait, what? You mean that, by default, standard network users can add machines to a domain?

    --
    David Hicks

#7 SC-UK
    Quote Originally Posted by dhicks:
    Wait, what? You mean that, by default, standard network users can add machines to a domain?

    --
    David Hicks
    Yup!

#8 dhicks
    Quote Originally Posted by SC-UK:
    Yup!
    !???!! #@**@#!!!

    --
    David Hicks

#9 SC-UK
    Couldn't have put it better myself!

#10 Gatt
    Prevent users from adding computer to domain in Server 2003 - Active Directory

    This seems to suggest a few options - should work on Server 2008 as well as 2003...

#11 plexer
    Indeed by default any user can add 10 machines.

    Ben

#12 maniac
    I thought this was a well-known security issue in Server 2003. I've always known about it, and restrict my network by specifying the groups that are allowed to add machines to the domain in the Default Domain Controllers Policy.

#13
    I've now since disabled all users apart from Administrators from adding computers to the domain.
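Another added example (again mine, not the thread's): before or after locking the right down as posts #11 to #13 describe, list the computer accounts that were created under the quota. Active Directory writes mS-DS-CreatorSID on a computer object only when the creator was charged against ms-DS-MachineAccountQuota (accounts pre-created by someone with explicit Create Child permission do not get it), so its presence picks out exactly the joins this thread is about. It assumes the ActiveDirectory RSAT module and changes nothing in the directory.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory RSAT module. Read-only.
Import-Module ActiveDirectory

function ConvertTo-Sid {
    param($Value)
    # The AD module normally returns a SecurityIdentifier for this attribute; cope with raw bytes too.
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    New-Object System.Security.Principal.SecurityIdentifier($Value, 0)
}

function Resolve-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # A deleted or foreign-domain creator cannot be translated; keep the raw SID in that case.
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

$domainDN = (Get-ADDomain).DistinguishedName
$quota    = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# mS-DS-CreatorSID is only written when the join was charged against the quota,
# i.e. the creator had no explicit Create Child permission on the container.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated

$byCreator = $joined | ForEach-Object {
        New-Object PSObject -Property @{
            Computer = $_.Name
            Created  = $_.whenCreated
            Creator  = Resolve-Sid (ConvertTo-Sid $_.'mS-DS-CreatorSID')
        }
    } | Group-Object Creator | Sort-Object Count -Descending

# The DC enforces the quota by counting the live computer objects that carry a user's SID,
# so a creator at or above the quota has used up their joins (deleting one frees a slot).
foreach ($g in $byCreator) {
    $flag = if ($quota -and $g.Count -ge $quota) { '  <- quota used up' } else { '' }
    '{0,-45} {1,3} computer(s){2}' -f $g.Name, $g.Count, $flag
    $g.Group | Sort-Object Created | ForEach-Object {
        '    {0:yyyy-MM-dd}  {1}' -f $_.Created, $_.Computer
    }
}
```

Lowering the quota or removing the right does not touch accounts that already exist, so this list is the population to review (and, where a student joined a personal laptop, to disable or delete) after the policy change.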

#14 cookie_monster
    Quote Originally Posted by dhicks:
    Wait, what? You mean that, by default, standard network users can add machines to a domain?

    --
    David Hicks

    Yep, I remember reading an interview with an MS employee who worked on the AD design team. They just decided on a number out of the blue; he had a reason for it that I can't remember now, but I remember laughing at it.
    Surely it would be 0 by default with an option to enable it. BUT it's not a security flaw, it was a 'thought out' design decision.

#15 maniac
    Quote Originally Posted by cookie_monster:
    BUT it's not a security flaw it was a 'thought' out design decision.
    OK, it's a design flaw then. Whichever way you look at it, it's a little bit daft.
