
How to prevent users from adding a machine to the domain - Active Directory

Interestingly enough, by default Microsoft's Active Directory lets every member of Authenticated Users join up to 10 computers to the domain. The limit is held in the ms-DS-MachineAccountQuota attribute on the domain object, and it ships set to 10. Why 10? Who knows. Personally, I do not want my users to be able to add machines to the domain, so the steps below turn this off.

  1. Logon to one of your domain controllers or a machine with ADSI Edit
  2. Open up ADSI Edit
    1. Start->Administrative Tools->ADSI Edit
  3. If you are logged on to one of your DCs, you can leave Name, Connection Point, and Computer at their defaults; otherwise enter the details needed to connect to your DC and click OK.
    1. Image: ADSI Edit - Connection Settings (default settings to connect)
  4. Expand the naming context that was added, right-click DC=[domain],DC=[TLD] and click Properties.
    1. ADSI Edit - Properties
  5. Scroll down to ms-DS-MachineAccountQuota and click Edit
    1. ADSI Edit - ms-DS-MachineAccountQuota
  6. Change the Value from 10 to 0 and click OK
    1. ADSI Edit - Integer Attribute Editor
  7. Click OK on the DC=[domain],DC=[TLD] dialog box

At this point the default grant is gone: an ordinary domain user can no longer join a machine. Members of Domain Admins or Enterprise Admins can still add machines, as can any account or group that has been explicitly delegated the Create Computer Objects permission on the Computers container or an OU, because that permission is checked independently of the quota. Two caveats: the change is not retroactive, so computer accounts that users already created under the old quota (and still hold rights over as the creator) should be reviewed separately, and the quota is worth turning off for more than tidiness, since a domain user who can create a computer account they control has a common building block for Active Directory privilege-escalation chains.
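The same change from PowerShell, with a verification step and an audit of the computer accounts that were created under the old quota. This is an added example, not a script from the original post; it assumes the RSAT ActiveDirectory module is installed, that you run it as a Domain Admin against your own domain, and the function name Get-MachineAccountQuota is the example's own.

```powershell
# Added example (not from the original post): read, harden and verify
# ms-DS-MachineAccountQuota with the ActiveDirectory module, then list the
# computer accounts that were created by non-admins under the old quota.
# Assumptions: RSAT ActiveDirectory module present, session runs as a
# Domain Admin, target is the current user's domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

function Get-MachineAccountQuota {
    param([string]$DomainDN)
    # The quota lives on the domain naming context object (DC=...,DC=...),
    # the same object edited through ADSI Edit in steps 4-7 above.
    (Get-ADObject -Identity $DomainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

Write-Host "Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota $dn)"

# Equivalent of changing the value from 10 to 0 in ADSI Edit.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Read it back from the DC we wrote to; other DCs pick it up via replication.
$after = Get-MachineAccountQuota $dn
if ($after -ne 0) { throw "Quota is still $after; the write did not take effect" }
Write-Host "ms-DS-MachineAccountQuota is now 0"

# Audit: a computer object created by a non-admin under the quota records the
# creator's SID in mS-DS-CreatorSID (admin-created objects leave it empty).
# The creator keeps rights over that object, so these are the ones to review.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', 'whenCreated' |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The attribute is returned as a byte array; build a SID object from it.
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            New-Object System.Security.Principal.SecurityIdentifier([string]$raw)
        }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account may have been deleted
        [pscustomobject]@{
            Computer  = $_.Name
            Created   = $_.whenCreated
            CreatedBy = $creator
        }
    } | Sort-Object Created | Format-Table -AutoSize
```

Run the audit part on its own first if you only want to see who has been joining machines; the Set-ADDomain line is the only write. Any computer in the output whose CreatedBy is a regular user (not a service or admin account) is a candidate for re-owning or removal, since setting the quota to 0 does nothing to those existing objects.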