Interestingly enough, by default Microsoft’s Active Directory lets every member of Authenticated Users join up to 10 machines to the domain; the limit is stored in the domain attribute ms-DS-MachineAccountQuota. Why 10? Who knows. Personally, I do not want my users to be able to add machines to the domain, so the steps below set that quota to 0 and prevent these actions.
- Log on to one of your domain controllers or a machine with ADSI Edit installed
- Open ADSI Edit
  - Start->Administrative Tools->ADSI Edit
- If you are logged on to one of your DCs, you can leave Name, Connection Point, and Computer at their defaults; otherwise enter the proper information to connect to your DC and click OK.
- Expand the naming context that was added, right click on DC=[domain],DC=[TLD] and click Properties.
- Scroll down to ms-DS-MachineAccountQuota and click Edit
- Change the Value from 10 to 0 and click OK
- Click OK on the DC=[domain],DC=[TLD] dialog box
At this point, only users in the Domain Admins or Enterprise Admins groups will be able to add machines to the domain.
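The same change scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post: it reads the current quota, sets it to 0, verifies the result, and then lists computer objects that were joined by ordinary users under the old quota (those carry ms-DS-CreatorSID; objects created by accounts holding explicit create-child rights do not). It assumes you run it as a Domain Admin from a machine with RSAT installed.

```powershell
# Added example, not code from the original post. Assumes the
# ActiveDirectory module (RSAT) is available and the caller is a Domain Admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$attr     = 'ms-DS-MachineAccountQuota'

function Get-MachineAccountQuota {
    # The quota lives on the domain naming context object itself.
    (Get-ADObject -Identity $domainDN -Properties $attr).$attr
}

Write-Host "Current $attr on ${domainDN}: $(Get-MachineAccountQuota)"

# Set the quota to 0 so Authenticated Users can no longer create computer
# objects simply by joining machines. -Replace overwrites the existing value.
Set-ADDomain -Identity $domainDN -Replace @{ $attr = 0 }

# Verify the change actually took effect before trusting it.
$quota = Get-MachineAccountQuota
if ($quota -ne 0) {
    throw "Expected $attr to be 0 but found $quota"
}
Write-Host "$attr is now $quota"

# Review what was joined under the old quota: computer objects created by a
# user without create-child rights get their SID recorded in ms-DS-CreatorSID.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' |
    ForEach-Object {
        $creator = try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { 'unresolved SID' }
        [PSCustomObject]@{ Computer = $_.Name; JoinedBy = $creator }
    } | Format-Table -AutoSize
```

Lowering the quota does not remove computer objects that already exist, so the final listing is the set of machines worth reviewing after the change.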