Default Computer OU permissions

Active Directory


  #1  
Old 10-11-2009
Glen
 
Posts: n/a
Default Computer OU permissions

I've been struggling with this for awhile so I'll ask for help.

Currently, the Computer OU is the default container where new computer
accounts are added. The problem is, I end up with all sorts of accounts
there and they are never moved to the right OU.

I would like to require that the computer account be created first, or at
least restrict access to the default Computers OU so new accounts can not be
created by non-domain admins.

I don't see any security settings in the ACL that should allow accounts
to be created by non-admins but it still seems to be happening. The only
account that I think might be allowing this to happen is the System Account
which has Full Control but I'm leery to change the settings on that.

My goal is that if a new computer is added to the domain by a non-admin,
they would be restricted from adding the account and would have to contact
their administrator to manually make the account ahead of time.

Any help would be appreciated.

Thanks.
  #2  
Old 11-11-2009
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Default Computer OU permissions

Hello Glen,

By default each domain user is able to add up to 10 computers to the domain,
check all your policies, start with Default domain controllers GPO.

Under Computer configuration, windows settings, security settings, local
policies, user rights assignment, in the right pane check "Add workstations
to the domain". By default authenticated users are listed there.

See also:
http://support.microsoft.com/kb/243327/en-us

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I've been struggling with this for awhile so I'll ask for help.
>
> Currently, the Computer OU is the default container where new computer
> accounts are added. The problem is, I end up with all sorts of
> accounts there and they are never moved to the right OU.
>
> I would like to require that the computer account be created first, or
> at least restrict access to the default Computers OU so new accounts
> can not be created by non-domain admins.
>
> I don't see any security settings in the ACL that should allow
> accounts to be created by non-admins but it still seems to be
> happening. The only account that I think might be allowing this to
> happen is the System Account which has Full Control but I'm leery to
> change the settings on that.
>
> My goal is that if a new computer is added to the domain by a
> non-admin, they would be restricted from adding the account and would
> have to contact their administrator to manually make the account ahead
> of time.
>
> Any help would be appreciated.
>
> Thanks.
>



  #3  
Old 11-11-2009
Florian Frommherz [MVP]
 
Posts: n/a
Re: Default Computer OU permissions

Howdie!

Glen wrote:
> Currently, the Computer OU is the default container where new computer
> accounts are added. The problem is, I end up with all sorts of accounts
> there and they are never moved to the right OU.
>
> I would like to require that the computer account be created first, or at
> least restrict access to the default Computers OU so new accounts can not be
> created by non-domain admins.
>
> I don't see any security settings in the ACL that should allow accounts
> to be created by non-admins but it still seems to be happening. The only
> account that I think might be allowing this to happen is the System Account
> which has Full Control but I'm leery to change the settings on that.


Yeah - what you noticed is correct. Users are allowed to join up to 10
machines to the domain (by default). They don't need to have admin privs
to do that. Meinolf already provided you with a link on how you can
disable that - or change the default number of machines they can add.
When setting the number to 0, I would also make sure a certain group of
people (let them be the Helpdesk, any 2nd level support folks..) have
the ability to create machine accounts other than you. You certainly
don't want to run and rush to join machines to the domain..

Another approach that I've seen pretty often is using redircmp (and
redirusr). That lets you specify another default location - possibly an
OU, other than the "Computers" container that is built-in. Like that,
you could create a standard Group Policy newly joined machines apply.
I've seen folks link Software Installation policies or prep-scripts to
such an OU.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.
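
An audit of the settings discussed in this thread, as an added example that is not part of any poster's reply. It assumes the RSAT ActiveDirectory PowerShell module; the attributes `ms-DS-MachineAccountQuota` (the per-user limit of 10) and `mS-DS-CreatorSID` are not named in the thread, and the OU in the commented-out `redircmp` line is a placeholder.

```powershell
# Added example: report who can create computer accounts and where they land.
# Read-only; the two changes at the end are commented out on purpose.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$container = $domain.ComputersContainer   # reflects any earlier redircmp change

# 1. Per-user quota behind "users may join up to 10 machines".
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Default computer container : $container"
"ms-DS-MachineAccountQuota  : $quota"

# 2. Explicit ACL grants that allow creating computer objects in the container.
#    The user-right path from step 1 does NOT show up here, which is why the
#    ACL alone looks clean while accounts still appear.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of "computer"
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path "AD:\$container").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 3. Accounts sitting in the default container and who created them.
#    mS-DS-CreatorSID is only stamped when the account was created through
#    the "Add workstations to the domain" user right (the quota path).
Get-ADComputer -Filter * -SearchBase $container -SearchScope OneLevel `
        -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        $creator = if ($sid) {
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # creator account deleted: show the raw SID
        } else { '(created via delegated or admin permissions)' }
        [pscustomobject]@{ Name = $_.Name; Created = $_.whenCreated; Creator = $creator }
    } |
    Sort-Object Created | Format-Table -AutoSize

# 4. The two changes suggested in the replies (test in a lab first):
# Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
# redircmp "OU=Staging,DC=example,DC=com"   # placeholder OU, must already exist
```

With the quota at 0, only principals that hold an explicit create-computer permission on the target OU (step 2, or a delegation to a helpdesk group) can still join machines.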