SID-500


Securing Active Directory: Who can add computers to the domain? Only the domain admin?

“Only Domain Administrators can add computers to the domain.” I can’t count how often I have heard these words. But when a new domain is installed, a quota is configured that allows every domain user to add up to 10 computers to the domain. This is the default setting. The setting can be changed and must be considered in the IT security concept.

The ms-DS-MachineAccountQuota

The setting can be found in dsa.msc (enable Advanced Features!). Open dsa.msc (Active Directory Users and Computers). If not already enabled, enable Advanced Features in the View menu. Next, open the properties of your domain (right-click), click the Attribute Editor tab and navigate to the attribute ms-DS-MachineAccountQuota. Are you surprised? Every user (member of Domain Users) can add up to 10 computers.


Or run a simple one-liner in PowerShell. Don’t worry about the domain name: we take it from Get-ADDomain.

Get-ADObject ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota


Who added client01 to the domain?

Petra is a domain user and added client01 to the domain. We can see this by running a simple one-liner. OK, I have to admit it’s a three-liner. We examine the mS-DS-CreatorSID attribute of the computer account, which holds the SID of the account that created the computer object.

Get-ADComputer client01 -Properties mS-DS-CreatorSID | Select-Object -ExpandProperty mS-DS-CreatorSID | Select-Object -ExpandProperty Value | ForEach-Object {Get-ADUser -Filter {SID -eq $_}}
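The one-liner above answers the question for a single computer. Before lowering the quota it is useful to know how many machines were joined this way across the whole domain and by whom. The following script is an added example and not code from the original article; it assumes the ActiveDirectory module is available, that the caller can read the domain, and that mS-DS-CreatorSID is only populated for computer accounts created through the quota (accounts created by administrators or by delegated rights leave it empty). Function and parameter names are my own.

```powershell
# Added example (not from the original article): audit which computer accounts
# were joined through ms-DS-MachineAccountQuota and which account created them.
# Assumptions: ActiveDirectory module present; mS-DS-CreatorSID is set only for
# quota-based joins; the PDC emulator is reachable for a consistent view.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    (Get-ADObject $domainDn -Properties 'ms-DS-MachineAccountQuota' -Server $Server).'ms-DS-MachineAccountQuota'
}

function Get-QuotaJoinedComputer {
    [CmdletBinding()]
    param(
        # Query one DC for all reads so the result is not mixed across replicas
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    Write-Verbose "Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota -Server $Server)"

    # Presence filter: only computers whose creator SID was recorded
    $computers = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
        -Properties mS-DS-CreatorSID, whenCreated -Server $Server

    foreach ($c in $computers) {
        # mS-DS-CreatorSID is returned as a SecurityIdentifier; .Value is the S-1-5-... string
        $sidValue = $c.'mS-DS-CreatorSID'.Value
        $creatorName = $null
        try {
            # objectSid covers users and any other principal type that may have created the object
            $creator = Get-ADObject -Filter "objectSid -eq '$sidValue'" -Server $Server
            if ($creator) { $creatorName = $creator.Name }
        } catch { $creatorName = $null }

        if (-not $creatorName) {
            # The creating account may have been deleted since the join; keep the raw SID
            $creatorName = "<unresolved: $sidValue>"
        }

        [pscustomobject]@{
            Computer   = $c.Name
            Created    = $c.whenCreated
            CreatorSid = $sidValue
            Creator    = $creatorName
        }
    }
}

# Group per creator so accounts that used a large share of their quota stand out
Get-QuotaJoinedComputer -Verbose |
    Group-Object Creator | Sort-Object Count -Descending |
    Select-Object @{n = 'Creator'; e = { $_.Name }}, Count,
                  @{n = 'Computers'; e = { ($_.Group.Computer) -join ', ' }}
```

An unresolved SID in the output means the creating account no longer exists; such computer accounts deserve a second look, because the person who joined them is gone while the machine account remains. Setting the quota to 0 afterwards does not remove accounts that were already created.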


Changing the default value

A value of 0 means that domain users are not allowed to add computer accounts.

Open the properties of the domain and double-click ms-DS-MachineAccountQuota. Modify the value: the number is how many computers you want each user to be able to add to the domain. I recommend changing it to 0.


Or use PowerShell. Again: don’t worry about the domain name, it is filled in automatically from Get-ADDomain.

Set-ADDomain (Get-ADDomain).distinguishedname -Replace @{"ms-ds-MachineAccountQuota"="0"}
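The one-liner above does the job, but in a change window you usually want to preview the change, see the old and new value side by side, and read the value back from the same domain controller you wrote to, so that a not-yet-replicated DC does not report the old number. The function below is an added example (not the article's own code); it assumes the ActiveDirectory module and rights to modify the domain object, and its name and parameters are my own.

```powershell
# Added example (not from the original article): change ms-DS-MachineAccountQuota
# on the PDC emulator, read it back from the same DC and report before/after.
# Assumptions: ActiveDirectory module present; caller may write the domain object.
Import-Module ActiveDirectory

function Set-MachineAccountQuota {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 0 = domain users may not create computer accounts at all
        [Parameter(Mandatory)]
        [ValidateRange(0, [int]::MaxValue)]
        [int]$Quota,

        # Write and verify against the PDC emulator so the read-back is not
        # answered by a DC that has not received the change yet
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    $domain = Get-ADDomain -Server $Server
    $dn     = $domain.DistinguishedName
    $before = (Get-ADObject $dn -Properties 'ms-DS-MachineAccountQuota' -Server $Server).'ms-DS-MachineAccountQuota'

    # -WhatIf / -Confirm are honoured here
    if ($PSCmdlet.ShouldProcess($domain.DNSRoot, "Set ms-DS-MachineAccountQuota from '$before' to $Quota")) {
        Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota } -Server $Server
    }

    $after = (Get-ADObject $dn -Properties 'ms-DS-MachineAccountQuota' -Server $Server).'ms-DS-MachineAccountQuota'

    [pscustomobject]@{
        Domain = $domain.DNSRoot
        Server = $Server
        Before = $before
        After  = $after
    }
}

# Preview first, then apply
Set-MachineAccountQuota -Quota 0 -WhatIf
Set-MachineAccountQuota -Quota 0
```

The change takes effect for new join attempts only; computer accounts that users created while the quota was 10 stay in the directory and should be reviewed separately.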


The impact

The user is informed that the maximum number has been reached. The following error occurred attempting to join the computer to the domain:


See also

For how to add computers to the domain, see my article Active Directory: How to join a Computer to the Domain using GUI or PowerShell (Step-by-Step).


5 Comments

  1. […] Note: By default, every Domain User is allowed to join up to 10 computers to the domain. For changing this standard setting see my article Securing Active Directory: Who can add computers to the domain? Only the domain admin. Are you sure? […]


  2. […] Securing Active Directory: Who can add computers to the domain? Only the domain admin. Are you sure? […]


  3. […] Securing Active Directory: Who can add computers to the domain? Only the domain admin? […]


  4. Are you always so open (closed, aggressive, optimistic, fast)?


WHOIS

My name is Patrick Grünauer (pewa2303). I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!

Patrick Gruenauer