Re: joining a computer to a domain
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/08/04
- Next message: Navin Mishra: "CredUIPromptForCredentials:help!"
- Previous message: Steven L Umbach: "Re: joining a computer to a domain"
- In reply to: Miha Pihler: "Re: joining a computer to a domain"
- Next in thread: Miha Pihler: "Re: joining a computer to a domain"
- Reply: Miha Pihler: "Re: joining a computer to a domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 8 Oct 2004 14:34:50 -0500
Hi Mike.
Just to add that it could be a security breach if ipsec negotiation policies
are in effect to prevent non domain computers from communicating with domain
computers that have a require ipsec policy. If a user could join an
unauthorized computer to the domain then that computer may then end up being
able to engage in ipsec communications, which could be a problem if the
unauthorized computer was compromised. It could also be issued a computer
certificate if autoenroll is enabled at the domain level, which could allow
an unauthorized computer to have l2tp VPN access. --- Steve
"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:%23llD%235VrEHA.452@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> Here is some additional information to what others have already posted.
>
> By giving users a domain account you express your trust in them. If users
> can add their computer to the domain, this doesn't give them any more
> permissions than they had before, it just makes their work easier.
>
> In Windows 2003 (and I think there are some workarounds on Windows 2000)
> you can redirect where computer and user accounts are created when they are
> added to the domain. E.g. instead of the Computers container or Users
> container, these accounts are created in e.g. a New Computers OU. Since the
> new objects are now created in an OU, you can immediately apply group policy
> to it (e.g. SUS GP, internet access limitations, AV installation, etc, etc,
> etc, ...). So you can really lock down any PC that is added to the domain...
>
> Mike
>
> "Sandra L Miller" <slm@cs.arizona.edu> wrote in message
> news:%23gzA0OVrEHA.3896@TK2MSFTNGP15.phx.gbl...
>> We have just discovered that students have the ability to add their
>> personal machines to the department domain. All they need is an
>> administrative account on their own machine and a valid account in
>> the domain. Student accounts in our domain are not administrative.
>> I had always been under the impression that a domain administrator
>> account was required to join the domain. Maybe this has changed
>> some time since we were running NT with NT servers (we now have XP
>> with 2003 servers).
>>
>> Anyway, my question is how can we prevent this? I couldn't find
>> anything in Group Policy. There must be a setting somewhere that
>> we can set to allow only domain administrators to join a computer
>> to the domain. Can anybody tell me how?
>>
>> Thank you,
>> Sandy
>>
>> --
>> Sandra L Miller
>> Windows System Administrator
>> Department of Computer Science
>> University of Arizona
>>
>> "The opinions or statements expressed herein are my own and should not be
>> taken as a position, opinion, or endorsement of the University of
>> Arizona."
>
>
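An added audit script (not part of this thread or of any poster's setup) that checks the two points raised above from a defender's side: whether new computer accounts still land in the default Computers container, where no OU-linked group policy reaches them, and which accounts in that container were joined by ordinary domain users rather than administrators. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined machine with read access to the directory; the attribute names used (ComputersContainer, ms-DS-MachineAccountQuota, mS-DS-CreatorSID) are real Active Directory properties.

```powershell
# Added example, not from the newsgroup thread. Run from a domain-joined
# machine with the ActiveDirectory (RSAT) module installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Where do newly joined computers land? If this is still CN=Computers,
#    nothing OU-specific (SUS, AV install, internet limits) applies to them.
$container = $domain.ComputersContainer
Write-Host "New computer accounts are created in: $container"

# 2. The domain-level quota that lets a non-admin user join machines.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota: $quota  (0 disables user-initiated joins)"

# 3. Enumerate accounts in that container with the SID of whoever created them.
#    mS-DS-CreatorSID is only populated when a non-administrative user joined
#    the machine under the quota, so a non-empty value is the interesting case.
$computers = Get-ADComputer -SearchBase $container -SearchScope OneLevel `
    -Filter * -Properties 'mS-DS-CreatorSID', whenCreated, operatingSystem

foreach ($c in $computers) {
    $joinedBy = '(joined by an account with create-computer rights)'
    $raw = $c.'mS-DS-CreatorSID'
    if ($raw) {
        # The attribute is stored as a binary SID; translate it to DOMAIN\user.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        try   { $joinedBy = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $joinedBy = $sid.Value }   # creator account deleted or foreign
    }
    [pscustomobject]@{
        Name     = $c.Name
        Created  = $c.whenCreated
        OS       = $c.operatingSystem
        JoinedBy = $joinedBy
    }
}
```

Computers whose JoinedBy column names a student or other ordinary user account are the ones Sandy describes; moving them to a locked-down OU (or removing them) and redirecting the default container are the follow-ups the thread suggests.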