Re: security hole? any user can add a computer to the domain??

From: matd (mat_dewolfe@shi.com)
Date: 07/03/02


From: mat_dewolfe@shi.com (matd)
Date: 3 Jul 2002 09:45:57 -0700


..according to Technet, only domain administrators have the right by
default to add new computers to the domain.
Normally, users can't add computers, they will get a denial because
they have insufficient rights. But, when they name the workgroup the
same name as our domain, it somehow sidesteps security, and allows
them to join the domain.

Our domain is an NT domain..not 2000.

"Michael Howard [MS]" <mikehow@online.microsoft.com> wrote in message news:<O1miDEhICHA.1476@tkmsftngp11>...
> this is the default in win2000 domains - you should tweak the domain policy
> to tighten this up if you require.
>
> --
> Cheers, MH
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Writing Secure Code - http://www.microsoft.com/MSPress/books/5612.asp
>
> "mat" <MAT_DEWOLFE@SHI.COM> wrote in message
> news:1239101c2220b$45169e10$9ee62ecf@tkmsftngxa05...
> > We've been having a problem where any user can add their
> > computer to our domain without rights to do so.
> > This can be accomplished by first renaming the workgroup
> > to our domain name but keeping it a workgroup. Then, they
> > reboot and when they change the name of their computer and
> > try to add it to the domain, they can without a problem.
> > This works every time with every user. Can't seem to find a
> > fix for it..anyone have any ideas?
> >
> > thanks in advance.


