Restricting the Ability of Users to Create Computers
When a computer account is prestaged, the permissions on the account determine who is
allowed to join that computer to the domain. When an account is not prestaged, Windows
will, by default, allow any authenticated user to create a computer object in the default computer
container. In fact, Windows will allow any authenticated user to create up to ten computer
objects in the default computer container. The creator of a computer object, by default,
has permission to join that computer to the domain. It is through this mechanism that any
authenticated user can join ten computers to the domain without any explicit permissions to
do so.
The ten-computer quota is configured by the ms-DS-MachineAccountQuota attribute of the
domain. It allows any authenticated user to join a computer to the domain, no questions
asked. This is problematic from a security perspective because computers are security principals,
and the creator of a security principal has permission to manage that computer’s properties.
In a way, the quota is like allowing any domain user to create ten user accounts, without
any controls.
It is highly recommended that you close this loophole so that nonadministrative users cannot
join computers to the domain. To change the ms-DS-MachineAccountQuota attribute, follow
these steps:
1. Open ADSI Edit from the Administrative Tools folder.
2. Right-click ADSI Edit and choose Connect To.
3. In the Connection Point section, choose Select A Well Known Naming Context and,
from the drop-down list, choose Default Naming Context.
4. Click OK.
5. Expand Default Naming Context.
6. Right-click the dc=contoso,dc=com domain folder, for example, and choose Properties.
7. Select ms-DS-MachineAccountQuota and click Edit.
8. Type 0.
9. Click OK.
The Authenticated Users group also is assigned the user right to add workstations to the
domain, but you do not have to modify this right if you have changed the default value of the
ms-DS-MachineAccountQuota attribute.
After you have changed the ms-DS-MachineAccountQuota attribute to zero, you can be assured
that the only users who can join computers to the domain are those who have been specifically
delegated permission to join prestaged computer objects or to create new computer objects.
_________________________________________________
Quick Check
■ What two things determine whether you can join a computer account to the
domain?
Quick Check Answer
■ To join a computer to a prestaged account, you must be given permission on the
account to join it to the domain. If the account is not prestaged, the ms-DSMachineAccountQuota
attribute will determine the number of computers you can
join to the domain in the default computer container without explicit permission.
_________________________________________________
After you’ve eliminated this loophole, you must make sure you have given appropriate administrators
explicit permission to create computer objects in the correct OUs,
رد مع اقتباس
المفضلات