Prevent users from joining a domain

Hi, all.

In this article, you are going to learn how to prevent your users from joining computers to your domain on their own.

We are going to block it, but first it is important to know that, by default, every member of Authenticated Users (that is, every domain user) can join up to 10 computers to the domain with their own credentials, without any delegated permission. That also means a single compromised low-privilege account can create up to 10 computer accounts in your directory, which is why this default matters for more than just tidiness.

Not many people know that.

I am pretty confident that after some of you read this article you will apply this policy on your environment.

We perform these steps through ADSI Edit. We need to change a specific attribute on the domain object called “ms-DS-MachineAccountQuota”; its default value is 10. Note that this quota only governs joins by users who have no explicit permission: accounts that are delegated the right to create computer objects in an OU (or members of Domain Admins) are not limited by it, so setting it to 0 does not stop your delegated join accounts or helpdesk from working.

How can we change it?

Log on to a domain controller with an account that is a member of Domain Admins
Open ADSI Edit
Connect to the Default naming context


Expand “Default naming context”, right-click the domain object (DC=…) and choose Properties:


Find the “ms-DS-MachineAccountQuota” attribute and double-click it:


Change the value to 0:

The last thing you have to do is replicate the change to the other domain controllers now (for example with repadmin /syncall, or from Active Directory Sites and Services), or just wait for the next scheduled replication. Until the change has replicated, a user could still join a machine against a DC that has not yet received it.
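The same procedure as a PowerShell script, added here as an example and not code from the original post. It assumes the RSAT ActiveDirectory module is installed and that you run it as a member of Domain Admins (or an account allowed to modify the domain head object). Run it without parameters to audit only: it reads the current quota and lists the computer accounts that were created through the quota (these carry the creator’s SID in the ms-DS-CreatorSID attribute, which is not populated when an admin or a delegated account creates the object). Run it with -Apply to set the quota to 0, verify, and push replication with repadmin.

```powershell
<#
  Added example, not code from the original post. Audits and hardens
  ms-DS-MachineAccountQuota. Assumes the RSAT ActiveDirectory module and an
  account with rights to modify the domain head object (e.g. Domain Admins).
  Run without -Apply to audit only; with -Apply to set the quota to 0.
#>
param(
    [switch]$Apply
)

Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$attr     = 'ms-DS-MachineAccountQuota'

# 1. Read the current quota on the domain head object (default is 10).
$head    = Get-ADObject -Identity $domainDN -Properties $attr
$current = $head.$attr
Write-Host "$attr on $domainDN is currently: $current"

# 2. List computer accounts joined through the quota. A computer created by a
#    user with no delegated Create Child right carries that user's SID in
#    ms-DS-CreatorSID; objects created by admins/delegated accounts do not.
$quotaJoined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
    -Properties 'ms-DS-CreatorSID', whenCreated |
  ForEach-Object {
    $sid = [System.Security.Principal.SecurityIdentifier]::new($_.'ms-DS-CreatorSID', 0)
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $sid.Value }   # creator deleted, or from another domain
    [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
  }
Write-Host "Computers created via the quota: $($quotaJoined.Count)"
$quotaJoined | Sort-Object Creator | Format-Table -AutoSize

# Per-creator counts: a user at 10 has used up the whole default quota.
$quotaJoined | Group-Object Creator | Sort-Object Count -Descending |
  Select-Object Count, Name | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host "Audit only. Re-run with -Apply to set $attr to 0."
    return
}

# 3. Set the quota to 0; this is the same edit as changing the value in ADSI Edit.
Set-ADObject -Identity $domainDN -Replace @{ $attr = 0 }

# 4. Verify on the DC we are talking to, then push the change to every DC
#    (/A all partitions, /d report DCs by DN, /e include other sites, /P push).
$after = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
if ($after -ne 0) { throw "Expected $attr = 0 but read $after" }
Write-Host "$attr is now $after; forcing replication..."
repadmin /syncall /AdeP
```

The audit step is worth running before you flip the value: if the list of quota-joined computers contains machines created by ordinary user accounts you do not recognise, that is something to look into, and any legitimate process that relied on the quota (people joining their own PCs) will need an OU with delegated “Create Computer objects” permission, or a dedicated join account, once the quota is 0.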