Active Directory rights delegation – part 1
In my previous article we discussed methods of Active Directory rights delegation. This time you will see how to change and restrict which users can add workstations to the domain.
By default in an Active Directory environment, each “Authenticated User” can add up to 10 workstations to the domain. After reaching the limit, the user is unable to add new workstations. However, 10 workstations is a really big number and it leads to a security issue. Domain Administrators should take care of that and disallow this activity for regular domain users.
Note! An “Authenticated User” is any user who has successfully logged on to the domain.
Note 2! By default only “Domain Admins” are able to add an unlimited number of workstations to the domain.
To change that behavior you need to modify one setting within the “Default Domain Controller” policy. This setting is called “Add workstations to domain” and it is available under
“Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment”
and, as you can see, its default value is “Authenticated Users”.
You should consider changing this setting to secure your environment. You could simply remove the “Authenticated Users” group there and put in “Domain Admins” only. But in the Active Directory rights delegation concept, it is better to do it a slightly different way.
I would prefer creating a domain local group which is assigned in the policy, and then each global group privileged for that action is nested within it. In Active Directory Users and Computers, create an empty domain local security group named “dlg-join-computers-to-domain” and replace the “Authenticated Users” group in the “Default Domain Controller” policy with the new one.
Now, open the Group Policy Management Console and edit the “Default Domain Controller” policy.
Navigate to the node “Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment” and edit the “Add workstations to domain” setting by double-clicking on it.
Select the existing group in the window and click the “Remove” button.
Add the newly created domain local security group there to allow adding workstations to the domain.
Apply the changes and you have disallowed “Authenticated Users” from adding workstations to your domain.
Now you can see that in the “Default Domain Controller” policy the setting has changed.
That would be enough except for one small thing. The group is empty, it has no members 🙂 So, at least place the “Domain Admins” group in it to allow domain administrators to add workstations to the domain.
At this point, you can consider one more thing. Following the rights delegation concept, you may wish to give other users the possibility of joining computers to the domain as well. Now it is a really easy task. You only need to add another allowed group into the domain local security group “dlg-join-computers-to-domain”. First of all, in the Active Directory Users and Computers console create a new global security group called “gg-join-computers-to-domain” and make it a member of the “dlg-join-computers-to-domain” domain local group.
You need to change one more thing in AD to finalize your concept. The domain local group needs permission to create computer objects within the domain, because when you join a new workstation, its account must be created. When the configuration has not been changed, this location is the “Computers” container.
To check the details of delegating control, please read my previous article.
The last step is granting this group the appropriate right. Please follow the steps below to achieve that.
From now on, you can simply control which users are allowed to join computers to the domain. Add them directly into your global group called “gg-join-computers-to-domain” and that’s all.
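The whole model described above, carried out with PowerShell, as an added example that is not part of the original article: it creates the two groups, nests them, delegates “Create Computer objects” on the default Computers container and reports the result. It uses the RSAT ActiveDirectory module; the container the groups are created in is an assumption, and the “Add workstations to domain” user right itself is still changed in GPMC as shown above.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory module
# and Domain Admin rights. Group names follow the article; $groupPath is an assumption.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$groupPath = "CN=Users,$($domain.DistinguishedName)"   # assumption: where the groups are created
$dlgName   = 'dlg-join-computers-to-domain'            # domain local group assigned in the policy
$ggName    = 'gg-join-computers-to-domain'             # global group nested inside it
$target    = $domain.ComputersContainer                # where new computer accounts land by default

# 1. Create the groups only if they are missing, then nest the global group and Domain Admins.
foreach ($g in @(@{ Name = $dlgName; Scope = 'DomainLocal' }, @{ Name = $ggName; Scope = 'Global' })) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $groupPath
    }
}
Add-ADGroupMember -Identity $dlgName -Members $ggName, 'Domain Admins'

# 2. Resolve the schemaIDGUID of the computer class so the ACE covers computer objects only.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerCls  = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID
$computerGuid = [Guid]$computerCls.schemaIDGUID

# 3. Grant the domain local group CreateChild (computer) on the Computers container itself.
$sid = (Get-ADGroup -Identity $dlgName).SID
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl = Get-Acl -Path "AD:\$target"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$target" -AclObject $acl

# 4. Report the delegated ACE, the group membership and the per-user quota behind the "10 workstations" limit.
Get-Acl -Path "AD:\$target" | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$dlgName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType -AutoSize
Write-Host "Members of ${dlgName}: $((Get-ADGroupMember -Identity $dlgName).Name -join ', ')"
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota is $quota (default 10); many environments also set it to 0 as defense in depth."
```

Run it once from an elevated PowerShell session on a management host; re-running is safe because the group creation is skipped when the groups already exist.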
Author: Krzysztof Pytko