How to Prevent Standard Users from Joining Computers to an Active Directory Domain

  • Added 26. 08. 2024
  • Learn how to block standard users from joining workstations or servers to an Active Directory domain. In this example, I show you how to create a security group, delegate permissions to that group so that they can create computer objects within Active Directory, update the default domain controller group policy to only allow domain admins and the newly created security group to add devices to the domain, and reduce the number of devices a user account can add to the domain from 10 to 0 using ADSI Edit.
    Hi, I’m Danny, a London-based IT consultant and blogger. You can view all my blog posts at: www.dannymoran...
  • Science & Technology
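
The quota step from the description, scripted as an added PowerShell example (not code from the video or the author). It assumes the RSAT ActiveDirectory module and rights to modify the domain object; the attribute names `ms-DS-MachineAccountQuota` and `ms-DS-CreatorSID` are the standard AD schema names and do not appear on this page.

```powershell
# Added example: audit, then zero, the per-user domain-join quota.
# Run from a session with the ActiveDirectory module and domain admin rights.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports
)

Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Current quota on the domain object (10 on an unmodified domain).
$attr  = 'ms-DS-MachineAccountQuota'
$quota = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
Write-Output "Current $attr on ${domainDN}: $quota"

# 2. Computer accounts created through the quota carry the creator's SID
#    in ms-DS-CreatorSID, so this lists joins made by non-delegated users.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        $who = try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $sid.Value   # account deleted or unresolvable: keep the raw SID
        }
        [pscustomobject]@{
            Computer = $_.Name
            JoinedBy = $who
            Created  = $_.whenCreated
        }
    } |
    Sort-Object Created |
    Format-Table -AutoSize

# 3. Set the quota to 0 (the same value the description sets with ADSI Edit).
if ($Apply) {
    Set-ADDomain -Identity $domainDN -Replace @{ $attr = 0 }
    $quota = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
    Write-Output "New $attr value: $quota"
} else {
    Write-Output 'Report only. Re-run with -Apply to set the quota to 0.'
}
```

The group delegation and the "Add workstations to domain" user-right change from the description are not covered by this script and still need to be done separately.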

Comments • 22

  • @jmedoestech 10 months ago +3

    Sometimes it's the smallest/quickest of config changes (like this one) that get overlooked. This one change will harden your Active Directory and reduce the attack surface. Well done! 👏

    • @danny_moran 10 months ago

      Fully agree! Thanks for watching!

  • @curtpainter6572 10 months ago +2

    So glad I found your channel. I love the way you deliver content. So useful!!! Great work!

  • @IrlymMylros 10 months ago +3

    Well I never, thought a standard user can join a PC to a domain (Thought only domain admins can). Many thanks for this great well explained video.

    • @danny_moran 10 months ago

      Thanks for watching!

    • @samithaweeraman1882 6 months ago

      I thought the same too until one of my colleagues told me that he is joining to domain using a user's credentials just yesterday... and next thing, I was here editing our local default policy!

  • @abdeenmostafa8264 10 months ago +1

    Great as always, keep it up, Danny

  • @notta3d 10 months ago +2

    I was just searching for this last night because I found a couple of computers that were Azure AD joined instead of hybrid joined. While this won't help with Azure I do want to implement this in our on prem. Thanks for this video. Any chance you can create a video to do the same thing in Azure? I'm assuming it's pretty easy but never hurts to have a video. Thanks for this video.

    • @danny_moran 10 months ago

      I will need to take a look and see if it's possible to do with Azure joined devices. A big selling point is users being able to add the device themselves and then it automatically pulls all the policies/config/software from 'the cloud' and then the device auto configures itself.
      Thanks for watching!

    • @IrlymMylros 10 months ago +2

      You can do this in Azure AD (Entra) under Devices-->Device Settings--> Click on "Selected" option to select the group to manage enrollment. If you select ALL instead of specifying a group, then everyone can Join/Register devices in Azure.

    • @danny_moran 10 months ago +2

      Thanks for providing this information!

  • @syncj838 10 months ago +1

    Hi Danny, do you have any videos on setting up/configuring/best practices for Hyper-V server cluster for failover purposes?

    • @danny_moran 10 months ago +1

      I haven't got any guides on Hyper-V clustering or failover at the moment, unfortunately. I will add it to my list.
      Thanks for watching!

  • @abdeenmostafa8264 10 months ago +1

    Hi Danny, how are you doing? I wanted to ask you what the ideal option is when creating GPO Policies. Should we create one policy and add all the settings into it, or should we make individual policies for the different settings? Please consider that the company size is medium, with an average of 200 employees. Thanks.

    • @danny_moran 10 months ago

      Personally, I create smaller policies and have more of them rather than having fewer large policies. I find this makes their management easier.
      I try to group them into logical groups such as mapped drives, printers, security settings, personalisation settings, etc...
      Historically, I think having more group policy objects applied has caused slowdowns when logging on, however, hardware is much faster than it used to be. I have networks with hundreds of group policy objects created, and individual users or computers often have over 30 being applied and logon times are never more than a few seconds.
      Thanks for watching!

  • @thisoldminer 10 months ago +1

    What is Server Manager?

    • @danny_moran 10 months ago

      Server Manager is one of the built-in tools used for managing Windows servers. It should start automatically when you log in to a Windows server, or you can find it in the Start menu.
      Thanks for watching!

    • @thisoldminer 10 months ago +1

      @danny_moran Ok thx :)

  • @coldpizza2453 2 months ago +1