Active Directory: Secure Domain Join to Domain Admins

In this tutorial, we will address a security point on an Active Directory environment, which is the domain joining of computers.

What you need to know (some administrators don’t know this), all domain users can join a computer to a domain, they can even join up to 10 computers.

Domain administrators have no limit as well when a delegation is created.

As seen in the screenshot below, which shows the Group Policy settings: Default Domain Controller Policy, the Add workstations to domain setting is set to NT AUTHORITY\Authenticated Users.

You now know why, all users can join a computer to the domain, we will now see how to correct “this problem” in order to limit joining to the domain to users who are members of the Domain Admins group.

Policy change: Default Domain Controller Policy

1. On a domain controller, open the Group Policy Management console.

2. Go to the OU Domain Controllers 1 then right-click on the group policy object Default Domain Controller Policy 2 and click on Modify 3.

3. Go to location: Computer Configuration / Policies / Windows Settings / Security Settings / Local Policy / User Rights Assignment 1.

4. Open the Add workstations to domain 1 setting.

5. Click the Add User or Group 1 button.

6. Enter the name of the group 1, here Domain Admins and click on OK 2.

7. The group is added 1.

8. Select Authenticated Users 1 and click Remove 2.

9. Once the group has been deleted, save the parameters by clicking on the Apply button 1 and OK 2.

After Group Policy is applied on domain controllers, only members of the Domain Admins group will be able to join computers to the Active Directory domain.