
I work for a large company that has acquired multiple additional sites over the last 5 years. We've fully integrated these sites into our corporate site. The problem I'm running into now is, most of the sites have a local admin, and these admins don't always play nice with us.

So what's happening is, sometimes we have new servers added and old servers decommissioned at these sites without involving the server team. I'm looking for a way to restrict the join domain privilege based on operating system type. So I want to restrict all server domain join functions to the server team only. The site people still need to be able to add workstations to the domain.

Brum
    No OS information is sent as part of the join process. It checks name, SPN, and then domain join permissions of account holder. You could restrict them to only joining computers into a specific OU (block move perms from them) and that way you can review new adds. – spacenomyous Sep 12 '18 at 15:20

1 Answer


If you don't want these people to join servers to the domain, you probably don't want them to be domain admins.

You can give them restricted permission accounts that just have the delegated rights to join machines to the domain within an enclosed OU structure and run reports on actions taken there to 'intercept' unauthorised joins, but this really isn't a technical issue; your problem is you have people with domain admin rights who you don't trust to administer the domain, and the best answer will always be to take admin rights away from people who can't be trusted with them.

Rob Moir
  • Thanks for the answer, that's what I figured but wanted to check. – Brum Sep 12 '18 at 15:47
  • As an aside, by default Authenticated Users can join 10 machines to the domain, whether they be workstations or servers... so you may want to review that and change appropriately if needed. – joeqwerty Sep 12 '18 at 16:07
  • Yup, can modify that either way with a few methods, as per https://social.technet..com/wiki/contents/articles/5446.active-directory-how-to-prevent-authenticated-users-from-joining-workstations-to-a-domain.aspx – Rob Moir Sep 12 '18 at 16:09
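The three pieces the answer and comments describe (turning off the default Authenticated Users join quota, delegating create-computer rights inside one OU, and reviewing joins after the fact) put together as an added PowerShell example. This is not code from the Server Fault post or its authors. It assumes the RSAT ActiveDirectory module and the built-in dsacls tool on a domain-joined admin host, and uses placeholder names for the domain (corp.example), the site OU ("OU=Site Workstations") and the site admin group ("CORP\Site-Desktop-Admins"). Because no OS information is sent during the join (as the first comment notes), the review step can only classify a machine once its OperatingSystem attribute has been populated after the join; it is a detection, not a gate.

```powershell
# Added example, not from the original post. Placeholder names throughout:
# domain corp.example, OU "Site Workstations", group CORP\Site-Desktop-Admins.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$SiteOU    = "OU=Site Workstations,$($Domain.DistinguishedName)"   # placeholder OU
$SiteGroup = "CORP\Site-Desktop-Admins"                            # placeholder group

# 1. Remove the default "any authenticated user may join 10 machines" behaviour
#    (ms-DS-MachineAccountQuota, raised in the comments) so that only explicit
#    delegations allow a join.
$quota = (Get-ADObject -Identity $Domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota: $quota"
Set-ADDomain -Identity $Domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Delegate only "create child objects of class computer" inside the site OU.
#    CC = Create Child; ";computer" limits it to the computer object class;
#    /I:T applies the ACE to the OU and everything beneath it. Because the
#    group gets no create rights anywhere else, it cannot move the computer
#    objects it creates into another OU (a move needs create rights at the
#    destination), so every join it performs stays where the server team can
#    review it.
dsacls "$SiteOU" /I:T /G "${SiteGroup}:CC;computer"

# 3. Review joins after the fact. Security event 4741 ("A computer account was
#    created") is logged on the domain controller that handled the join and
#    requires "Audit Computer Account Management" to be enabled. Each new
#    account is looked up in AD so its OU and (once populated) OS can be checked.
function Get-RecentComputerJoins {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $name = $data['TargetUserName'].TrimEnd('$')
        $c = Get-ADComputer -Filter "Name -eq '$name'" `
                            -Properties OperatingSystem, whenCreated -ErrorAction SilentlyContinue
        if ($null -eq $c) { continue }   # account already deleted or not replicated yet

        [pscustomobject]@{
            Computer        = $c.Name
            OperatingSystem = $c.OperatingSystem          # empty until the machine reports in
            DN              = $c.DistinguishedName
            CreatedBy       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            When            = $e.TimeCreated
            IsServer        = ($c.OperatingSystem -like '*Server*')
            OutsideSiteOU   = -not ($c.DistinguishedName -like "*,$SiteOU")
        }
    }
}

# Flag anything a site admin joined that is server-class or landed outside the site OU.
Get-RecentComputerJoins -Hours 24 |
    Where-Object { $_.IsServer -or $_.OutsideSiteOU } |
    Format-Table -AutoSize
```

Run the delegation and quota steps once from a server-team account; schedule the review function on a domain controller (or any host with the Security log forwarded to it) and route the flagged rows to the server team. The OutsideSiteOU column catches joins performed with accounts that still hold broader rights, which is the underlying problem the answer points at.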