Is it possible to limit who on an AD domain can join computers to the domain?

Solution 1:

Go into your Domain Security Policy > Local Policy > User Rights Assignment and change the "Add workstations to domain" setting to just the groups you want.


Solution 2:

I believe what you're looking for is referenced in these two MSKB articles:

  • Default limit to number of workstations a user can join to the domain
  • Domain Users Cannot Join Workstation or Server to a Domain (where to look)

The first article gives the details on where to go in Adsiedit.msc to change the default value (Domain NC, pick the right item, Properties, view ms-DS-MachineAccountQuota, edit attribute to change the value).

I've also seen a mention that there's a Group Policy under Default Domain Controllers Policy\User Rights Assignment but I'm not at a good spot to go digging for it to verify.
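
The two controls mentioned in the answers above (the ms-DS-MachineAccountQuota attribute and the "Add workstations to domain" user right) can be audited from PowerShell before anything is changed. This is an added example, not code from either answer. It assumes the ActiveDirectory module (RSAT) is installed, that it runs elevated on a domain controller with rights to modify the domain object, and that a temporary file named `user_rights.inf` (a name chosen here) is acceptable.

```powershell
# Added example: audit, then tighten, who can join computers to the domain.
# Assumptions: ActiveDirectory module available; elevated session on a domain controller.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Read the per-user join quota stored on the domain naming context head.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $domainDN = $quota"

# 2. List computer accounts that carry ms-DS-CreatorSID, which AD stamps on
#    machine accounts created by a user through the quota. Shows who relies on it today.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        # Handle the attribute arriving as raw bytes instead of a SecurityIdentifier.
        if ($sid -is [byte[]]) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
        }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator deleted or SID not resolvable
        [pscustomobject]@{
            Computer = $_.Name
            Creator  = $creator
            Created  = $_.whenCreated
        }
    } | Sort-Object Creator, Created | Format-Table -AutoSize

# 3. Show which SIDs hold "Add workstations to domain" (SeMachineAccountPrivilege)
#    in the effective policy of this domain controller.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege'
Remove-Item $cfg

# 4. Set the quota to 0 so ordinary users can no longer create machine accounts.
#    -WhatIf only previews the change; remove it once the audit output has been reviewed.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

Review the creators listed in step 2 before removing `-WhatIf`, since those users lose the ability to join machines once the quota is 0 unless they have been delegated rights to create computer objects.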