Can 'Domain Users' join computers to the domain?

windows-server-2003 domain

Yes, they may join up to 10 computers by default.

You may either revoke this right, using Group Policy, or change the maximum number of allowed joins.


If this is a concern for you, it is quite possible to change the default location where new computer-objects are created. Set the GPO on that location to be very restrictive, such as disabling the local Administrator account, and by doing so users end up with a much more locked down workstation than they started with. Quite the disincentive.

The Microsoft view of this is that the user is opting into your security and domain policies by having the ability to join machines to the domain.


You can also monitor who has added machines to your domain and then break knuckles after the fact if they are misbehaving.

Depends what your internal policies are - we have a very small shop but Devs are prohibited (by word of God, not GPO) from adding machines to domain.

Related

Deleting everything except newest files
In TCP/IP terms, how does a download speed limiter in an office work?
Why won't tcpdump write a pcap file?
Can anyone monitor my ssh (scp) file transfers
Linux: how to send new lines in log files to remote syslog?
Bad idea to jump two versions in a server OS upgrade?
Retrieve internet proxy server address via PowerShell
Is it possible to synchronize contents of a directory only?
Reverse DNS Setup for an IP with multiple domains
Do not allow domain computers to communicate with each other
Tips for remote work?
Defragmenters useful for *nix?