Domain Join Rights
By default, Active Directory allows each user account to join ten devices to the domain. While acceptable in the 90s, in today's security landscape, where Zero Trust is the norm, this isn't optimal.
In this article we're going to create and apply a GPO which specifies the user accounts that are able to join devices to the domain. This GPO will be applied against the DCs of the domain, as it's the DCs themselves which control this behavior.
Methodology
The setting we're changing is actually held within the Default Domain Controller GPO already applied against the DCs. The easiest solution would be to update this GPO, but as I prefer not to tweak any default GPOs, we'll create a separate GPO which overrules the Default Domain Controller GPO. This allows for quick recovery if any troubles occur, as we can simply unlink our newly applied GPO.
Create the GPO
Create a new GPO, configuring the following settings:
- Browse to Computer >> Policies >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
- Configure the policy Add workstations to domain.
- Add only the security group(s) who will have the ability to join computers to the domain. Defining this policy replaces the default entry, Authenticated Users, which is what grants every user account the right to join devices.
Applying the GPO
There are two methods of linking the GPO to overrule the Default Domain Controller GPO:
- Mark the GPO as Enforced so the policy always gets precedence.
- Change the precedence order on the OU, placing our GPO first in the link order so it is the last to be applied.
Choose your method.
To apply and enforce the GPO, perform the following:
- Link the GPO against the Domain Controller OU.
- Right-click on the GPO we created within the Domain Controller OU and select Enforce.
To apply and update the precedence order, perform the following:
- Link the GPO against the Domain Controller OU.
- Click on the Domain Controller OU to see the precedence order within the main window.
- Select the GPO we created and move it into first position (link order 1).
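The linking step (either method) followed by a read-back of the effective right on the DC, as an added PowerShell example that is not part of the original article. The GPO name and the joiner group are assumptions; the right itself still has to be populated in GPMC as described above, because the GroupPolicy module has no cmdlet for User Rights Assignment.

```powershell
# Added example, not from the original article. Assumes the GroupPolicy and
# ActiveDirectory modules (RSAT) and that it runs as a Domain Admin on a DC.
# The "Add workstations to domain" right lives in the GPO's security template
# (GptTmpl.inf), which the GroupPolicy module cannot edit; set it in GPMC.
# This script handles linking, precedence and verification only.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Restrict Domain Join'            # assumed GPO name
$DcOu      = (Get-ADDomain).DomainControllersContainer

# 1. Create the GPO if needed and link it to the Domain Controllers OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $DcOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $DcOu | Out-Null }

# 2. Make it win over the default DC policy. Pick one method, as in the article:
#    Enforced (always wins) or link order 1 (applied last, highest precedence).
$UseEnforced = $true
if ($UseEnforced) { Set-GPLink -Name $GpoName -Target $DcOu -Enforced Yes | Out-Null }
else              { Set-GPLink -Name $GpoName -Target $DcOu -Order 1     | Out-Null }

# 3. Apply and read back the effective right on this DC. secedit writes an INI
#    whose [Privilege Rights] section lists SeMachineAccountPrivilege as *SIDs.
gpupdate /target:computer /force | Out-Null
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }
Remove-Item $cfg
$holders = if ($line) {
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try { (New-Object Security.Principal.SecurityIdentifier $id).Translate([Security.Principal.NTAccount]).Value }
        catch { $id }   # leave unresolvable SIDs as-is
    }
} else { @() }

Write-Host "Effective 'Add workstations to domain' holders on ${env:COMPUTERNAME}:"
$holders | ForEach-Object { Write-Host "  $_" }

# 4. Warn if Authenticated Users (the default grant) still holds the right: the
#    link is not taking precedence or the right was never defined in the GPO.
if ($holders -contains 'NT AUTHORITY\Authenticated Users') {
    Write-Warning 'Authenticated Users still holds the right; check link order or enforcement.'
}
```

Run it again after unlinking the GPO to confirm the default grant returns, which proves the quick-recovery path the Methodology section relies on.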