Posted on

Who can join a workstation to the Active Directory domain?

By default all domain users have the ability to add a workstation to the domain.

Limits on the number

The limitation on this task is that any one user can add a maximum of 10 workstations to the domain.

Impact

When the user reaches the maximum number of computers joined to the domain, he receives this error message

Who added a workstation to active directory?

To find out who added a workstation to the active directory, simply run this ppowershell script created based on this article:

Using PowerShell to Discover Who Added a Client to Your Domain

Clear-Host

Write-Host "I'm writing ms-DS-MachineAccountQuota"

# List the current value of ms-DS-MachineAccountQuota
Get-ADDomain |
Select-Object -ExpandProperty DistinguishedName |
Get-ADObject -Properties 'ms-DS-MachineAccountQuota' |
Select-Object -ExpandProperty ms-DS-MachineAccountQuota





Write-Host "Number clients in this environment"
Get-ADComputer -Filter * | Measure-Object | Select-Object -ExpandProperty Count
Write-Host "Number users in this environment"
Get-ADUser -Filter * | Measure-Object | Select-Object -ExpandProperty Count


Write-Host ""
Write-Host "Who did this?"
$Clients = Get-ADComputer -Properties ms-ds-CreatorSid, WhenCreated -Filter {ms-ds-creatorsid -ne "$Null"}
$Users = Get-ADUser -Filter *

ForEach ($C in $Clients)
{
ForEach ($U in $Users)
{
If ($U.Sid -eq $C.'ms-ds-creatorsid')
{
$C | Select-Object -Property @{
Name = 'ComputerName'; Expression = {$C.Name}},
@{Name = 'WhenCreated'; Expression = {$C.WhenCreated.DateTime}},
@{Name = "UserName"; Expression = {$U.Name}
}
}
}
}

Change the limit on the number of workstations

It is possible to modify this number by increasing it or bringing it to 0. If it is set to 0, users will have to have particular permissions to be able to add a computer to the domain.

To do this, from the domain controller, launch the adsiedit.msc command.

On the left, position yourself on the main node that begins with “DC=…”. Right-click -> Properties. The key with the number to change is MS-DS-MachineAccountQuota.

 

Restrict adding a workstation to the domain to a group

It is possible to limit the ability to add workstations to the domain to a group of users by acting directly on the GPOs

Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment

Look for the “Add workstations to the domain” entry and change it to specify only the users and groups that can perform the add operation.

Posted on

Active Directory: change server roles

In a multiserver Windows Active Directory Server environment, it may be necessary to move roles from one server to another.

Which server has Active Directory roles?

To find out which server has the Active directory roles type the command:

NETDOM QUERY FSMO

Transfer roles with command line.

Open a Dos prompt and type:

ntdsutil

then

roles

then

connections

then

Connect to server ServerFQDN

Where server is the server you want to pass roles to

Then

quit

Depending on the roles you want to switch, type the following commands:

Ruolo Credenziali Comando
Master for domain naming Enterprise Administrators Seize naming master
Master schema Schema Administrators Seize schema master 
Iìnfrastructur master  Domain Admins Seize infrastructure master 
Master PDC emulator Domain Admins Seize pdc
master RID Domain Admins Seize rid master