Resolution
Directory and Resource Administrator 7.x
symptom
Unauthorized users can create computer accounts and join computers to a domain.
symptom
The default Computers container in Active Directory contains computer accounts not created using DRA.
cause
By default, Active Directory enables ordinary domain users to join up to 10 computers to a domain. If no computer account exists for the computer being added, Active Directory creates an account in the default Computers container at the time the client computer joins the domain. This behavior is expected in Active Directory, and Directory and Resource Administrator (DRA) does not prevent it.
fix
To prevent ordinary users from being able to create computer accounts directly in Active Directory, see Method 3: Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain in Microsoft knowledge base article 251335, Domain Users Cannot Join Workstation or Server to a Domain, at http://support.microsoft.com/?id=251335.
To prevent unauthorized users from creating computer accounts:
Perform the procedure described in Method 3: Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain in Microsoft knowledge base article 251335, specifying 0 (zero) for the value of the ms-DS-MachineAccountQuota attribute in Step 6.
note
By default, members of the Domain Admins, Enterprise Admins, and Account Operators groups can join an unlimited number of computers to a domain. If the group member does not create a computer account before joining the computer to the domain, Active Directory creates the account in the default Computers container.
Using native Active Directory tools, you can grant other users or groups the permission to add computers to Active Directory. DRA does not prevent you from doing this.
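The following PowerShell is an added example and not part of the original article or of DRA: it applies the ms-DS-MachineAccountQuota change from the fix above using the ActiveDirectory module instead of the ADSI Edit steps in KB 251335, and then lists the computer accounts that were created in the default Computers container under that quota rather than through DRA. It assumes the RSAT ActiveDirectory module and an account permitted to modify the domain object; mS-DS-CreatorSID is the attribute Active Directory stamps on an account created under the quota.

```powershell
# Added example (not from the KB article or DRA). Requires the RSAT ActiveDirectory
# module and rights to write the domain naming context object.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Read the current quota. A non-zero value lets every authenticated user
#    create that many computer accounts implicitly when joining a domain.
$quotaObj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$current  = $quotaObj.'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $domainDN is currently $current"

# 2. Set it to 0 (the value the fix above specifies for Step 6 of KB 251335).
#    This closes only the implicit quota path; principals with explicit
#    Create Child rights on a container can still create computer accounts.
if ($current -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host "ms-DS-MachineAccountQuota set to 0"
}

# 3. Audit the default Computers container. Accounts carrying mS-DS-CreatorSID
#    were created under the quota by an ordinary user, i.e. not via DRA.
$searchParams = @{
    SearchBase  = $domain.ComputersContainer
    SearchScope = 'OneLevel'
    Filter      = '*'
    Properties  = 'whenCreated', 'mS-DS-CreatorSID'
}
Get-ADComputer @searchParams |
    Select-Object Name, whenCreated, @{
        Name       = 'CreatedBy'
        Expression = {
            $raw = $_.'mS-DS-CreatorSID'
            if (-not $raw) { return '(explicit permissions, no creator SID)' }
            # The attribute is stored as a binary SID; resolve it to an account name.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # creator may have been deleted since
        }
    } |
    Sort-Object whenCreated |
    Format-Table -AutoSize
```

Entries whose CreatedBy column shows a user account are the ones the symptom describes; review them and, where appropriate, move or recreate them through DRA.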