Restrict rights to add Windows clients to the domain

By default, Windows allows every domain user to add Windows clients to an Active Directory domain. Although this is limited to a maximum of 10 clients per user, it creates a problem for many administrators. However, it is possible to restrict this right so that only certain users or groups in the network can join computers to the domain.

To do this, open the Group Policy Management Editor from the domain management tools and navigate to the following path:

Computer Configuration / Windows Settings / Security Settings / User Rights Assignment

There you will find the following policy, which you need to configure:

Add workstations to the domain

Below is the original image of the GPO you are looking for.

[Image: Add workstations to the domain]

It is important that you tick the checkbox "Define these policy settings". You can then use "Add users or groups" to define which AD group or AD user should have the right to join clients to the domain. Of course, the GPO then has to be linked to the correct organizational unit (OU); since this setting is only evaluated on domain controllers, that is the OU containing the domain controllers.

Microsoft explains this group policy as follows:

Add workstations to the domain

This security setting determines which groups or users can add workstations to a domain.

This security setting is only valid on domain controllers. By default, every authenticated user has this right and can create up to 10 computer accounts in the domain.

By adding a computer account to the domain, the computer can participate in Active Directory networking. For example, when a workstation is added to a domain, that workstation can recognize accounts and groups that exist in Active Directory.

Default value: "Authenticated Users" on domain controllers.

Note: Users who are authorized to create computer objects in the Active Directory container "Computers" can also create computer accounts in the domain. The difference is that users who have permissions on the container are not restricted to creating a maximum of 10 computer accounts. In addition, computer accounts created by adding workstations to the domain are owned by the Domain Administrators group, while computer accounts created by using the permissions on the Computers container are owned by the account creator. If a user has permissions on the container and also has the "Add workstations to domain" user right, the computer is added based on the permissions on the Computers container, not the user right.
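To verify the result of the procedure above, and to cover the bypass described in Microsoft's note, here is an added PowerShell audit script; it is not part of the original post or of Microsoft's documentation. It assumes an elevated PowerShell session on a domain controller with the ActiveDirectory RSAT module installed; the temporary file name and the computer-class schema GUID used to filter the ACEs are my own choices.

```powershell
# Added audit script, not from the original post. Run elevated on a domain
# controller with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

# 1. Export the effective local security policy and read who holds the
#    "Add workstations to domain" right (SeMachineAccountPrivilege).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temp file name is an assumption
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeMachineAccountPrivilege*' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    # Value is a comma-separated list; SIDs are prefixed with '*'.
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $id).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }   # keep the raw entry if it is not a resolvable SID
    }
}
"Holders of 'Add workstations to domain' on $($env:COMPUTERNAME):"
$holders | ForEach-Object { "  $_" }

# 2. The per-user quota behind the "10 clients" limit (default 10; 0 disables it).
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# 3. Per the note above, users who may create computer objects in the Computers
#    container bypass both the user right and the quota. List those ACEs.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schema GUID of class 'computer'
$acl = Get-Acl -Path ("AD:\" + $domain.ComputersContainer)
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $computerClass)
} | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# 4. Flag the default state that the post sets out to change.
if ($holders -contains 'NT AUTHORITY\Authenticated Users') {
    Write-Warning "Authenticated Users still hold the right and can each join up to $quota computers."
}
```

Run it once before and once after the GPO has been applied (gpupdate /force on the domain controller) to confirm that Authenticated Users has disappeared from the list of holders and that only the intended group remains.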


administrator