Users creating Computer Accounts
Yep... just changing group policy worked for me.
November 23rd, 2011 10:48am
Hi All,
Somehow end-users are able to create Computer Accounts in my domain. They didn't use to be able to do that, so something's changed.
I found a Security setting on one of the OUs for Domain Users that had Create all child objects and Delete all child objects granted. I've modified this to Read instead, and I'm testing with a user whose only membership is in Domain Users.
Yet that account can still be used to add a PC to the domain, from the client PC itself.
I've checked the Effective Permissions for that account (in the OU where Computers get put, and its parent OUs) and they seem to suggest Read-only attributes, nothing for Write. So I can't understand where it's getting the permission from to create the account.
I've seen some references about 2008 having GPOs that can add a right to do this, but I've not created this.
Any ideas?
November 23rd, 2011 5:29pm
By default users can join up to ten computers to the domain.
http://support.microsoft.com/kb/243327
http://msdn.microsoft.com/en-us/library/ms813615.aspx
Richard Mueller - MVP Directory Services
November 23rd, 2011 6:39pm
As Richard said, by default a user can join a maximum of 10 computers to the domain. But if he doesn't have delegated permission to join computers to the domain (because by default all the computer objects are created in the Computers OU), all the computer accounts should be created by another user who can create objects in Active Directory.
Anyway, you can limit that 10-computer quota.
The number of workstations currently owned by a user is calculated by looking at the ms-DS-CreatorSID attribute of machine accounts.
To modify Active Directory to allow more (or fewer) machine accounts on the domain, use the Adsiedit tool.
WARNING: Using Adsiedit incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Adsiedit can be solved. Use Adsiedit at your own risk.
1. Install the Windows Support Tools if they have not already been installed. This is necessary only for Windows 2000 and Windows Server 2003. For Windows Server 2008 and Windows Server 2008 R2, Adsiedit is installed automatically when you install the Active Directory Domain Services role.
2. Run Adsiedit.msc as an administrator of the domain.
3. Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.
4. In the Select which properties to view box, click Both.
5. In the Select a property to view box, click ms-DS-MachineAccountQuota.
6. In the Edit Attribute box, type the number of workstations that you want users to be able to maintain concurrently.
7. Click Set, and then click OK.
http://support.microsoft.com/kb/243327#appliesto
Darshana Jayathilake
November 23rd, 2011 7:18pm
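The quota described above is not an ACL on the OU, which is why Effective Permissions never shows it: the domain controller grants the create when the joining user holds the "Add workstations to domain" right and has fewer than ms-DS-MachineAccountQuota computer objects stamped with their SID in mS-DS-CreatorSID. The following PowerShell is an added example, not code from the thread or from the KB article; it assumes the ActiveDirectory RSAT module is installed and that the account running it can read the domain naming context (changing the quota needs Domain Admin rights). It reads the quota, previews setting it to 0, and then lists every computer account that was joined under the quota by an ordinary user, grouped by creator.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) and an
# account that can read the domain NC; the Set-ADObject call needs Domain Admin rights.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Read the current ms-DS-MachineAccountQuota (the default is 10, per KB 243327).
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $domainDn = $quota"

# 2. To stop ordinary users from joining machines under the quota, set it to 0.
#    -WhatIf only previews the change; remove it to apply.
Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf

# 3. Audit existing computer objects. A populated mS-DS-CreatorSID means the account was
#    created under the quota by the user whose SID is stored there; accounts created by an
#    administrator or a delegated account (i.e. via ACL rights) leave the attribute empty.
$computers = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated

$rows = foreach ($c in $computers) {
    $raw = $c.'mS-DS-CreatorSID'
    if (-not $raw) { continue }          # created through explicit permissions, not the quota

    # The module may return the value as a SecurityIdentifier or as raw bytes; handle both.
    $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
           else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }

    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = "<unresolved> $($sid.Value)" }   # e.g. the creating user was deleted

    [pscustomobject]@{ Computer = $c.Name; Creator = $creator; Created = $c.whenCreated }
}

# 4. Per-user totals against the quota. Anyone appearing here is a non-admin who joined a
#    machine; anyone at or above the quota can no longer join more.
$rows | Group-Object Creator |
    Select-Object @{ n = 'Creator'; e = { $_.Name } },
                  @{ n = 'Joined';  e = { $_.Count } },
                  @{ n = 'AtQuota'; e = { $_.Count -ge $quota } } |
    Sort-Object Joined -Descending | Format-Table -AutoSize

# Full per-computer listing, newest first, for follow-up.
$rows | Sort-Object Created -Descending | Format-Table -AutoSize
```

Lowering the quota only closes the quota path; a user who has been delegated Create Computer objects on an OU is unaffected, so the OU ACL check the original poster already did is still the right second control. Remember that the attribute lives on the domain object and must replicate to every DC before a join attempt against that DC sees the new value.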
Hi,
Just so I'm clear on this - you're saying that by default *ANY* user can join a PC to the domain (up to 10 times)? Seriously!?!
I'm now 99% sure though that when we first set up the SBS server, where the domain originated from, the reason I had to run my account as a Domain Admin was that I couldn't add computers to the domain.
Ok, assuming this is the case then - if I want to remove that ability, so that only Domain Admins can add/remove machines, do I just change ms-DS-MachineAccountQuota to zero? What are the side effects of doing that?
I did move the default OU to: domain.local\MyBusiness\Corporate\Build Now
Effective Permissions on that OU for my test account seem to suggest that a user couldn't create an object there. So, as Darshana says, my test account shouldn't then be able to create an account, but yet it still can, and it still gets put into the Build Now OU.
November 24th, 2011 5:09am
I guess what is confusing me is the terminology of 'maintaining' a computer. For example, I have users who log on to more than one PC, but all those PCs are already domain members. So does this setting affect that?
I've found the setting and it is set at 10, but before I change it I would like to confirm that this will only mean that a normal Domain User won't be able to add a computer to the domain.
Will they still be able to remove a computer from the domain? (another issue I'm trying to stop).
November 24th, 2011 5:33am
Nope, this setting doesn't affect users' ability to log on. It only denies adding workstations to the domain. However, I would suggest doing that using a less drastic method than ADSI modification.
I would modify the "Default Domain Controllers Policy":
Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment->
There is a policy named "Add workstations to domain"; remove "Authenticated Users" from there.
Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com
November 24th, 2011 5:49am
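To confirm that the GPO change above has actually landed, check which principals effectively hold the "Add workstations to domain" right (its internal name is SeMachineAccountPrivilege) on a domain controller, since that is where the Default Domain Controllers Policy applies and where the join is evaluated. The script below is an added example, not code from the thread or from Krzysztof's blog; it assumes it is run in an elevated session on a DC. It exports the local security policy with secedit, parses the privilege line, resolves the SIDs, and flags the broad built-in groups that should not normally be there.

```powershell
# Added example, not from the thread. Run elevated on a domain controller; reports who
# effectively holds "Add workstations to domain" (SeMachineAccountPrivilege) on this host.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export is an INI-style file whose [Privilege Rights] section holds lines such as
#   SeMachineAccountPrivilege = *S-1-5-11
# Entries are comma separated; a leading '*' marks a SID, otherwise secedit wrote a name.
$line = Get-Content $inf | Where-Object { $_ -match '^\s*SeMachineAccountPrivilege\s*=' } |
        Select-Object -First 1
if (-not $line) {
    "SeMachineAccountPrivilege is not assigned to anyone on this host."
    Remove-Item $inf -ErrorAction SilentlyContinue
    return
}

$entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Well-known SIDs that grant the right to effectively everybody; these are what to remove.
$broad = @{
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'Users'
}

$report = foreach ($e in $entries) {
    if ($e.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        $note = if ($broad.ContainsKey($sid.Value)) { "REVIEW: broad group ($($broad[$sid.Value]))" } else { '' }
        [pscustomobject]@{ Principal = $name; Sid = $sid.Value; Note = $note }
    } else {
        [pscustomobject]@{ Principal = $e; Sid = ''; Note = '' }
    }
}

$report | Format-Table -AutoSize
Remove-Item $inf -ErrorAction SilentlyContinue
```

After editing the GPO, run gpupdate /force on the DC and re-run the script; until the policy has refreshed, the export still shows Authenticated Users. The user right and ms-DS-MachineAccountQuota are two separate gates on the same quota-based join path, so removing the right is enough to close it even if the quota is left at 10; Domain Admins and anyone with delegated Create Computer permissions on an OU continue to join through the ACL and are not affected by either setting.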
Hi,
Thanks, I'll try that one too. I did try modifying ms-DS-MachineAccountQuota but after 20 mins it made no difference. I'll try the group policy now too.
November 24th, 2011 6:05am