Domain Join Rights
By default, Active Directory allows any authenticated user to join up to ten computers to the domain. Two things combine to produce this behaviour: the Default Domain Controllers Policy grants the "Add workstations to domain" user right to Authenticated Users, and the ms-DS-MachineAccountQuota attribute on the domain object (default value 10) caps how many computer accounts each such user may create. That may have been acceptable in the ’90s, but it is not a good fit for an environment built around Zero Trust, where only a small, deliberately chosen set of accounts should be able to introduce new machines.
In this article, we’re going to create and apply a GPO that defines which user accounts are allowed to join devices to the domain. This GPO will be applied to the domain controllers (DCs), as it’s the DCs themselves that control this behavior.
Methodology
The setting we’re modifying is located within the Default Domain Controllers Policy GPO. The easiest option would be to edit that GPO directly, but since it’s preferable not to modify default GPOs, we’ll instead create a separate GPO that overrides it. This approach allows for quick recovery if the change causes any issues: we simply unlink our new GPO, and the default GPO takes over again. One caveat to keep in mind: User Rights Assignment settings are not merged between GPOs. The list in the winning GPO replaces the default list entirely, so it must contain every principal that should keep the right.
Create the GPO
Create a new GPO, configuring the following settings:
- Browse to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
- Configure the policy Add workstations to domain.
- Add the security group(s) that should be able to join computers to the domain. Because this list replaces the default (Authenticated Users), anyone not in these groups loses the right. Note that accounts with explicit Create Computer Objects permission on an OU can still join computers there regardless of this user right; audit those ACLs separately.
Applying the GPO
There are two methods of linking the GPO to override the Default Domain Controllers GPO:
- Mark the GPO link as Enforced, so the policy always takes precedence over non-enforced links.
- Change the link order on the OU so our GPO is at link order 1. Link order 1 is processed last and therefore wins any conflict.
Choose your method.
To apply and enforce the GPO, perform the following:
- Link the GPO to the Domain Controllers OU.
- Right-click the link to our GPO under the Domain Controllers OU and select Enforced.
To apply and update the precedence order, perform the following:
- Link the GPO to the Domain Controllers OU.
- Click the Domain Controllers OU; the Linked Group Policy Objects tab in the main window shows the link order.
- Select the GPO we created and move it to link order 1 (the top of the list). Link order 1 is processed last, so it overrides the Default Domain Controllers Policy.
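The same procedure carried out from PowerShell on a domain controller, followed by the check a practitioner wants before calling the change done: reading the effective "Add workstations to domain" holders back from the DC's local security database. This is an added example, not code from the original article. It assumes the RSAT GroupPolicy and ActiveDirectory modules, Domain Admin rights, and that the user right itself has already been populated in the GPO through GPMC as described above (the GroupPolicy module has no cmdlet for User Rights Assignment; that setting lives in the GPO's security template, not the registry). The GPO name and the joiner group name are assumptions for illustration.

```powershell
# Added example (not from the original article). Assumed names are marked below.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'SEC - Restrict Domain Join'      # assumed GPO name
$joinGroup = 'CORP\Workstation-Joiners'        # assumed group granted the right in GPMC
$domain    = Get-ADDomain
$dcOu      = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=corp,DC=example

# 1. Create the GPO if it does not exist yet. The user right is then set in GPMC.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Overrides "Add workstations to domain" from Default Domain Controllers Policy'
}

# 2. Link it to the Domain Controllers OU. Either method from the article works;
#    both are shown, and using both is harmless.
#    (a) Enforced link: wins over non-enforced links regardless of link order.
New-GPLink -Guid $gpo.Id -Target $dcOu -LinkEnabled Yes -Enforced Yes -ErrorAction SilentlyContinue | Out-Null
#    (b) Link order 1: processed last, so it overrides the Default Domain Controllers Policy.
Set-GPLink -Guid $gpo.Id -Target $dcOu -Order 1 | Out-Null

# 3. Show the resulting precedence on the OU (Order 1 = highest precedence).
Get-GPInheritance -Target $dcOu |
    Select-Object -ExpandProperty GpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled |
    Format-Table -AutoSize

# 4. Refresh policy on this DC and read the effective right back from the local
#    security database. secedit writes SIDs prefixed with '*' and comma-separated.
gpupdate /target:computer /force | Out-Null
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeMachineAccountPrivilege' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($_.Trim().TrimStart('*'))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
}

"Effective 'Add workstations to domain' holders on ${env:COMPUTERNAME}:"
$holders | ForEach-Object { "  $_" }
if ($holders -contains 'NT AUTHORITY\Authenticated Users') {
    Write-Warning 'Authenticated Users still hold the right: the override GPO is not winning yet.'
}
if ($holders -notcontains $joinGroup) {
    Write-Warning "$joinGroup is not in the effective list: check the User Rights Assignment in the GPO."
}

# 5. The quota still applies to whoever keeps the right. Setting it to 0 is a common
#    complementary hardening; read the current value here.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"
```

Run step 4 on each domain controller, not just the one you edited the GPO on: a join request is honoured by whichever DC handles it, and a DC that has not yet replicated or applied the new GPO will still let Authenticated Users join. If the warning about Authenticated Users fires after replication has completed, the Default Domain Controllers Policy is still winning, which usually means the link is neither enforced nor at link order 1.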