
BLU Discuss list archive



CentOS magic to Active Directory login?



Edward Ned Harvey wrote:
> I was very surprised to learn this a year or two ago.  You don't need to be
> a domain administrator to join a machine onto the domain.  I was very
> surprised when one of my unprivileged users joined his laptop to my domain,
> and I was unable to repeat that using my own unprivileged account.  I
> investigated this *extremely* thoroughly, because I thought it represented
> some sort of security breach (like he somehow got the admin pass) but that
> was not the case.  In the end, it was proven, without anybody getting in
> trouble, that unprivileged users can sometimes join computers to domains.
> There are some restrictions, but all the websites had conflicting
> information about what the restrictions are, so I am somewhat unclear in
> that area.

From what I've seen on this, it's the permissions on where the Computer
object is created in Active Directory. I believe by default the
permissions on the default "Computers" container are set to allow
creation/deletion of computer objects for any authenticated users. If
you restrict that privilege to only admin users, they won't be able to
bind to the domain.

Grant M.
-- 
Grant Mongardi
Senior Systems Engineer
NAPC

gmongardi-cGmSLFmkI3Y at public.gmane.org
http://www.napc.com/
blog.napc.com
781.894.3114 phone
781.894.3997 fax

NAPC | technology matters
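
One way to check the container permissions described in the reply above, added here as an example and not part of the original message: the PowerShell below lists the Allow entries on the domain's default Computers container that grant creation of computer objects. It assumes the RSAT ActiveDirectory module is installed and that the session can read the directory.

```powershell
# Added example (not from the original thread): list who may create computer
# objects in the domain's default Computers container.
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" object class.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
# An ACE whose ObjectType is the empty GUID applies to every child class.
$anyClass = [guid]::Empty

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# Distinguished name of the default container, normally CN=Computers,<domain DN>.
$container = (Get-ADDomain).ComputersContainer
$acl = Get-Acl -Path "AD:\$container"

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq $anyClass)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Any row whose IdentityReference is a broad group such as Authenticated Users means non-admin accounts can create computer objects in that container; rows with GenericAll also match because that right includes CreateChild.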








BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org