
BLU Discuss list archive



CentOS magic to Active Directory login?



> From what I've seen on this, it's the permissions on where the
> Computer
> object is created in Active Directory. I believe by default the
> permissions on the default "Computers" container are to allow
> creation/deletion of computer objects for any authenticated users. If
> you restrict that privilege to only admin users, they won't be able to
> bind to the domain.

That sounds reasonable, but it doesn't agree with my experience.  

About 1-2 years ago, a new Dell system arrived at work, for a user, while I
was out of office.  He unpacked it, and joined the domain without any help
from IT.  I was surprised because I thought that couldn't happen.  So I
reformatted another system, and tried to join the domain using my own
credentials, and all the lab credentials that the user would have valid
access to use, and I double checked that my user account is part of all the
same groups as he is.  I got permission denied on all accounts.

As I googled all around, and read MS TechNet and so on ... some things out
there say an unprivileged user is able to join up to 10 computers onto the
domain.  Again, this disagrees with my experience, since I was denied.
Other articles say that 10 computers can be joined onto the domain, and
*all* unprivileged users count toward that total.  Again, this disagrees
with my experience.

And then there are some articles that get into really gory detail of exactly
how that's all managed.  This was too deep for me to pursue it any further.
Here's where I decided to draw the finish line:  Every computer object, if
you use your AD Explorer from Sysinternals, or any other LDAP browser, has a
property that says who it was created by.  I looked in, saw that his
computer account was really created by him, so he didn't somehow hack the
administrator pass or anything like that.  I concluded that sometimes, under
circumstances that I don't quite understand, it is possible for unprivileged
users to join a computer to the domain.  No breach of security has occurred,
everything is fine.

I never found any complete explanation, but felt this was good enough for
me.  I don't need to drag him down to have a meeting with our managers and
HR.  Thank goodness.  ;-)
