CentOS magic to Active Directory login?

Grant M gmongardi-cGmSLFmkI3Y at public.gmane.org
Fri Feb 19 06:37:12 EST 2010


Edward Ned Harvey wrote:
> I was very surprised to learn this a year or two ago.  You don't need to be
> a domain administrator to join a machine onto the domain.  I was very
> surprised when one of my unprivileged users joined his laptop to my domain,
> and I was unable to repeat that using my own unprivileged account.  I
> investigated this *extremely* thoroughly, because I thought it represented
> some sort of security breach (like he somehow got the admin pass) but that
> was not the case.  In the end, it was proven, without anybody getting in
> trouble, that unprivileged users can sometimes join computers to domains.
> There are some restrictions, but all the websites had conflicting
> information about what the restrictions are, so I am somewhat unclear in
> that area.

From what I've seen on this, it's the permissions on where the Computer
object is created in Active Directory. I believe by default the
permissions on the default "Computers" container is to allow
creation/deletion of computer objects for any authenticated users. If
you restrict that privilege to only admin users, they won't be able to
bind to the domain.

Grant M.
-- 
Grant Mongardi
Senior Systems Engineer
NAPC

gmongardi-cGmSLFmkI3Y at public.gmane.org
http://www.napc.com/
blog.napc.com
781.894.3114 phone
781.894.3997 fax

NAPC | technology matters
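One way to audit the container permissions Grant describes, as an added example (not code from the original thread): this PowerShell assumes the RSAT ActiveDirectory module is installed and that the account running it can read the ACL on the domain's default Computers container.

```powershell
# Added example (not from the original post): list which principals hold an
# Allow ACE that permits creating computer objects directly in the domain's
# default "Computers" container, and flag the broad "any authenticated user" case.
# Assumes the ActiveDirectory module (RSAT) and read access to the container's ACL.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" object class, as used in object-specific ACEs
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Default Computers container of the current domain, e.g. CN=Computers,DC=example,DC=com
$container = (Get-ADDomain).ComputersContainer

function Get-ComputerCreateAces {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        # GenericAll also carries the CreateChild bit, so a bitwise test catches both
        (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
        # an empty ObjectType means "any child class"; otherwise it must name the computer class
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $computerClassGuid)
    }
}

$aces = Get-ComputerCreateAces -DistinguishedName $container
$aces | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# The permissive case discussed in the thread: Authenticated Users may create computer objects
$broad = $aces | Where-Object { $_.IdentityReference -like '*Authenticated Users*' }
if ($broad) {
    Write-Warning "Authenticated Users can create computer objects in $container"
} else {
    Write-Host "No create-computer ACE for Authenticated Users found on $container"
}
```

If the warning fires and that is not intended, remove or replace that ACE with one granting the right to a dedicated group of administrators, then re-run the check to confirm.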
