How to determine which user added a computer to the domain
In Windows NT, only the Domain Admins group had the right to add computer accounts to the domain. So, when you were prompted to enter user information during the domain join operation, you had to give an admin’s name and password.
Starting with Windows 2000, ordinary users have the right to add computers to the domain. This right is set in the “Default Domain Controllers Policy”, under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. The right is “Add workstations to domain”. By default, “Authenticated Users”, meaning any user who is authenticated, is assigned that right.
Ordinary users can add computers to the domain, but they are subject to an Active Directory quota: an ordinary user can add a maximum of 10 computers to the domain. This quota can be viewed and changed using the Adsiedit.msc console. The quota is determined by the ms-DS-MachineAccountQuota attribute on the domain object.
You can prevent ordinary users from adding computers to the domain by changing either one: you can remove Authenticated Users from the “Add workstations to domain” right (don’t forget to add the Domain Admins group in that case), or you can set the ms-DS-MachineAccountQuota attribute to 0.
Apart from preventing ordinary users from adding computers to the domain, you may want to know which user added a particular machine. You can see that information on the Security tab of the computer account’s properties. If an ordinary user added the computer, that user is listed in the Access Control List of the computer.
You can also find out how much of the quota a user has consumed with the “dsget user” command. For example, the following command displays Tom’s quota information in the kalem.org.tr domain:
dsget user cn=tom,cn=users,dc=kalem,dc=org,dc=tr -part dc=kalem,dc=org,dc=tr -qused
You can also use the dsquery user command to get all the users and pipe the result to the dsget user command. By doing so, you can see quota information for all users. The command looks like this:
dsquery user | dsget user -part dc=kalem,dc=org,dc=tr -qused -display