Please Help- How to restrict anyone from creating computer accounts in default computer container?

Hello,

How to restrict anyone from creating computer accounts in default computer
container, when joining domain.
I have removed "Authenticated users" group from Computer>Security
properties. I have removed from GPO as "Add workstaions to domain"
still it doesn't apply.

Basically, i want to setup in such a way that computer account has to be
precreated in different OU as per Departments, and not in default container.
If Computer account does not exist, then it should error out.

This is on Win2003 AD.

Thanks

Sunny

 

For normal users you can prevent this by setting the ms-DS-MachineAccountQuota
on the domain head object to 0.

 

Sunny says...

Hi Sunny,

easiest way in my opinion: Go into the default domain controllers policy, to
computer settings, windows settings, security settings, local settings,
userpolicies (naming may vary, I'm sitting in front of a non-english machine
right now). Find the right "Add Workstations to the domain" and remove
authenticated users.

If you want certain groups to be able to add workstations to certain OUs you
can delegate the right as Jorge elaborately explained.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org