حذف قابلیت جوین کردن ۱۰ کامپیوتر به دومین توسط یوزرها

[Hanif]

به صورت استاندارد هر یوزر شناسایی یا تصدیق شده authenticated User میتواند ۱۰کامپیوتر را به دومین Join کند .

اگر بخواهیم این قابلیت را برای یوزرها حذف کنیم، از راه زیر استفاده میکنیم .

کنسول ADSIEdit را باز میکنیم .

بعد از باز شدن کنسول، روی ADSIEdit کلیک سمت راست موس را کرده و Connect to را انتخاب میکنیم .

Default naming context را انتخاب کرده و OK را کلیک میکنیم .

حالا روی نام دومین DC=Contoso,DC=Com کلیک سمت راست کرده و Properties را کلیک میکنیم .

حالا ms-DS-MachineAccountQuota را پیدا میکنیم. همانطور که میبینید، مقدار آن به صورت استاندارد ۱۰میباشد .

مقدار آن را به صفر 0 تغییر داده و OK را کلیک میکنیم .

از این به بعد یوزرها دیگر نمیتوانند کامپیوتر به دومین Join کنند. اگر میخواهید به یک یوزر یا گروه قابلیت Join کردن کامپیوتر به دومین را بدهید، از Active Directory Delegation استفاده کنید

منبع : microsoft

---

موضوعات مشابه:

• در هنگام لاگین به کامپیوتر اگر اتصال کامپیوتر از شبکه قطع باشد باز هم یوزر می تواند وارد گردد
• گرفتن مجوز ایجاد یوزر توسط گروه پاور یوزر
• چرا در شبکه بعد از اینکه کامپیوتری را وارد دامین می کنیم و بعد با یوزر وارد آن سیستم میشویم درایوها
• پینگ یک کامپیوتر راه دور توسط کامپیوتر راه دور دیگر
• گرفتن dns توسط یوزرهایی که توسط e1 وصل میشوند

---

[th95]

لینک زیر در خصوص اینکه چگونه بررسی میشود فرد دارای دسترسی جوین سیستم به دومین هست یا خیر توضیحات بسیار خوبی ارائه داده

msresource.net - INFO: How does mS-DS-MachineAccountQuota work?


Permissions Validation

When a user attempts to join a computer to the domain, the authenticating Domain Controller checks to see if the user context performing the operation has the CREATE_CHILD permission for computer objects on the parent container (by default this is CN=Computers, DC=DNS-domain-name, however this can be redirected in 2003 functional mode). If the user context has this permission the check succeeds and the user can add the workstation to the domain without exception. If the user context doesn't have [computer] CREATE_CHILD permissions, then the user right SE_MACHINE_ACCOUNT_PRIVILEGE (Add workstations to the domain) is checked. If the user has this right, then the user can continue to add the workstation to the domain if the quota defined is not exceeded. If the user doesn't have this right, then the user cannot add a workstation to the domain.

Note. By default, the Authenticated Users security principal has the right SE_MACHINE_ACCOUNT_PRIVILEGE.
This series of events looks something like this:

• User attempts to join machine to the domain (local administrator permissions required)
• Domain Controller checks to see if user has permissions to create computer objects in the default computers container.
• If the user has the necessary permissions, ms-DS-MachineAccountQuota is not checked. Operation will succeed.
• If the user doesn't have the necessary permissions, the Domain Controller checks to see if the user has the user right "Join workstations to the domain".
• If the user has the necessary right, ms-DS-MachineAccountQuota is checked. Operation will succeed if the number of objects created by this user is less than that defined in ms-DS-MachineAccountQuota.
• If the user has neither the create computer object permission or join workstations to the domain right then the operation will fail and the user is notified that they do not have permissions to carry out the request. If the user has the right Join workstations to the domain but has exceeded the value defined in ms-DS-MachineAccountQuota then the operation fails and the user is notified that he/ she cannot join any more machines to the domain.

Quota Validation

If the necessary permissions are not held by the user in question, the Domain Controller then checks to see if the user is allowed to add this computer to the domain based on the domain-quota for domain membership additions. To do this check, the Domain Controller searches the domain for any computer objects where the ms-DS-CreatorSID equals the objectSID of the user performing the operation. If the number of computers returned by the query is less than the quota defined in ms-DS-MachineAccountQuota then the account is created, the ms-DS-CreatorSID attribute is stamped with the SID of the user (objectSID) and the owner of the new computer object is set to Domain Admins.

Note. ms-DS-CreatorSID is indexed, therefore this is a very fast search.
This series of events looks something like this:

• User allowed to create computer objects if quota not exceeded, therefore check quota
• If (&(objectCategory=computer)(ms-DS-CreatorSID=objectSID)) returns fewer results than the value of ms-DS-MachineAccountQuota then
• Create computer, set ms-DS-CreatorSID to the SID of the user and set Domain Admins as the owner

Note. Due to the way that this works, the quota is only loosely enforced. That is, a user cannot add more computers to the domain than the quota if all previous computer accounts created exist. In addition, it might be possible to add one or two computers that actually exceed the value defined in the quota.

As an example, if a computer account was created in the past and the computer decommissioned (and the object removed from Active Directory) then the count returned by the LDAP query will be number of computers joined to the domain - number of computer objects that were joined but are no longer in the directory. Which means another computer can be added.

As another example, it is also possible that more than the quota value can be added if the user in question were able to target multiple Domain Controllers within the replication latency. However, this isn't really easy to do and wouldn't cause much of an exception to the quota if it did happen.