Hi
I've already configured the "Add workstations to domain" user right in the Default Domain Policy so that only tier-2 IT members can add computers to the domain.
Now, as they sometimes forget to properly move computers from the COMPUTERS container to the proper OU, I want to prevent them from using the COMPUTERS container.
From ADUC I modified the security settings on the COMPUTERS container, removing Create/Delete Computer Objects for their security group (so only Domain Admins and default groups such as Backup Operators keep the default rights), and instructed them to join computers using Add-Computer -DomainName "domain" -OUPath distinguishedName
I tested drag-and-drop of computers from and to the COMPUTERS container in ADUC and everything seemed fine, but then I attempted to join a computer using the usual button from the Computer Name popup and still managed to join the computer to the COMPUTERS container (I used an account that is in the Tier-2 security group).
Any suggestion on how I could prevent this?
Main reasons for this are:
Can't apply GPOs to COMPUTERS, so I can't prevent someone from logging in locally if it's misconfigured.
GPPs for printers, network shares and so on aren't applied either, so users tend to call support asking for them.
Thanks in advance
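Added example, not from the post above: a PowerShell audit that lists computer accounts sitting in the domain's default computer container (the one a GUI join lands in, as reported by Get-ADDomain) and can move them to the intended OU. It assumes the ActiveDirectory RSAT module and an account with read/move rights; the target OU distinguished name is a placeholder to replace.

```powershell
# Audit (and optionally relocate) computer objects left in the default Computers container.
# Assumes the ActiveDirectory module; $TargetOU below is a placeholder, not a real OU.
param(
    [string]$TargetOU = 'OU=Workstations,DC=example,DC=com',  # placeholder DN
    [switch]$Move                                             # report only unless -Move is given
)

Import-Module ActiveDirectory

# Get-ADDomain exposes the container that a default domain join uses,
# normally CN=Computers,<domain DN> unless it has been redirected.
$defaultContainer = (Get-ADDomain).ComputersContainer

# OneLevel scope: only direct children of the container, not nested OUs.
$strays = Get-ADComputer -Filter * -SearchBase $defaultContainer -SearchScope OneLevel `
    -Properties whenCreated, lastLogonTimestamp

if (-not $strays) {
    Write-Host "No computer objects found in $defaultContainer"
    return
}

$report = foreach ($c in $strays) {
    # lastLogonTimestamp is a FILETIME integer; 0/absent means the account never logged on
    $lastLogon = if ($c.lastLogonTimestamp) {
        [DateTime]::FromFileTime($c.lastLogonTimestamp)
    } else { 'never' }

    [PSCustomObject]@{
        Name      = $c.Name
        Created   = $c.whenCreated
        LastLogon = $lastLogon
        DN        = $c.DistinguishedName
    }

    if ($Move) {
        # Once moved, the machine picks up the OU's GPOs/GPPs at its next policy refresh.
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $TargetOU
    }
}

$report | Format-Table -AutoSize
```

Run it without -Move first to see which machines were joined into the container and how long ago; scheduling it gives a simple detection for joins that bypassed the -OUPath instruction.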