Hey, I'm having quite the time with this one. I have modified our default domain policy so that only Domain Administrators can join computers to our domain (along with an SMS account). It seems to work with all of my test accounts but today I ran into
a user who was able to join a computer to our domain. I tried to trace as best I could his group memberships and it does not seem that he is linked to the Domain Admin group at all. I have a feeling that at one time, one of our previous crazy admins may have
added him to the Domain Admin group but he has been removed for some time now. He does not have permissions to install software on the machine once it is added to the domain which is another hint that this is correct. Also, I tested joining a computer to the
domain with a test account which mimics the typical user and the access was restricted as expected. To test, I made a copy of the user's account and when I tried to add the same computer (as previous test) to the domain it succeeded. Any suggestions on how
to trace this one down would be great. Thanks!
↧