Add workstations to a domain

Information

Add workstations to domain

This security setting determines which groups or users can add workstations to a domain.

This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.

Adding a computer account to the domain allows the computer to participate in Active Directory based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.

Default: Authenticated Users on domain controllers.

Note: Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right.

Solution

Policy Path: Local Policies\User Rights Assignment
Policy Name: Add workstations to a domain

See Also

https://www.microsoft.com/en-us/download/details.aspx?id=55319

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(7)(b)

Plugin: Windows

Control ID: 07777e84afbaf4e423285163794940e305a4cdb997883276b0577a6a09d4b6e8