
Joining domain Hacks


lurch2112

IS-IT--Management
Dec 16, 2003
I have a single domain at a school where I have a number of student laptops that have shown up as part of our domain. Other than knowing the admin password, are there any known hacks for a savvy student to join the domain? I know I need to change the password, I just have not heard of any other way to join a domain.

Thanks in advance.
 
Hmm, not that I know of, but what they might be doing is using their domain accounts to log the computer into the domain. For instance: they plug their computer into the network, boot, and log in locally, then they UNC onto a server or other shared resource, and when it prompts them for a login they log in like:

yourdomainname\username
password

This will allow the computer to effectively join the domain without having the admin password; it only lasts until the user logs out, though.

I do that all the time at work with my laptop to avoid having to join it, but still have access to the network and internet.

Just an idea though.
 
Thanks for the info. I think that is what is happening. I have talked to a couple of the students whose names showed up.
 
Huh .. you cannot just simply join a domain or add a computer if you do not have the right permissions.
I think you should start looking at putting some extra security and policies on your server.

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
 
Give this a try and see what happens.

On your domain shares, you can adjust the share security settings for those shares you only want to make available to domain computers. Put all your domain computers into a security group. On your shares, give share access to this security group and not user security groups. Use NTFS permissions to clamp down on domain user access.

If the user isn't on a computer that is part of the domain, they don't get share access. If they are on a domain client, then the NTFS permissions will give them the rights they are assigned.
 
Not sure if this is what you are experiencing but...

Windows 2000 grants the "add workstation to domain" permission to Authenticated Users for 10 machine accounts. This enables any valid domain user to join machines to the domain by supplying only their ordinary user credentials.

This default behavior can be turned off via an ADSI script or by using the Resource Kit tool Ldp.exe. The attribute you need to modify is ms-DS-MachineAccountQuota. Change it from 10 to zero.

Now only Domain Admins or those explicitly granted the "Create Computer Objects" and "Delete Computer Objects" permissions will be able to join machines to the domain.

Hope this helps!
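
Added example, not part of the original thread or anyone's post: a PowerShell ADSI sketch of the change described above. It reads ms-DS-MachineAccountQuota, lists computer accounts that carry ms-DS-CreatorSID (the SID that Active Directory records for the ordinary user who created the account), and sets the quota to zero only when asked. The `$SetQuotaToZero` switch is an assumption of this example, as is running it from a domain-joined machine with rights on the domain head object.

```powershell
# Added example. Run from a domain-joined machine; changing the quota needs
# rights on the domain head object (for example Domain Admins).
$SetQuotaToZero = $false   # assumption: flip to $true after reviewing the audit output

# Bind to the domain head object, where ms-DS-MachineAccountQuota is stored.
$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

$quota = $domain.Properties["ms-DS-MachineAccountQuota"].Value
Write-Output "ms-DS-MachineAccountQuota is currently $quota"

# Computer accounts created through the quota carry ms-DS-CreatorSID,
# the SID of the ordinary user who joined the machine.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = "(&(objectCategory=computer)(ms-DS-CreatorSID=*))"
$searcher.PageSize = 500
foreach ($attr in "name", "whencreated", "ms-ds-creatorsid") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

foreach ($result in $searcher.FindAll()) {
    $sidBytes = [byte[]]$result.Properties["ms-ds-creatorsid"][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try {
        $joinedBy = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $joinedBy = $sid.Value   # account deleted or not resolvable
    }
    New-Object PSObject -Property @{
        Computer = $result.Properties["name"][0]
        Created  = $result.Properties["whencreated"][0]
        JoinedBy = $joinedBy
    }
}

# Apply the change only when explicitly requested.
if ($SetQuotaToZero -and $quota -ne 0) {
    $domain.Put("ms-DS-MachineAccountQuota", 0)
    $domain.SetInfo()
    Write-Output "ms-DS-MachineAccountQuota set to 0"
}
```

Reviewing the `JoinedBy` column first shows which user accounts have been joining machines before the quota is changed.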
 
What, any user can add a machine to a domain if they are an admin of the local machine?

Isn't that a big prob?
 
I’m not sure if this will help or not, but here is my 2 cents' worth. I have computers on my network that are not part of the domain. If they want to access domain resources (shares, printers, etc.) they have to enter a domain account name and password, such as grymz pointed out. They need admin access to actually make their PC join the domain. However, most students just use the network for access to the internet so they can download files, surf, etc. They do not try to join the domain or access domain resources. Their PC name will still show up in AD and DNS/DHCP manager, but they are not part of the domain. I’m sure there are ways to stop this, but I’m new to this network admin position and still learning. I think I will try what seaspray0 recommended, though. Thank you
 