YaroC-2432 asked · FanFan-MSFT edited

scripting user rights assignment

I'm looking for a way of clearing the "add workstation to domain" right from existing accounts. I found some info on the Revoke-privilege cmdlet but can't see it available in v5. Where this is to be implemented I have no access to the Internet, so I can't use the ntrights app that may still work for Server 2016. What would be another way of doing this on a fairly big number of machines, not through a GPO?

windows-server windows-group-policy
FanFan-MSFT answered · FanFan-MSFT edited

Hi,
By default, Domain Controllers allow users to join 10 workstations to the domain.


We can change it to 0 by editing the ms-DS-MachineAccountQuota value in ADSI Edit.

Open Active Directory Services Interface Console (ADSI Edit) (Start > Run > adsiedit.msc)
Right click on ADSI Edit and click on Connect to...
Select "Default naming context" from the well known naming context dropdown menu
Right click Domain Name and click on Properties
On the Attribute Editor tab, scroll down to ms-DS-MachineAccountQuota
Click Edit ms-DS-MachineAccountQuota and set it to 0, then click OK to exit.
Note:
Users in the Administrators or Domain Administrators groups, and those users who have delegated permissions on containers in Active Directory to create and delete computer accounts, are not restricted by this limitation.

If I misunderstand you, please feel free to let me know.

Best Regards,
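
The ADSI Edit steps in the answer above, as a scripted equivalent. This is an added example, not part of FanFan-MSFT's answer. It goes one step further than the answer by first listing which accounts have already created computer objects (recorded in ms-DS-CreatorSID), and it assumes the RSAT ActiveDirectory module plus write access to the domain object; the -Apply switch is a name chosen for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: scripted form of the ADSI Edit steps, with an audit first.
# Run with -Apply to change the quota; without it the script only reports.
param([switch]$Apply)

$attr     = 'ms-DS-MachineAccountQuota'
$domainDn = (Get-ADDomain).DistinguishedName

# The quota lives on the domain object at the head of the default naming context.
$before = (Get-ADObject -Identity $domainDn -Properties $attr).$attr
Write-Output "Current $attr on ${domainDn}: $before"

# Computer accounts created under the quota record their creator in ms-DS-CreatorSID.
# Group them by creator so existing joins can be reviewed before the quota is closed.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated
$joined | Group-Object { [string]$_.'ms-DS-CreatorSID' } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.Name
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = '(unresolved)' }   # deleted or foreign account
        [pscustomobject]@{ Creator = $who; Sid = $_.Name; Computers = $_.Count }
    }

if ($Apply) {
    # Same change as editing the attribute in ADSI Edit.
    Set-ADObject -Identity $domainDn -Replace @{ $attr = 0 }

    # Read the value back so a failed or unreplicated write is not silently accepted.
    $after = (Get-ADObject -Identity $domainDn -Properties $attr).$attr
    if ($after -ne 0) { throw "$attr is still $after after the update" }
    Write-Output "$attr set to 0"
}
```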

YaroC-2432 answered · FanFan-MSFT edited

Thanks but I have no access to DCs so it all needs to be set in local policy.

Hi,
If we can't access the DCs, I'm afraid we can't change the user permissions.

Best Regards,