scripting user rights assignment

YaroC 316 Reputation points
2021-07-01T14:29:24.443+00:00

I'm looking for a way of clearing the "add workstation to domain" right from existing accounts. I found some info on the Revoke-privilege cmdlet but can't see it available in v5. Where this is to be implemented, I have no access to the Internet, so I can't use the ntrights app that may still work for Server 2016. What would be another way of doing this on a fairly big number of machines, not through a GPO?


2 answers

  1. Anonymous
    2021-07-02T00:48:30.65+00:00

    Hi,
    By default, Domain Controllers allow users to join 10 workstations to the domain.

    We can change it to 0 by editing the ms-DS-MachineAccountQuota value in ADSI Edit.

    1. Open the Active Directory Services Interface console (ADSI Edit) (Start > Run > adsiedit.msc).
    2. Right-click ADSI Edit and click Connect to...
    3. Select "Default naming context" from the well-known naming context dropdown menu.
    4. Right-click the domain name and click Properties.
    5. On the Attribute Editor tab, scroll down to ms-DS-MachineAccountQuota.
    6. Click Edit, set ms-DS-MachineAccountQuota to 0, and click OK to exit.

    Note: Users in the Administrators or Domain Administrators groups, and users who have delegated permissions on containers in Active Directory to create and delete computer accounts, are not restricted by this limitation.

    If I misunderstood you, please feel free to let me know.

    Best Regards,


  2. YaroC 316 Reputation points
    2021-07-02T10:53:23.9+00:00

    Thanks but I have no access to DCs so it all needs to be set in local policy.
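
For the local-policy route asked about in this thread, one offline option is `secedit.exe`, which is built into Windows. The script below is an added example, not code posted by anyone in the thread; the scratch folder and file names are assumptions, and it must run elevated on each machine.

```powershell
#Requires -RunAsAdministrator
# Added example: clears "Add workstations to domain" (SeMachineAccountPrivilege)
# from the local security policy with secedit.exe, which ships with Windows.
$right   = 'SeMachineAccountPrivilege'
$workDir = Join-Path $env:TEMP 'secpol-edit'          # assumed scratch folder
$cfg     = Join-Path $workDir 'user_rights.inf'
$backup  = Join-Path $workDir 'user_rights.before.inf'
$db      = Join-Path $workDir 'user_rights.sdb'
$pattern = "^\s*$right\s*=\s*\S"                      # line that still lists holders

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Export only the user rights area of the local policy and keep a copy
#    so the previous assignment can be restored with secedit /configure.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
Copy-Item -Path $cfg -Destination $backup -Force

# 2. Look for an assignment such as "SeMachineAccountPrivilege = *S-1-5-11".
$lines   = Get-Content -Path $cfg
$current = $lines | Where-Object { $_ -match $pattern } | Select-Object -First 1
if (-not $current) {
    Write-Output ('{0}: {1} has no local holders, nothing to do' -f $env:COMPUTERNAME, $right)
    return
}
Write-Output ('{0}: removing "{1}"' -f $env:COMPUTERNAME, $current.Trim())

# 3. Blank the value and apply only the user rights area. The export is
#    UTF-16, so the edited template is written back in the same encoding.
$lines | ForEach-Object { if ($_ -match $pattern) { "$right =" } else { $_ } } |
    Set-Content -Path $cfg -Encoding Unicode
secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }

# 4. Verify by exporting again: the right must no longer list any account.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ((Get-Content -Path $cfg) -match $pattern) {
    throw "$right is still assigned after /configure"
}
Write-Output ('{0}: {1} cleared' -f $env:COMPUTERNAME, $right)
```

Microsoft's documentation for this user right states that it has to apply to at least one domain controller to take effect, so on member machines this only cleans up the local assignment.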

