PS without BS: How many times have you joined the domain?

Ever since the beginning of what is today called Active Directory, the default has always been to let "Authenticated Users" join computers to the domain. Authenticated Users is essentially anyone with a domain credential to access the network. This, of course, comes with a trade-off: these "authenticated" users can only join computers to the domain 10 times.

What problem are we trying to solve? I had a customer who was building an OS deployment and was quite pleased with the results until the task sequence failed to join computers to the domain. Of course, it wasn't the task sequence; it was Active Directory rights and permissions.

Of course, this is configurable. You can turn this off completely (through the user rights assignment for the domain) or raise the limit using ADSIEdit. So, how do you know how many times an account has joined the domain? Here's a quick PowerShell snippet which will show the computers joined to the domain, and who did it.

# Requires the ActiveDirectory module (RSAT). The pipe goes at the end of each
# line so the command also parses on Windows PowerShell 5.1, and the attribute
# name is the same on every line.
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID |
    Where-Object -FilterScript { $_."mS-DS-CreatorSID" -ne $null } |
    Format-Table -AutoSize -Property Name,
        @{Label='User'; Expression={ (New-Object System.Security.Principal.SecurityIdentifier($_."mS-DS-CreatorSID".Value)).Translate([System.Security.Principal.NTAccount]).Value }}

How does it know? The mS-DS-CreatorSID attribute on the computer object is populated. So, when does this get populated? For anyone who joins a computer to the domain, unless:
1. They are a member of Domain Admins, giving them unlimited domain joins to anywhere in the domain.
2. They are given delegated rights to the OU in question, giving them unlimited domain joins to the OU.

In either of the above 2 cases, mS-DS-CreatorSID is not populated, and therefore the join doesn't count against the user. This is why you may say, "I've joined computers to the domain 1000 times and it never failed." It's because of one of the above 2 conditions.
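The listing above shows who created each computer object, but the question the task sequence failure actually raises is "how close is each account to the limit?" The following is an added example, not part of the original post: it reads the domain's quota from the ms-DS-MachineAccountQuota attribute on the domain naming context, groups the computer objects by creator SID, and flags any account at or above the quota. It assumes the ActiveDirectory module is loaded and the caller can read computer objects; the function name Get-DomainJoinUsage is made up for this example.

```powershell
# Added example (not from the original post). Counts quota-consuming domain
# joins per creating account and compares them with ms-DS-MachineAccountQuota.
# Assumes: ActiveDirectory module (RSAT) is available and the caller can read
# computer objects and the domain head. Function name is hypothetical.
function Get-DomainJoinUsage {
    [CmdletBinding()]
    param(
        # Domain to inspect; defaults to the current user's domain.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    $domain = Get-ADDomain -Server $Server
    # ms-DS-MachineAccountQuota lives on the domain naming context object.
    $domainHead = Get-ADObject -Server $Server -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota'
    $quota = [int]$domainHead.'ms-DS-MachineAccountQuota'

    # Only objects with mS-DS-CreatorSID set were created under the quota.
    # Joins by Domain Admins or via delegated OU rights leave it empty.
    $creators = Get-ADComputer -Server $Server -Filter * -Properties 'mS-DS-CreatorSID' |
        Where-Object { $_.'mS-DS-CreatorSID' -ne $null } |
        Group-Object -Property { $_.'mS-DS-CreatorSID'.Value }

    foreach ($group in $creators) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($group.Name)
        try {
            # Translate fails for accounts that have since been deleted; keep the SID.
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = "$($group.Name) (unresolved)"
        }

        [pscustomobject]@{
            Account   = $account
            JoinCount = $group.Count
            Quota     = $quota
            # A join by this account will fail once JoinCount reaches the quota.
            AtLimit   = ($quota -gt 0 -and $group.Count -ge $quota)
            Computers = ($group.Group.Name -join ', ')
        }
    }
}

# Usage: show every account that has consumed its quota, most joins first.
Get-DomainJoinUsage | Sort-Object JoinCount -Descending | Format-Table -AutoSize
```

Note that a quota of 0 means Authenticated Users cannot join at all, so the AtLimit column only applies when the quota is positive; an account whose row shows AtLimit as True is the one the task sequence will trip over on its next join.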

Just some random fun from a troubleshooting session that I wanted to share, in case you were wondering why your OS deployment randomly appears to work and then fails to join a computer to the domain.

-- If you like my blogs, please share it on social media, rate it, and/or leave a comment. --