One of the things I still can’t understand is why users should be allowed to join computers to the domain. One Best Practice I always follow is to change the maximum number of machines an authenticated user can join to the domain to ZERO.
Users with permissions to create objects in specific OUs, either as Domain Admins or through delegated rights (use the delegation wizard), will still be able to create computer objects and join computers to the domain.
To accomplish that, follow the procedure below:
ADSIedit > Default Naming Context > “DC=domain,DC=com” > Properties > Attribute Editor:
Set: ms-DS-MachineAccountQuota to 0
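The same check and change done with the ActiveDirectory PowerShell module instead of ADSIedit, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and that the account running it can write to the domain object; before lowering the quota it also lists the computer objects that were created under the quota (those carrying mS-DS-CreatorSID), so you know which machines came from that path.

```powershell
# Added example (not from the original post): audit and set ms-DS-MachineAccountQuota.
# Assumes the RSAT ActiveDirectory module and rights to write the domain head object.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Read the current quota from the domain object (default is 10).
$domainObj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota on $domainDN : $($domainObj.'ms-DS-MachineAccountQuota')"

# 2. List computers that were joined under the quota rather than by a delegated/admin account.
#    mS-DS-CreatorSID is only populated when the creator relied on the quota, not on explicit
#    create permissions, so it identifies exactly the machines this setting governs.
$quotaJoined = Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        # The module may return the attribute as a SecurityIdentifier or as raw bytes; handle both.
        $raw = $_.'mS-DS-CreatorSID'
        $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
               else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
        # Translation fails for deleted accounts; fall back to the SID string.
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
        }
    }

Write-Host "Computer objects created under the quota: $($quotaJoined.Count)"
$quotaJoined | Sort-Object WhenCreated | Format-Table -AutoSize

# 3. Set the quota to 0 so Authenticated Users can no longer create computer objects.
#    Users with explicit create rights (Domain Admins, delegated OUs) are unaffected.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 4. Verify the change was written.
$after = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($after -ne 0) { throw "ms-DS-MachineAccountQuota is $after, expected 0" }
Write-Host "ms-DS-MachineAccountQuota is now $after on $domainDN"
```

Step 2 is read-only and can be run on its own as a periodic check: any new object appearing in that list after the quota is set to 0 means the change was reverted or a domain controller has not replicated it yet.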
ms-DS-MachineAccountQuota stores a numeric value: the number of computers that a user is allowed to join to the domain (more precisely, the number of computer objects that user is allowed to create in the domain). When a machine is joined to the domain, the authenticating Domain Controller searches the domain for all computers previously added by this user and compares that count against the value defined in ms-DS-MachineAccountQuota. If the number of computers created is less than the value defined in ms-DS-MachineAccountQuota, the operation succeeds; if not, it fails. Administrative users and delegated users are exempt from this quota because they have the necessary permissions to create computer objects anywhere in the domain, so the initial permission checks succeed. By default, any authenticated user can join up to ten computers to the domain. This is because Authenticated Users has the right “Join workstations to the domain” by default, and because the default value for ms-DS-MachineAccountQuota is 10. Setting ms-DS-MachineAccountQuota to zero stops authenticated users from joining workstations to the domain.
Requirements: at least Windows Server 2003 domain functional level