Active Directory Domain Join Permissions

As an Active Directory administrator, you have probably been surprised to find new computers joined to your domain that nobody on your team added. By default in Microsoft Windows Server domains, any authenticated user can join a workstation to the domain.

This feature is useful in an environment where strict BYOD policies are set. But for me, it is a threat and may lead to an uncontrolled computer hierarchy.

There are a few ways to avoid this, but the group policy method below is the easiest.

Open Group Policy Management Console (GPMC) and navigate to Domain Controllers OU under your domain.

[Screenshot: Group Policy Management Console]

Right click 'Default Domain Controllers Policy' and choose Edit. Then navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

[Screenshot: User Rights Assignment]

Right click 'Add workstations to domain' and choose Properties. Remove 'Authenticated Users' and add whoever needs to join workstations to the domain. I prefer to keep only Domain Admins.

[Screenshot: Add workstations to domain properties]

That's it! Run gpupdate /force on all your DCs to apply the new policy immediately. This right is assigned in the Default Domain Controllers Policy because the computer account is created on a domain controller, so the DCs are where it has to take effect.
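To confirm the change took effect and to review computers that were joined under the old default, here is an added PowerShell check (my example, not part of the original post). It assumes the ActiveDirectory module is available on a DC or an RSAT host, and that you run it after gpupdate /force; the ms-DS-MachineAccountQuota step is a related control (the per-user cap on computer accounts, default 10) that the post does not cover and is left commented out.

```powershell
# Added example: verify the 'Add workstations to domain' right and audit
# computers joined by ordinary users. Run as a domain admin on a DC.
Import-Module ActiveDirectory

# 1. Effective user right on this DC. After the policy change the line for
#    SeMachineAccountPrivilege should no longer contain S-1-5-11 (Authenticated Users).
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf | Out-Null
Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' | ForEach-Object { $_.Line }

# 2. Related control: the per-user computer account quota (default 10).
#    Assumption: you also want this closed; uncomment Set-ADDomain to enforce it.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
             -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota is currently $quota"
# if ($quota -ne 0) { Set-ADDomain -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0} }

# 3. Computers joined by a non-privileged user under the quota carry
#    mS-DS-CreatorSID (the joining user's SID); joins done with the user right do not.
#    This lists them with the creator resolved, so they can be reviewed or re-homed.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account may have been deleted since
        [PSCustomObject]@{ Computer = $_.Name; JoinedBy = $who; Created = $_.whenCreated }
    } | Sort-Object Created | Format-Table -AutoSize
```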