How to determine which user added a computer to the domain

In Windows NT, only Domain Admins group had the right to add computer accounts to the domain. So, when were prompted to enter a user information while the domain join operation, you had to give an admin’s name and password.

Starting with Windows 2000, ordinary users have the right to add computers to the domain. This right is determined under “Default Domain Controllers Policy”’s Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment section. The right is “Add workstations to domain”. By default, “Authenticated Users”, meaning any user who is authenticated, is assigned to that right.

Ordinary users can add computers to domain but they have an Active Directory Quota, saying that ordinary users can add maximum 10 computers to the domain. This quota can be seen and changed using Adsiedit.msc console. Quota is determined by the ms-DS-MachineAccountQuota attribute on the domain object.

You can prevent ordinary users from adding computers to the domain by changing either one; you can remove Authenticated Users from the “Add workstations to the domain” right (don’t forget to add Domain Admins group in that case), or you can set ms-DS-MachineAccountQuota attribute to 0.

Apart from preventing ordinary user from adding computer to the domain, you may wonder which user added that machine. You can see that info on the Security tab of the computer. If an ordinary user added a computer, then this user is listed in the Access Control List of the computer.

And, you can learn how much quota consumed by a user, using “dsget user” command. For example, the following command displays Tom’s quota info in domain:

dsget user cn=tom,cn=users,dc=kalem,dc=org,dc=tr -part dc=kalem,dc=org,dc=tr –qused

And, you can use dsquery user command to get all the users and pipe this info to dsget user command. By doing so, you can learn all users’ quota info. The command will look like this:

dsquery user | dsget user -part dc=kalem,dc=org,dc=tr -qused –display