Allowing anyone to join an Active Directory domain; Good Thing? Bad Thing? - TechRepublic
Question
March 24, 2008 at 01:32 PM
nonapeptide

by nonapeptide. Updated 18 years, 3 months ago

So, by default any AD user has the right to add 10 computers to the domain. My initial reaction to that factoid caused me to erupt my first sip of coffee all over my monitor. “This is on by DEFAULT?!” I howled as I searched for how to stop that behavior.

A colleague of mine told me to simmer down. His take was that if a user added a machine to the domain, it would allow the domain admins to control it as well as apply all of our GPOs to it, which would (supposedly) be a good thing.

I can see things from that perspective, but I still bristle at the idea. Any opinions that you folks would like to share on this topic? Have you changed that default? Ever had anyone join computers that you were unaware of?

Okay, so if someone plugs a computer into the network, whatever digital ills that machine has are now on the network. If it’s a Windows machine and the person feels compelled to join it to the domain (we have a few savvy users that can and have done that) the computer is now ostensibly under our control (insert ominous laughter here) which should mitigate some of those threats. I guess. Hmmmm. >:-|
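An added example, not part of the original post: a read-only PowerShell audit for the default described above. It reads the domain's `ms-DS-MachineAccountQuota` value and lists computer objects that carry `ms-DS-CreatorSID`, the attribute Active Directory stamps on machine accounts created under that quota. It assumes the RSAT ActiveDirectory module and read access to the domain; the final, commented-out line is the change that sets the quota to 0.

```powershell
# Added example: audit who can join machines to the domain and who already has.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined admin workstation.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Per-user join quota stored on the domain root object (default is 10).
$root  = Get-ADObject -Identity $domain.DistinguishedName `
                      -Properties 'ms-DS-MachineAccountQuota'
$quota = $root.'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Computer accounts created under the quota carry the creator's SID.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
            -Properties 'ms-DS-CreatorSID', whenCreated, operatingSystem |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        try {
            # Resolve the SID to DOMAIN\user; deleted accounts will not resolve.
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $who = "$sid (unresolved)"
        }
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $who
            WhenCreated = $_.whenCreated
            OS          = $_.operatingSystem
            Location    = $_.DistinguishedName
        }
    }

# 3. Full list, oldest first, then a per-user count to spot heavy joiners.
$joined | Sort-Object WhenCreated | Format-Table -AutoSize
$joined | Group-Object CreatedBy | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. To stop ordinary users from joining machines, set the quota to 0 and
#    delegate joins to a specific group instead. Left commented out on purpose.
# Set-ADDomain -Identity $domain.DistinguishedName `
#              -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Machines joined by administrators or by accounts with delegated create rights on an OU do not get `ms-DS-CreatorSID`, so an empty result from step 2 means no quota-based joins, not no joins at all.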
