Запрет пользователям ввод в домен ПК

Оказывается, по умолчанию, в AD каждый пользователь может вводить в домен компьютеры. Т.е. вообще любой пользователь AD может добавить свой личный ноутбук в домен без ведома администратора. Чтобы заблокировать эту возможность, необходимо изменить всего лишь один атрибут.

The number of workstations currently owned by a user is calculated by looking at the ms-DS-CreatorSID attribute of machine accounts.

To modify Active Directory to allow more (or fewer) machine accounts on the domain, use the Adsiedit tool.

WARNING Using Adsiedit incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Adsiedit can be solved. Use Adsiedit at your own risk.

1. Install the Windows Support tools if they have not already been installed. This is necessary only for Windows 2000 and Windows Server 2003. For Windows Server 2008 and Windows Server 2008 R2, Adsiedit is installed automatically when you install the Active Directory Domain Services role.
2. Run Adsiedit.msc as an administrator of the domain. Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.
3. In the Select which properties to view box, click Both. In the Select a property to view box, click ms-DS-MachineAccountQuota.
4. In the Edit Attribute box, type the number of workstations that you want users to be able to maintain concurrently.
5. Click Set, and then click OK.

ссылка

Add workstations to domain