Microsoft KB Archive/824195

= You Cannot Restrict Domain Users Who Have Local Administrator Permissions from Resetting and Registering Computer Accounts =

Article ID: 824195

Article Last Modified on 10/30/2006

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server

SYMPTOMS
You configure computer object permissions in the Active Directory directory service so that users can join their computers to the domain, and you also want to make sure that all of the following restrictions are enforced:
 * Only a domain administrator can register a computer account.
 * Users cannot reset a computer account.
 * Users cannot register a computer account.
 * Users have local Administrator permissions on their own respective computers, and they have Domain Users permissions in the domain.

However, your attempt to enforce these restrictions is unsuccessful. Specifically, users can reset and register the computer account in the domain.



CAUSE
This issue occurs because, if you grant local Administrator permissions to a user, that user has access to the computer account password and can reset or register the computer account in the domain. The computer's password is stored in a local secret location that is fully accessible to the local administrator.

Keywords: kbwinservds kbactivedirectory kbprb KB824195

© Microsoft Corporation. All rights reserved.