Require Minimum OS Before Joining Domain

Craig

Is it possible to prevent client PCs below Windows XP SP2 from joining a
Windows 2003 Active Directory Domain? Specifically Windows 2000.

Craig
 
Ryan Hanisco

Craig,

I would start by controlling the people who are allowed to join workstations
to the domain and make sure they understood the policy.

From there, there is no built-in technical solution to prevent that. You
can, however, redirect all newly joined workstations to an OU rather than to
Computers. You can put a policy on the OU to not allow logon. This means
that an administrator with rights to that OU, you perhaps, will have to move
the workstation into an appropriate OU. At that point you can check the OS
listed.

http://support.microsoft.com/default.aspx/kb/324949

Hope this helps.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


"Craig" wrote:

> Is it possible to prevent client PCs below Windows XP SP2 from joining a
> Windows 2003 Active Directory Domain? Specifically Windows 2000.
>
> Craig
>
 
Herb Martin

"Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
news:6EF6DF44-A439-40E0-B491-D2809C026B6F@microsoft.com...
> Craig,
>
> I would start by controlling the people who are allowed to join
> workstations
> to the domain and make sure they understood the policy.
>
> From there, there is no built-in technical solution to prevent that. You
> can, however, redirect all newly joined workstations to an OU rather than
> to
> Computers. You can put a policy on the OU to not allow logon. This means
> that an administrator with rights to that OU, you perhaps, will have to
> move
> the workstation into an appropriate OU. At that point you can check the
> OS
> listed.
>
> http://support.microsoft.com/default.aspx/kb/324949


(Everything Ryan said) And if you are really serious about this
you could set up a GPO with a WMI filter on OS Version that
made any unapproved stations worthless.

It's evil and might cause you more problems in the long run, and it
isn't really going to stop the joining but it would keep them from
doing it very often.

You could also write a script to test OS version and disable such
accounts.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
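
The script suggested in the post above (test the OS version, disable such accounts) could look like the following. This is an added example, not code from the thread: the OU path is a placeholder, and it assumes the computer accounts carry the `operatingSystemVersion` and `operatingSystemServicePack` attributes in the directory.

```powershell
# Added example (not from the thread). Report-only unless -Disable is given.
param(
    [string]$SearchRoot = 'LDAP://OU=NewComputers,DC=example,DC=com', # placeholder OU
    [switch]$Disable
)

function Test-MeetsMinimumOS {
    param([string]$Version, [string]$ServicePack)
    # operatingSystemVersion looks like "5.1 (2600)"; an empty or unparsable
    # value is treated as unapproved so that it gets reviewed by hand.
    if ($Version -match '^(\d+)\.(\d+)') {
        $major = [int]$Matches[1]; $minor = [int]$Matches[2]
    } else { return $false }
    # operatingSystemServicePack looks like "Service Pack 2"; empty means none.
    $sp = 0
    if ($ServicePack -match '(\d+)') { $sp = [int]$Matches[1] }
    if ($major -ne 5) { return ($major -gt 5) }
    if ($minor -ne 1) { return ($minor -gt 1) }   # 5.0 = Windows 2000
    return ($sp -ge 2)                            # 5.1 = Windows XP
}

$searcher = [adsisearcher]'(objectCategory=computer)'
$searcher.SearchRoot = [adsi]$SearchRoot
$searcher.PageSize = 500
foreach ($attr in 'name','operatingSystem','operatingSystemVersion','operatingSystemServicePack') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    $name = [string]($p['name'] | Select-Object -First 1)
    $os   = [string]($p['operatingsystem'] | Select-Object -First 1)
    $ver  = [string]($p['operatingsystemversion'] | Select-Object -First 1)
    $spk  = [string]($p['operatingsystemservicepack'] | Select-Object -First 1)
    if (Test-MeetsMinimumOS -Version $ver -ServicePack $spk) { continue }

    Write-Output "Below minimum: $name ($os $ver $spk)"
    if ($Disable) {
        $entry = $result.GetDirectoryEntry()
        $uac = [int]$entry.psbase.Properties['userAccountControl'].Value
        # 0x2 is ADS_UF_ACCOUNTDISABLE
        $entry.psbase.Properties['userAccountControl'].Value = $uac -bor 0x2
        $entry.psbase.CommitChanges()
    }
}
```

The OS attributes are populated by the joining computer itself, so treat the output as inventory data for review rather than as an enforcement boundary.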
 
Ryan Hanisco

:) By now everyone here knows that I am a major supporter of the enterprise
corporation rather than the small business trying to run a few PCs. I tend
to think in the abstract thousands rather than the manageable few.

That being said, I certainly support the "evil" maintenance of the few rather
than the possibly harmful trust of a small group of admins. It all comes
down to managing your environment with the appropriate level of control
according to your tolerance for risk!!
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


"Herb Martin" wrote:

>
> "Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
> news:6EF6DF44-A439-40E0-B491-D2809C026B6F@microsoft.com...
> > Craig,
> >
> > I would start by controlling the people who are allowed to join
> > workstations
> > to the domain and make sure they understood the policy.
> >
> > From there, there is no built-in technical solution to prevent that. You
> > can, however, redirect all newly joined workstations to an OU rather than
> > to
> > Computers. You can put a policy on the OU to not allow logon. This means
> > that an administrator with rights to that OU, you perhaps, will have to
> > move
> > the workstation into an appropriate OU. At that point you can check the
> > OS
> > listed.
> >
> > http://support.microsoft.com/default.aspx/kb/324949

>
> (Everything Ryan said) And if you are really serious about this
> you could set up a GPO with a WMI filter on OS Version that
> made any unapproved stations worthless.
>
> It's evil and might cause you more problems in the long run, and it
> isn't really going to stop the joining but it would keep them from
> doing it very often.
>
> You could also write a script to test OS version and disable such
> accounts.
>
>
> --
> Herb Martin, MCSE, MVP
> http://www.LearnQuick.Com
> (phone on web site)
>
>
>
 