Guest Craig
Posted July 4, 2007

Is it possible to prevent client PCs below Windows XP SP2 from joining a Windows 2003 Active Directory Domain? Specifically Windows 2000.

Craig

Guest Ryan Hanisco
Posted July 4, 2007

RE: Require Minimum OS Before Joining Domain

Craig,

I would start by controlling the people who are allowed to join workstations to the domain and make sure they understood the policy.

From there, there is no built-in technical solution to prevent that. You can, however, redirect all newly joined workstations to an OU rather than to Computers. You can put a policy on the OU to not allow logon. This means that an administrator with rights to that OU, you perhaps, will have to move the workstation into an appropriate OU. At that point you can check the OS listed.

http://support.microsoft.com/default.aspx/kb/324949

Hope this helps.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.

"Craig" wrote:

> Is it possible to prevent client PCs below Windows XP SP2 from joining a
> Windows 2003 Active Directory Domain? Specifically Windows 2000.
>
> Craig

Guest Herb Martin
Posted July 4, 2007

Re: Require Minimum OS Before Joining Domain

"Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message news:6EF6DF44-A439-40E0-B491-D2809C026B6F@microsoft.com...

> Craig,
>
> I would start by controlling the people who are allowed to join workstations
> to the domain and make sure they understood the policy.
>
> From there, there is no built-in technical solution to prevent that. You
> can, however, redirect all newly joined workstations to an OU rather than to
> Computers. You can put a policy on the OU to not allow logon. This means
> that an administrator with rights to that OU, you perhaps, will have to move
> the workstation into an appropriate OU. At that point you can check the OS
> listed.
>
> http://support.microsoft.com/default.aspx/kb/324949

(Everything Ryan said) And if you are really serious about this you could set up a GPO with a WMI filter on OS Version that made any unapproved stations worthless.

It's evil and might cause you more problems in the long run, and it isn't really going to stop the joining but it would keep them from doing it very often.

You could also write a script to test OS version and disable such accounts.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
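
A sketch of the script idea raised above, applied to the staging OU from the earlier reply. This is an added example, not code posted by anyone in the thread; the function name, the OU path and the sample records are constructed, and the live query shown in comments assumes the ActiveDirectory PowerShell module.

```powershell
# Decides, from the two attributes AD stores on a computer object, whether
# the machine is at least Windows XP SP2 (version 5.1, Service Pack 2).
function Test-MeetsMinimumOS {
    param(
        [string]$OperatingSystemVersion,      # e.g. "5.1 (2600)"
        [string]$OperatingSystemServicePack,  # e.g. "Service Pack 2"
        [version]$MinVersion = '5.1',
        [int]$MinServicePack = 2
    )
    # Attribute empty or unparsable: report as below minimum so it gets reviewed.
    if ($OperatingSystemVersion -match '^\s*(\d+\.\d+)') {
        $ver = [version]$Matches[1]
    } else {
        return $false
    }
    # Different major.minor: the version alone decides.
    if ($ver -ne $MinVersion) { return ($ver -gt $MinVersion) }
    # Same major.minor as the minimum: the service pack level decides.
    $sp = 0
    if ($OperatingSystemServicePack -match '(\d+)') { $sp = [int]$Matches[1] }
    return ($sp -ge $MinServicePack)
}

# Constructed sample records standing in for Get-ADComputer output.
$sample = @(
    [pscustomobject]@{ Name = 'PC-W2K';   OperatingSystemVersion = '5.0 (2195)'; OperatingSystemServicePack = 'Service Pack 4' }
    [pscustomobject]@{ Name = 'PC-XPSP1'; OperatingSystemVersion = '5.1 (2600)'; OperatingSystemServicePack = 'Service Pack 1' }
    [pscustomobject]@{ Name = 'PC-XPSP2'; OperatingSystemVersion = '5.1 (2600)'; OperatingSystemServicePack = 'Service Pack 2' }
    [pscustomobject]@{ Name = 'PC-NEW';   OperatingSystemVersion = $null;        OperatingSystemServicePack = $null }
)

# Accounts an administrator should not move out of the staging OU.
$belowMinimum = $sample | Where-Object {
    -not (Test-MeetsMinimumOS $_.OperatingSystemVersion $_.OperatingSystemServicePack)
}
$belowMinimum | Select-Object Name, OperatingSystemVersion, OperatingSystemServicePack

# Against a live domain (OU path is a placeholder):
#   Get-ADComputer -SearchBase 'OU=Staging,DC=example,DC=com' -Filter * `
#       -Properties OperatingSystemVersion, OperatingSystemServicePack |
#     Where-Object { -not (Test-MeetsMinimumOS $_.OperatingSystemVersion $_.OperatingSystemServicePack) } |
#     Disable-ADAccount -WhatIf   # remove -WhatIf to actually disable
```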

Guest Ryan Hanisco
Posted July 5, 2007

Re: Require Minimum OS Before Joining Domain

:)

By now everyone here knows that I am a major supporter of the enterprise corporation rather than the small business trying to run a few PCs. I tend to think in the abstract thousands rather than the manageable few.

That being said, I certainly support the "evil" maintenance of the few rather than the possibly harmful trust of a small group of admins. It all comes down to managing your environment with the appropriate level of control according to your tolerance for risk!!

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.

"Herb Martin" wrote:

> "Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
> news:6EF6DF44-A439-40E0-B491-D2809C026B6F@microsoft.com...
> > Craig,
> >
> > I would start by controlling the people who are allowed to join workstations
> > to the domain and make sure they understood the policy.
> >
> > From there, there is no built-in technical solution to prevent that. You
> > can, however, redirect all newly joined workstations to an OU rather than to
> > Computers. You can put a policy on the OU to not allow logon. This means
> > that an administrator with rights to that OU, you perhaps, will have to move
> > the workstation into an appropriate OU. At that point you can check the OS
> > listed.
> >
> > http://support.microsoft.com/default.aspx/kb/324949
>
> (Everything Ryan said) And if you are really serious about this
> you could set up a GPO with a WMI filter on OS Version that
> made any unapproved stations worthless.
>
> It's evil and might cause you more problems in the long run, and it
> isn't really going to stop the joining but it would keep them from
> doing it very often.
>
> You could also write a script to test OS version and disable such
> accounts.
>
> --
> Herb Martin, MCSE, MVP
> http://www.LearnQuick.Com
> (phone on web site)