CCE-93720-1Platform: cpe:/o:microsoft:windows_server_2019 | Date: (C)2020-09-22 (M)2023-07-04 |
Add workstations to domain
This policy setting specifies which users can add computer workstations to a specific domain. For this policy setting to take effect, it must be assigned to the user as part of the Default Domain Controller Policy for the domain. A user who has been assigned this right can add up to 10 workstations to the domain. Users who have been assigned the Create Computer Objects permission for an OU or the Computers container in Active Directory can add an unlimited number of computers to the domain, regardless of whether they have been assigned the Add workstations to a domain user right.
By default, all users in the Authenticated Users group have the ability to add up to 10 computer accounts to an Active Directory domain. These new computer accounts are created in the Computers container.
When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Parameter:
[default]
Technical Mechanism:
(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment!Add workstations to domain
(2) WMI: root
sopcomputer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeMachineAccountPrivilege' and precedence=1
CCSS Severity: | CCSS Metrics: |
CCSS Score : 9.1 | Attack Vector: NETWORK |
Exploit Score: 2.3 | Attack Complexity: LOW |
Impact Score: 6.0 | Privileges Required: HIGH |
Severity: CRITICAL | User Interaction: NONE |
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | Scope: CHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:56737 |