Add workstations to domain

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting.

Reference

This policy setting determines which users can add a computer to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain.

Adding a computer account to the domain allows the computer to participate in Active Directory-based networking.

This policy setting is supported on versions of Windows that are designated in the Applies To list at the beginning of this topic.

Possible values

User-defined list of accounts

Best practices

1. Configure this setting so that only authorized members of the IT team are allowed to add computers to the domain.

Location

Computer Configuration\Windows Settings\Security Settings\User Rights Assignment\

Default values

By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers.

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.

Server type or GPO

Default Domain Policy

Default Domain Controller Policy

Stand-Alone Server Default Settings

Domain Controller Effective Default Settings

Member Server Effective Default Settings

Client Computer Effective Default Settings

Operating system version differences

There are no differences in the way this policy setting works between the supported versions of Windows that are designated in the Applies To list at the beginning of this topic.

Policy management

Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of computers to the domain regardless of whether they have the Add workstations to domain user right.

Furthermore, computer accounts that are created by means of the Add workstations to domain user right have Domain Administrators as the owner of the computer account. Computer accounts that are created by means of permissions on the computer’s container use the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstation to domain user right, the computer is added based on the computer container permissions rather than the user right.

A restart of the computer is not required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy

Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

Local policy settings

Site policy settings

Domain policy settings

OU policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Security considerations

This policy has the following security considerations:

Vulnerability

The Add workstations to domain user right presents a moderate vulnerability. Users with this right could add a computer to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative privileges on their computers, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group.

Countermeasure

Configure this setting so that only authorized members of the IT team are allowed to add computers to the domain.

Potential impact

For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own computers, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and then added to the domain.

What is Windows 10 Pro for Workstations and How to Upgrade

There is a new member of the Windows 10 family called Windows 10 Pro for Workstations. The latest edition inherits features previously found in the standard Windows 10 Pro such as the Resilient File System. Microsoft is targeting this edition at its customers with the most demanding requirements such as those working in science and engineering. For example, one of the high-end capabilities found in Windows 10 Pro for Workstations is the ability to address up to 6 TBs of RAM. Meanwhile, Windows 10 Pro 64 bit, tops out at 2 TBs. In this article, we’ll take a look at whats in it and how to determine if is it right for you and how you can get it.

What’s included in Windows 10 Pro for Workstations?

Features exclusive to Windows 10 Pro for Workstations include the Resilient File System (first introduced in Windows 8); persistent memory; faster file sharing through SMB Direct; and support for the latest high-end workstation processors from Intel and AMD. Here’s a summary from the Windows Blog:

• ReFS (Resilient file system): ReFS provides cloud-grade resiliency for data on fault-tolerant storage spaces and manages very large volumes with ease. ReFS is designed to be resilient to data corruption, optimized for handling large data volumes, auto-correcting and more. It protects your data with integrity streams on your mirrored storage spaces. Using its integrity streams, ReFS detects when data becomes corrupt on one of the mirrored drives and uses a healthy copy of your data on the other drive to correct and protect your precious data.
• Persistent memory: Windows 10 Pro for Workstations provides the most demanding apps and data with the performance they require with non-volatile memory modules (NVDIMM-N) hardware. NVDIMM-N enables you to read and write your files with the fastest speed possible, the speed of the computer’s main memory. Because NVDIMM-N is non-volatile memory, your files will still be there, even when you switch your workstation off.
• Faster file sharing: Windows 10 Pro for Workstations includes a feature called SMB Direct, which supports the use of network adapters that have Remote Direct Memory Access (RDMA) capability. Network adapters that have RDMA can function at full speed with very low latency while using very little CPU. For applications that access large datasets on remote SMB file shares, this feature enables:
  • Increased throughput: Leverages the full throughput of high speed networks where the network adapters coordinate the transfer of large amounts of data at line speed.
  • Low latency: Provides extremely fast responses to network requests, and, as a result, makes remote file storage feel as if it is directly attached storage.
  • Low CPU utilization: Uses fewer CPU cycles when transferring data over the network, which leaves more power available to other applications running on the system.
• Expanded hardware support: One of the top pain points expressed by our Windows Insiders was the limits on taking advantage of the raw power of their machine. Hence, we are expanding hardware support in Windows 10 Pro for Workstations. Users will now be able to run Windows 10 Pro for Workstations on devices with high performance configurations including server grade Intel Xeon or AMD Opteron processors, with up to 4 CPUs (today limited to 2 CPUs) and add massive memory up to 6TB (today limited to 2TB).Source

How do you upgrade to Windows 10 Pro for Workstations?

The sound of Windows 10 Pro for Workstation features might make you think it’s out of reach for mere mortals, but it’s actually quite accessible. Users needing its unique features will be able to acquire it multiple ways. Of course, the easiest option is through one of Microsoft’s hardware partners such as Dell, HP or Lenovo. But for users who might have an existing system, you can get it through a couple other channels.

Users can upgrade to Windows 10 Pro for Workstations from the new Microsoft Store app. Open the Store, search for Pro, then click the result Windows 10 Pro for Workstations.

The cost to upgrade will vary. A full license will cost about $205, while an upgrade from Home or Pro will go for about $125.

If you are subscribed to Microsoft’s Visual Studio Subscriptions, you can download an ISO image containing the install files for Windows 10 Pro for Workstation. I did this, but I soon discovered that there is no actual specific option to choose Windows 10 Pro for Workstations during setup. The features are actually enabled as an add-on using the standard Windows 10 1709 image.

So, the first thing you will need to do is install Windows 10 Home or Pro Fall Creators Update version 1709. Next, grab a key from your MSDN subscription for Windows 10 Pro for Workstations.

Microsoft also notes on its software download page that you will need to first reinstall Windows 10 Pro if you plan on reinstalling Windows 10 Pro for Workstations. You will then be able to upgrade again through the new Microsoft Store app.

In Windows 10 Pro, open Start > Settings > Update & security > Activation.

Click the link to Change the product key, enter the product key then click Next.

Voila! Your installation is automatically transformed into Windows 10 Pro for Workstations. I didn’t even need to reboot. It turns out this edition is about enabling features, not fundamental changes to the operating system itself.

For users just curious to see what’s different in this particular edition and how it performs, you can try it out in an unactivated state. Microsoft documentation provides diagnostic keys for Windows 10 Pro for Workstation you can use to upgrade an existing installation.

How Does it Compare to Windows 10 Enterprise?

Windows 10 Pro for Workstations is not a superset of Enterprise—they are on par with each other and Microsoft plans to provide the same features in it to customers running that edition. For those who don’t know, Windows 10 Enterprise is a volume license client, available to organizations that deploy Windows 10 to hundreds or thousands of devices.

So, that’s how you can get Microsoft’s latest edition on your device. You won’t see any striking benefits on average machines. This is really for a specialized market where the hardware takes precedence. Everyday users and enthusiasts are best served by existing editions such as Home and Pro. Windows 10 Pro, in particular, is advantageous because of its numerous built-in controls, especially for services like Windows Update.

There you have it, Microsoft’s new powerful edition of Windows 10 for systems that need it. Let us know in the comments if you have a need for such an edition.

Windows 10 Pro for Workstations: что за редакция, как установить и активировать

После релиза масштабного апдейта April 2018 Update для Win10 в её официальном дистрибутиве появилась относительно новая редакция ОС — Pro for Workstations. Относительно новая потому, что о ней было известно ещё на этапе подготовки Fall Creators Update — предыдущего масштабного апдейта. Но тогда она в состав редакций официального дистрибутива не попала. Её можно было заполучить только по платной подписке путём обновления из текущих редакций Win10.

Теперь же эту редакцию можно установить с нуля из дистрибутива April 2018 Update . При этом у нас появляется возможность отложить на этапе установки ввод лицензионного ключа. И, соответственно, прежде его покупки протестировать работу специфической системы. Ниже рассмотрим, что это за редакция такая, как её установить и активировать.

1. Редакция Win10 для мощных компьютеров

Pro for Workstations (рус. для рабочих станций) – это подредакция редакции Pro (Профессиональная) «Десятки», заточенная под выжимку максимальной производительности компьютеров с мощным железом. Это касается, в частности, серверов и профессиональных компьютерных сборок.

Обеспечивается такой максимум производительности поддержкой некоторого оборудования и дополнительными функциональными возможностями, отсутствующими в прочих редакциях Win10. Ключ активации такой специфической редакции в магазине Microsoft Store стоит 21 899 руб. Для сравнения: в том же магазине ключ обычной Win10 Pro можно приобрести за 14 199 руб.

Pro for Workstations поставляется только для 64-битных систем. Для её использования необходимо загрузить на сайте Microsoft дистрибутив с внедрённым April Creators Update . И установить так же, как и обычную «Десятку», только с выбором на определённом этапе редакции с названием «Pro для рабочих станций».

Но что такого особенного в этой редакции, что она стоит на треть дороже обычной Pro?

2. Поддержка оборудования

Pro for Workstations может работать максимум с 4-мя процессорами и оперативной памятью до 6 Тб. Для сравнения: обычная Win10 Pro может использовать до 2-х процессоров и до 2 Тб ОЗУ. В числе поддерживаемых редакцией устройств – NVDIMM , современная энергонезависимая ОЗУ, способная сохранять данные при внезапном отключении электропитания.

А какие у Pro for Workstations функциональные особенности?

3. Предустановленные UWP-приложения

С виду Pro for Workstations это обычная Win10, которая традиционно устанавливается с продвигаемым контентом из Microsoft Store. Вот только среди UWP -приложений не обнаружим игр и развлечений, весь предустановленный из магазина контент – полезный. По мнению Microsoft, конечно же.

В числе предустановленных UWP-приложений:

• Code Writer — редактор программного кода;
• Органайзер Eclipse Manager;
• Приложение для диагностики скорости работы сети;
• Рисовалка Fresh Paint;
• Duolingo — клиент платформы для обучения иностранным языкам;
• И прочие.

4. SMB Direct

В Pro for Workstations входит системный компонент SMB Direct – наследие серверных Windows. Это технология увеличения производительности сети без нагрузки на процессор. Применяется в условиях использования специальных сетевых устройств с функцией RDMA .

5. ReFS

Pro for Workstations на сегодняшний день является единственной редакцией в линейке десктопных Windows с поддержкой ReFS — отказоустойчивой файловой системы. Одно время ReFS была реализована в обычных редакциях Win10 Pro, и в неё можно было форматировать несистемные диски. Но впоследствии эта возможность из обычной Win10 Pro исчезла. И стала одной из основных фишек Pro for Workstations. ReFS базируется на NTFS и является её эволюционным продолжением.

• предельный размер файла — 18,3 Эб;
• предельный размер раздела диска — 402 Эб;
• предельное количество знаков в имени и пути файла – 32767 шт.

Тогда как у NTFS эти значения составляют 16 Тб, 18,4 Эб и 255 шт. соответственно.

Но куда большими преимуществами ReFS считаются её большая надёжность в плане сохранности данных и лучшая производительность.

6. Новая схема электропитания

Новшество Pro for Workstations, которое появилось недавно, в проекте подготовки к April 2018 Update – новая схема электропитания, заточенная, опять же, под максимальную производительность компьютеров. При открытии системных схем электропитания

в этой редакции обнаружим не привычные три схемы, а четыре — с новой «Максимальная производительность».

Новая схема доступна только для стационарных устройств. Её эффект достигается за счёт прямого доступа к аппаратной части компьютера и, как следствие, снижения микрозадержек.

7. Как приобрести ключ и активировать

Pro for Workstations, как упоминалось, поставляется теперь как обычная другая редакция Win10. Следовательно, механизм приобретения её ключа и активации такой же, как и у других редакций. Идём в штатные параметры и кликаем ссылку активации.

Если ключ этой редакции уже есть, жмём опцию его изменения и вводим его.

Если ключа нет, в этом же разделе нажимаем «Устранение неполадок».

Отправляемся в Microsoft Store.

И вводим его в форму изменения ключа, как показано выше.