Domain Controller: Add workstations to domain user right must only be assigned to the Administrators group on domain controllers

e88ec1dd-3e44-424f-930e-fde45ff8192b

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

Accounts with the "Add workstations to domain" right may add computers to a domain. This could result in unapproved or incorrectly configured systems being added to a domain.

Remediation

To fix this, configure the policy value for
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Local Policies
|_ User Rights Assignment
|_ Add workstations to domain
to include only the following accounts or groups:

  • Administrators
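
One way to audit this setting from an elevated PowerShell prompt on a domain controller, as an added example that is not part of the original check. It parses a secedit user-rights export for SeMachineAccountPrivilege (the constant name of "Add workstations to domain") and flags any holder other than S-1-5-32-544 (BUILTIN\Administrators). The function names and the sample export lines are constructed for illustration.

```powershell
# Added example (not EventSentry's own code): audit "Add workstations to domain".
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$AllowedSids = @('S-1-5-32-544')

function Get-MachineAccountPrivilegeHolders {
    param([string[]]$InfLines)
    # secedit writes one line per right, e.g.
    #   SeMachineAccountPrivilege = *S-1-5-32-544,*S-1-5-11
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeMachineAccountPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }          # line absent: right assigned to nobody
    $value = ($line -split '=', 2)[1]
    # SIDs carry a leading '*'; entries without it are account names.
    $value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Test-AddWorkstationsRight {
    param([string[]]$InfLines)
    $holders = @(Get-MachineAccountPrivilegeHolders -InfLines $InfLines)
    # Anything that is not the Administrators SID is reported, including
    # plain account names, which need manual review.
    $extra = @($holders | Where-Object { $_ -notin $AllowedSids })
    [pscustomobject]@{
        Compliant  = ($extra.Count -eq 0)  # assumption: an empty assignment is not a finding
        Holders    = $holders
        Unexpected = $extra
    }
}

# Constructed sample export: Administrators plus Authenticated Users (S-1-5-11).
$sample = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeMachineAccountPrivilege = *S-1-5-32-544,*S-1-5-11',
    'SeBackupPrivilege = *S-1-5-32-544'
)
Test-AddWorkstationsRight -InfLines $sample   # Compliant = False, Unexpected = S-1-5-11

# Live check on the domain controller (requires elevation):
#   $cfg = Join-Path $env:TEMP 'user_rights.inf'
#   secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
#   Test-AddWorkstationsRight -InfLines (Get-Content $cfg)
```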

STIG: Server
2025: https://system32.eventsentry.com/stig/viewer/V-278166
2022: https://system32.eventsentry.com/stig/viewer/V-254419
2019: https://system32.eventsentry.com/stig/viewer/V-205744
2016: https://system32.eventsentry.com/stig/viewer/V-224998

NIST 800-53 : AC-3, AC-6, CM-5, CM-6
NIST 800-171: 3.1.1, 3.1.2, 3.4.5, 3.4.6
CMMC v2.0 L2: AC.L2-3.1.1, AC.L2-3.1.2, CM.L2-3.4.5, CM.L2-3.4.6
PCI-DSS v4.0: 2.2.1, 7.2.1
HIPAA SR : §164.312(a)(1)
HIPAA HICP : Practice 3 (Identity and Access Management), Practice 5 (Asset Management)