Active Directory Health Check

PingCastle does a really nice report on where the problems with active directory are with great descriptions of how to fix each problem. Can’t recommend this enough.

Did you know that any member of Authenticated users can add workstations to the domain by default?!? Change this in the Default Domain Controllers AD policy. (changing it the Default Domain policy won’t fix the problem)

Computer Configuration\Windows Settings\Security Settings\(Local Policies)\User Rights Assignment\Add workstations to domain

Ref https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain