TIP: Stop users from adding their own computers to your Windows domain.
By default, when a Windows domain is created, every authenticated user is granted the "Add workstations to domain" user right and can join up to ten computers to the domain (into the Computers container) without holding any other privilege. The user who performs the join becomes the creator of the resulting computer object and can modify it afterwards, so this is a security risk and you should probably do something about it.
This ten-computer limit is governed by the ms-DS-MachineAccountQuota attribute on the domain naming context (the dc=[domain],dc=[com] object). You can reduce it to zero, so that only principals with explicitly delegated "Create Computer objects" rights can join machines, by following the steps below:
- Open ADSI Edit from the Administrative Tools folder.
- Right-click ADSI Edit and choose Connect To.
- In the Connection Point section, choose Select A Well Known Naming Context and, from the drop-down list, choose Default Naming Context.
- Click OK.
- Expand Default Naming Context.
- Right-click the domain object (for example dc=[domain],dc=[com]) and choose Properties.
- Select ms-DS-MachineAccountQuota and click Edit.
- Type 0.
- Click OK.
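The same change done from PowerShell, with a verification step and an audit of computer accounts that were joined under the quota. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and you are running it as a Domain Admin.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module
# and Domain Admin rights. Sets ms-DS-MachineAccountQuota to 0 and verifies it.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# Read the current value (10 on a freshly created domain).
$before = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota on $dn : $before"

# Write the attribute directly on the domain naming context head.
Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Verify the write took effect.
$after = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($after -ne 0) { throw "ms-DS-MachineAccountQuota is still $after" }
Write-Host "ms-DS-MachineAccountQuota is now $after"

# Audit: computer accounts that were created under the quota carry mS-DS-CreatorSID,
# the SID of the unprivileged user who joined them. Accounts created by principals that
# hold explicit "Create Computer objects" rights do not have this attribute set.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The attribute comes back as a byte array; convert it to a SID object.
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$raw
        }
        # Resolve to an account name; the creator may have been deleted since.
        $creator = try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            "$sid (unresolved)"
        }
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $creator; DN = $_.DistinguishedName }
    } | Format-Table -AutoSize
```

The audit list is worth reviewing after lowering the quota: lowering it stops new quota-based joins, but existing computer objects keep their original creator, who retains rights over them until ownership and the ACL are cleaned up.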
UPDATE: Remember that a failover cluster's Cluster Name Object (CNO) creates Virtual Computer Objects (VCOs) for the clustered roles, and that with the quota at zero it can no longer rely on the default allowance. Grant the CNO the "Create Computer objects" permission on the OU where the VCOs are created (or pre-stage the VCOs yourself), or the cluster will fail to create those computer accounts.
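Delegating that permission from PowerShell, as an added example that is not part of the original post. The OU path and cluster name are placeholders; the script assumes the ActiveDirectory module, Domain Admin rights, and that the CNO already exists in the domain.

```powershell
# Added example (not from the original post). Grants a cluster's CNO the right to create
# computer objects in one OU, which is what it needs to create VCOs once
# ms-DS-MachineAccountQuota is 0. OU and cluster names below are placeholders.
Import-Module ActiveDirectory

$ouDn       = 'OU=Clusters,DC=example,DC=com'   # placeholder: OU where the VCOs will be created
$clusterNam = 'CLUSTER01'                       # placeholder: the cluster's CNO (sAMAccountName without the $)

$cno = Get-ADComputer -Identity $clusterNam
$sid = [System.Security.Principal.SecurityIdentifier]$cno.SID

# schemaIDGUID of the 'computer' class. Scoping the CreateChild ACE to this GUID grants
# "Create Computer objects" only, rather than "Create all child objects".
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list the ACEs on the OU that belong to the CNO.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq "$($cno.SID)" -or
                   $_.IdentityReference.Value -like "*\$($cno.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType |
    Format-Table -AutoSize
```

Keep the grant as narrow as the verification output shows: one OU, one object class, no inheritance. Granting the CNO rights on the Computers container or the domain head would reintroduce, for that one account, a larger version of the problem the quota change was meant to remove.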