Active Directory: Prevent any user from joining the Domain.
- Open the Group Policy Management Console (Start > Run > gpmc.msc).
- Locate the Domain Controllers OU and find the Default Domain Controllers Policy.
- Edit the Default Domain Controllers Policy.
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment.
- In the right pane, right-click the “Add workstations to domain” policy and remove Authenticated Users. Add the specific user(s) or group(s) to which you want to delegate permission to join computers to the domain. In your organization, this may be a certain service account or ADM-level account.
- Click Apply and then OK to close the Properties window.
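
To confirm the change took effect, the following added PowerShell example (not part of the original page) parses a GPO security template and lists who holds SeMachineAccountPrivilege, the internal name of the “Add workstations to domain” right. The function name, the sample template and the SIDs in it are constructed for illustration.

```powershell
# Added example: audit who holds "Add workstations to domain"
# (SeMachineAccountPrivilege) in a GPO security template (GptTmpl.inf).

# Well-known SIDs that would let almost any account join computers.
$BroadSids = @('S-1-1-0',        # Everyone
               'S-1-5-11',       # Authenticated Users
               'S-1-5-32-545')   # BUILTIN\Users

function Get-AddWorkstationsRight {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$InfLines)

    # Rights are stored as: SeMachineAccountPrivilege = *SID,*SID,name
    $line = $InfLines | Where-Object { $_ -match '^\s*SeMachineAccountPrivilege\s*=' } |
            Select-Object -First 1
    if (-not $line) {
        Write-Warning 'Right is not defined in this GPO; another policy or the local default applies.'
        return
    }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }          # empty value: nobody holds the right
        $sid = $null; $name = $entry
        if ($entry.StartsWith('*')) {
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).
                        Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' } # e.g. the constructed domain SID below
        }
        [pscustomobject]@{
            Sid      = $sid
            Name     = $name
            # Also flag Domain Users (domain SID ending in RID 513).
            TooBroad = ($sid -in $BroadSids) -or ($sid -match '^S-1-5-21-.+-513$')
        }
    }
}

# Constructed sample template: Authenticated Users is still present.
$sample = @'
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544
'@ -split "`r?`n"
Get-AddWorkstationsRight -InfLines $sample | Format-Table -AutoSize

# On a domain-joined machine, read the live template instead. The GUID is the
# fixed, well-known ID of the Default Domain Controllers Policy:
# $d = $env:USERDNSDOMAIN
# Get-AddWorkstationsRight (Get-Content "\\$d\SYSVOL\$d\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf")
```

Any row with TooBroad set to True means a broad group still holds the right; after the steps above, only the delegated account(s) or group(s) should be listed.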