Restrict Domain Joining to Admin Users Only
Only authorised users can add computers to the network to maintain security.
Plain language
This rule ensures that only the right people, usually the IT folks with special permissions, can connect new computers to your company's network. It matters because if anyone could add devices, it could allow hackers to sneak in with unsafe computers and potentially cause data breaches or system failures.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Unprivileged user accounts cannot add machines to the domain.
Why it matters
Allowing unprivileged users to join devices can add untrusted hosts to the domain, enabling unauthorised access and increasing malware risk.
Operational notes
Audit domain-join rights (e.g., AD 'Add workstations to domain') and restrict to approved admin groups; monitor domain-join events for misuse.
Implementation tips
- IT Manager should identify authorised personnel: Make a list of who in the IT team is allowed to add computers to the network. This list should only include people with the right skills and trust level.
- System Administrator should configure settings: Adjust the network settings so that only accounts with admin rights can add new devices. This typically involves setting permissions in the Active Directory panel.
- HR should coordinate with IT for departures: When someone leaves the organisation, ensure that their admin rights are evaluated and revoked if necessary. Communicate clearly with IT to maintain updated access controls.
- Management should support IT policy updates: Approve and promote the policy that states only authorised users can add devices to the network. Make sure everyone understands why this rule is crucial for security.
- IT Team should provide training: Educate authorised users on the process of adding devices and the security risks involved. Regularly update this training to include any new security measures or technological changes.
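The audit described in the operational notes above and the Active Directory configuration step in the implementation tips, as an added PowerShell example that is not part of the Control Stack page or the ISM: it reads the domain's ms-DS-MachineAccountQuota (the setting that lets any authenticated user join machines), lists identities other than the approved group that hold Create Child rights for computer objects on the default Computers container, and reviews Security event 4741 (computer account created) for joins performed by accounts outside that group. It assumes the RSAT ActiveDirectory module, read access to the Security log of a domain controller with "Audit Computer Account Management" enabled, and uses Domain Admins as a stand-in for the organisation's approved admin group.

```powershell
# Added example (not from the Control Stack page or the ISM).
# Assumptions: RSAT ActiveDirectory module is installed; run on or against a domain
# controller; 'Domain Admins' stands in for the organisation's approved admin group.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$domainDN      = $domain.DistinguishedName
$approvedGroup = 'Domain Admins'   # replace with the organisation's approved group

# 1. ms-DS-MachineAccountQuota: how many machines ANY authenticated user may join.
#    The Windows default is 10; this control requires that unprivileged users get none.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota: unprivileged users can still join $quota machines each."
    # Remediation (requires Domain Admin rights); uncomment to apply:
    # Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
}

# 2. Who has been delegated the right to create computer objects in the Computers
#    container? Allow ACEs granting CreateChild for the computer class (schema GUID
#    bf967a86-0de6-11d0-a285-00aa003049e2) or for all child classes, held by anyone
#    other than the approved group or SYSTEM, are findings to review.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$allowedIdentities = @("$($domain.NetBIOSName)\$approvedGroup", 'NT AUTHORITY\SYSTEM')
$acl = Get-Acl -Path "AD:\$($domain.ComputersContainer)"
$unexpectedGrants = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'CreateChild' -and
    ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [guid]::Empty) -and
    $allowedIdentities -notcontains $_.IdentityReference.Value
}
$unexpectedGrants | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# 3. Review domain-join events from the last 30 days. Event 4741 is logged on the DC
#    that created the computer account; the Subject fields name the account that
#    performed the join. Requires 'Audit Computer Account Management' to be enabled.
$approvedJoiners = (Get-ADGroupMember -Identity $approvedGroup -Recursive).SamAccountName
$since = (Get-Date).AddDays(-30)
$joins = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull named fields out of the event XML rather than relying on Properties[] order.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            JoinedBy = $d.SubjectUserName
            Domain   = $d.SubjectDomainName
            Computer = $d.TargetUserName
        }
    }

# Joins by anyone outside the approved group are the evidence the audit tips ask for.
$joins | Where-Object { $approvedJoiners -notcontains $_.JoinedBy } |
    Sort-Object Time | Format-Table Time, Domain, JoinedBy, Computer -AutoSize
```

The quota check is the part most often missed: the "Add workstations to domain" user right and the ACL on the Computers container are separate from ms-DS-MachineAccountQuota, and a non-zero quota lets ordinary users join machines even when neither of the other two grants them anything. Keep the 4741 review running on a schedule (or feed the same logic to a SIEM) so the access-review report in the audit tips has evidence behind it.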
Audit / evidence tips
- Ask: the list of authorised users. Request to see the document or system record showing who is permitted to join devices to the domain.
- Good: the list matches the permissions in the system, with documented approvals for each user.
- Ask: policy documents. Request the written policy that outlines this access restriction.
- Good: a clear policy document, recent training records, and a regular review schedule.
- Ask: a recent access review report. Request a report showing when permissions were last checked and updated.
- Good: the report shows timely updates, with any discrepancies resolved.
- Ask: logs of device joins. Request logs that show who added which devices to the network.
- Good: logs only show authorised users performing actions relevant to their roles.
Cross-framework mappings
How ISM-1841 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.15 | ISM-1841 requires restricting the ability to join computers to a domain so that unprivileged users cannot perform domain joins | |
| Annex A 8.3 | ISM-1841 requires that only authorised users can add computers to the domain, preventing unprivileged accounts from joining machines | |
| Supports (1) | | |
| Annex A 5.18 | ISM-1841 requires that only authorised users can join devices to the domain, which is an access right that must be tightly controlled | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-RA-ML1.2 | ISM-1841 requires that unprivileged user accounts cannot add machines to the domain (i.e | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.