
We need to test if customer PCs/laptops meet certain criteria, and one of them is that they must have a device that's domain joined - no home users, no serverless non-domain scenarios.

With Azure, the way to check is to query dsregcmd /status | find /I "AzureAdJoin", then look for the result, which can be piped out to a file.

Won't do it - it does not produce any result unless it's in a batch file that runs by clicking the .bat file. Calling the batch file, no dice.

For non-Azure/traditional server machines, piece of cake. The app checks whether it's domain joined or not and errors out if not. But someone could have a corp laptop that is Azure but not "domain joined", no AD, so effectively a BYOD device or other not-really-domain machine.

Is there a way...or am I missing something? We don't want some intern on a BYOD machine being able to use software that's meant for admins with full domain access.

  • If the real condition is full domain access, then why not check whether they actually have access to some specific AD resource instead? Commented Jul 24, 2022 at 13:43
  • @user1686 Such as what? These are not customers we site visit, nor do we have prerequisites other than a supported Windows client OS. Not snark, but what would that be in your judgement? Is a check of Win32_ComputerSystem enough when it comes to Azure AD joined? We do check that. – SKidd, Jul 24, 2022 at 13:50
  • Addendum: would finding this be proof (even though it can be manually added, so not bulletproof)? HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo – SKidd, Jul 24, 2022 at 13:58
  • Well, you say that the program is meant for Domain Admins, so I assume it does something that requires Domain Admin privileges? In that case, what harm would there be in "some intern on a BYOD machine" opening the app, if they already have no AD-level privileges to do anything through it? Alternatively -- if the program requires AD specifically, why not try to retrieve some data from the AD directory (e.g. look up the rootDSE entry, which is universally present and accessible), and if the lookup fails that implies it's a non-AD machine? Commented Jul 24, 2022 at 16:15
  • (And, frankly, a broad "is the machine AD-joined" condition can never be bulletproof because if said 'intern' cares enough, they can just set up AD for free at home...) Commented Jul 24, 2022 at 16:15
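
As an added example, not code from the question or from any commenter, the PowerShell below gathers every signal discussed in the question and the comments in one place: the dsregcmd /status output, Win32_ComputerSystem, the CloudDomainJoin\JoinInfo registry key, and the live rootDSE lookup suggested in the comments. It assumes Windows 10/11 with dsregcmd.exe present; the function names are mine, and the dsregcmd key names it parses (AzureAdJoined, DomainJoined) are the lines in the "Device State" section, which is also why the question's find /I "AzureAdJoin" matches. It then applies the policy the question wants: allow only devices joined to on-prem AD (plain or hybrid) that can currently reach a domain controller, and reject Azure AD-only and workgroup machines.

```powershell
# Added example, not from the question or comments. Assumes Windows 10/11 with
# dsregcmd.exe; function names are mine. No single signal here is bulletproof:
# a local admin can create the registry key by hand, and as the comments note a
# determined user can stand up their own AD at home.

function Get-DsregStatus {
    # dsregcmd has no API, so run it directly and parse its "Key : Value" lines.
    # Invoking the exe from PowerShell (rather than a .bat via cmd.exe) hands the
    # text back to the caller, which sidesteps the empty-output problem above.
    $status = @{}
    $output = & dsregcmd.exe /status 2>$null
    foreach ($line in $output) {
        # Keys include AzureAdJoined, DomainJoined, DomainName, TenantName.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-DomainJoinEvidence {
    $ds = Get-DsregStatus
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Registry key asked about in the comments. Present on Azure AD joined
    # devices, but anyone with local admin rights can create it, so hint only.
    $cloudJoinKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'

    # Live AD probe from the comments: bind to rootDSE, which every domain
    # controller exposes and any authenticated domain principal can read.
    # RefreshCache() forces the bind and throws when no DC can be contacted.
    $namingContext = $null
    try {
        $rootDse = [ADSI]'LDAP://RootDSE'
        $rootDse.psbase.RefreshCache()
        $namingContext = [string]$rootDse.defaultNamingContext
    } catch {
        $namingContext = $null
    }

    [pscustomobject]@{
        DsregAzureAdJoined  = $ds['AzureAdJoined']    # 'YES' on Azure AD joined or hybrid devices
        DsregDomainJoined   = $ds['DomainJoined']     # 'YES' only when joined to on-prem AD
        CimPartOfDomain     = [bool]$cs.PartOfDomain  # $false on Azure AD-only and workgroup machines
        CimDomain           = $cs.Domain              # AD DNS name, or the workgroup name
        CloudJoinKeyPresent = Test-Path -Path $cloudJoinKey
        AdReachable         = -not [string]::IsNullOrEmpty($namingContext)
        AdNamingContext     = $namingContext          # e.g. DC=corp,DC=example,DC=com (hypothetical)
    }
}

function Get-DeviceJoinType {
    param([Parameter(Mandatory)] $Evidence)
    # Classify from the two dsregcmd flags, cross-checked against WMI so that a
    # forged dsregcmd.exe on PATH cannot claim an AD join on its own.
    $aad = $Evidence.DsregAzureAdJoined -eq 'YES'
    $ad  = ($Evidence.DsregDomainJoined -eq 'YES') -and $Evidence.CimPartOfDomain
    if ($ad -and $aad) { return 'HybridAzureAdJoined' }
    if ($ad)           { return 'DomainJoined' }
    if ($aad)          { return 'AzureAdJoinedOnly' }   # the BYOD-like case the question worries about
    return 'Workgroup'
}

function Test-AdminToolPrerequisite {
    param([Parameter(Mandatory)] $Evidence)
    # Policy for the tool in the question: on-prem AD join (plain or hybrid) AND a
    # reachable domain controller. Azure AD-only devices fail regardless of
    # whether the CloudDomainJoin key exists.
    $joinType = Get-DeviceJoinType -Evidence $Evidence
    return ($joinType -in 'DomainJoined', 'HybridAzureAdJoined') -and $Evidence.AdReachable
}

$evidence = Get-DomainJoinEvidence
$evidence | Format-List
'Join type : {0}' -f (Get-DeviceJoinType -Evidence $evidence)
'Allowed   : {0}' -f (Test-AdminToolPrerequisite -Evidence $evidence)
```

If the application doing the check is compiled rather than scripted, the equivalent is to start dsregcmd.exe directly with standard output redirected instead of calling a batch file, and to perform the rootDSE bind through System.DirectoryServices. The rootDSE probe is the check the comments argue for: it proves the machine can currently authenticate to a domain controller, which a forged registry key or a stale WMI value cannot, though it still cannot distinguish a corporate domain from one the user built at home.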
