Most of you know that authenticated users are limited to joining 10 machines to a domain. Raising the limit, or removing it, is a very simple thing to do; however, every time someone asks me, I have to go back and look it up again. At least if I have it on my own blog, I'll know where to start looking next time.
The Active Directory attribute you need to change is ms-DS-MachineAccountQuota, which is a property of the domain object. Here are the steps to change it:
- Start ADSI Edit (start/run/adsiedit.msc)
- Expand out the Domain node, right click on DC=<yourdomain>,DC=com and select properties
- Scan down to ms-DS-MachineAccountQuota
- Modify the value as appropriate, or clear the value to remove the limit entirely.
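The same change can be scripted and audited from PowerShell. The following is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) is installed, and it uses the ms-DS-CreatorSID attribute, which the post does not mention, to show which accounts have been creating computer objects before you change the quota. The new value of 0 is only an illustrative choice.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

$attr   = 'ms-DS-MachineAccountQuota'
$domain = Get-ADDomain

# 1. Read the current value from the domain object (the same object ADSI Edit shows).
$domainObject = Get-ADObject -Identity $domain.DistinguishedName -Properties $attr
$quota = $domainObject.$attr
if ($null -eq $quota) {
    Write-Output "$attr is not set (cleared: no limit, per the post)"
} else {
    Write-Output "$attr = $quota"
}

# 2. Audit: computer accounts created by non-administrative users carry the
#    creator's SID in ms-DS-CreatorSID. Group them by creator to see who has
#    been joining machines and how many each account has created.
$created = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
    -Properties 'ms-DS-CreatorSID', 'whenCreated'

$created |
    Group-Object { "$($_.'ms-DS-CreatorSID')" } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.Name
        # Translation fails for deleted accounts; fall back to the raw SID.
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = "$sid (unresolved)" }
        [pscustomobject]@{
            Creator   = $who
            Computers = $_.Count
            Newest    = ($_.Group | Sort-Object whenCreated |
                         Select-Object -Last 1).whenCreated
        }
    }

# 3. Change the value. -WhatIf previews the write; remove it to apply.
$newQuota = 0   # illustrative value chosen for this example
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ $attr = $newQuota } -WhatIf

# To clear the attribute instead (removes the limit entirely, as in the last step above):
# Set-ADDomain -Identity $domain.DistinguishedName -Clear $attr -WhatIf
```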
Thanks a million. This really helps.
One thing I really wanted to do / ask... Is it possible to SET this on a particular USER? Like, we do have a user account which we only use for joining machines to the domain, and I was looking for a way wherein I could increase the limit for this account to, say, 100.
Sure it is possible!
Md.AthifKhaleel AT Wsus DOT Info
Hi Athif - I'm not aware of anything which allows you to configure this by user and don't believe it is possible - the attribute I mentioned is on the domain, unfortunately. Of course, administrators aren't affected by this limit, but that probably isn't what you're looking for as an answer.
When joining a machine to the domain using properties of 'My Computer', the object will be created in AD under Computers (CN), but by default is assigned 'Managed By' permissions to domain admins.
When a machine is removed from the domain, it doesn't remove it from AD (at most disables). So now if a regular user attempts to add the same machine back to the domain, they won't be able to, since Domain Admins were delegated these permissions by default.
Changing the Managed By to another user seems to work sometimes, but not always.
Is there an easier way to be sure Authenticated Users will always be able to join a machine to the domain even if it already exists in AD?
I guess I am really looking to give Computer CN permissions to Authenticated Users, but I am not 100% sure that would work the way I expect or if there is a better way.
I'm looking to deny all users the right to join machines to Active Directory, except for the people in the IT Support groups. If I set your answer above to 0, and then grant the Join Domain right to those people in IT Support, doesn't the most restrictive apply? How do I do what I need to do?
Mike - this is out of my area of expertise since moving to the Hyper-V team. I would recommend you ask the directory services team - their blog is at http://blogs.technet.com/askds/