
The MachineAccountQuota is an AD attribute that controls how many devices a non-administrative account (often referred to as a standard user) can add to the domain. @dips also did a great job explaining its security implications and how we can monitor and mitigate them. Below is the link to his excellent blog post.

The default value for MachineAccountQuota is 10, meaning any user within your organisation can add up to 10 computers to the domain without requiring explicit permission from a Domain Administrator. If this is not your desired outcome, please read on and acquaint yourself with the steps to fix this security concern.

Many blog posts advocate increasing this limit and describe the steps to do so, since it reduces the need for IT involvement when adding PCs to the domain. However, this can lead to clutter in the directory if it is not managed properly. This is why Microsoft set a default limit in the first place: to prevent misuse.

Determine the Default Machine Account Quota

To determine the default value, kindly run the command below.

Get-ADObject ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota


This value can be changed via PowerShell or ADSI Edit. Domain Admin rights are required for this. Please take a look at the blog post for the detailed steps and for how to configure a GPO for certain users only, thereby overriding the default MachineAccountQuota.

Change MachineAccountQuota value with PowerShell

To do this with PowerShell, please run the command below, where "x" is the target value. I will be setting this to zero, as shown in the image below.
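As an added example (not the command or screenshot from the original post), the following PowerShell script reads the current quota, sets it to the target value, verifies the change, and then lists computer objects that were created under the quota by non-admin users (ms-DS-CreatorSID is only populated on such objects, so they are the ones worth reviewing). It assumes the RSAT ActiveDirectory module is installed and that it is run with Domain Admin rights.

```powershell
# Added example, not from the original post.
# Assumes: RSAT ActiveDirectory module, Domain Admin rights for the Set- step.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$attr     = 'ms-DS-MachineAccountQuota'

# 1. Read the current quota (the default is 10).
$current = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
Write-Host "Current $attr on $($domain.DNSRoot): $current"

# 2. Lower it to the target value. 0 means standard users can no longer
#    join computers to the domain; only accounts granted the right explicitly can.
$desired = 0
if ($current -ne $desired) {
    Set-ADDomain -Identity $domain -Replace @{ $attr = $desired }

    # 3. Re-read to confirm the change was applied.
    $after = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
    if ($after -ne $desired) {
        throw "Failed to set $attr: expected $desired, found $after"
    }
    Write-Host "$attr is now: $after"
}

# 4. Audit: computer objects created by non-admins under the quota carry the
#    creator's SID in ms-DS-CreatorSID; admin-created computers do not.
#    Lowering the quota does not remove existing objects, so review these.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties ms-DS-CreatorSID, whenCreated |
    Select-Object Name, whenCreated,
        @{ Name = 'CreatorSID'; Expression = { $_.'ms-DS-CreatorSID' } } |
    Format-Table -AutoSize
```

The audit step is read-only; only the Set-ADDomain line changes the directory.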


Change MachineAccountQuota value with ADSIEDIT

As mentioned earlier, we can also do this via ADSI Edit. Launch ADSI Edit from Server Manager.


Connect to the default naming context, or double-click on "Default naming context". Right-click on the root object of the domain (DC=xxxx,DC=xxxxxx,DC=com) and select Properties.


In the Attribute Editor, search for the ms-DS-MachineAccountQuota property and select the entry. Click Edit.

As you can see below, the default value is 10. Enter the desired value and click "OK".

I have set this to zero (0). I will click OK, and OK again, to close the ADSI Edit window. This will prevent non-admin users from adding computers to the domain.

Now, when a standard user tries to add a PC to the domain, the error below will be displayed.

Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.

Note: You can also use Group Policy Objects (GPO) to define explicitly which users or groups are allowed to add machines to the domain, independent of the quota.
