
Increase the number of workstations a user can join to a domain

Change the number of machines a user can join to a domain by editing the ms-DS-MachineAccountQuota attribute with ADSI Edit.

In last week's TR Dojo Challenge question, I asked TechRepublic members how to increase the number of machines a user could join to a domain. The question was inspired by an email I received from TechRepublic member Alexandru P. The help desk technicians in Alexandru's organization are currently limited in the number of machines they can add to their Windows domain, and this has become a problem.

By default, Active Directory allows members of the Authenticated Users group to join up to 10 computer accounts to the default Computers container. If a user tries to add more than 10 workstations, they are likely to receive one of the following error messages:

"The machine account for this computer either does not exist or is unavailable."

"Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased."

"The following error occurred attempting to join the domain "domain.com". Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased."

According to MSKB articles 251335 and 314462, there are three ways to resolve this problem:

  1. Pre-Create the User's Computer Account
  2. Grant the "Create Computer Objects" and "Delete Computer Objects" Access Control Entries (ACEs) to the User
  3. Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain

While the first two solutions will solve the problem, it's the third one that we're most interested in, as it actually changes the default limit on the number of workstations a user can join to the domain.

Using ADSI Edit to set the ms-DS-MachineAccountQuota attribute

The number of workstations a user can join to a domain is configured by the ms-DS-MachineAccountQuota attribute on the domain object. Using the Active Directory Service Interfaces Editor (ADSI Edit), you can view and modify Active Directory objects and their attributes directly.

To run ADSI Edit on Windows Server 2003 or Windows XP machines, you'll need to install the Windows Server 2003 Support Tools, which you'll find on the Windows Server 2003 CD or in the Microsoft Download Center. If you're running Windows Server 2008, ADSI Edit is installed as part of the Active Directory Domain Services (AD DS) role, which makes the server a domain controller. You can also install the Remote Server Administration Tools (RSAT) on servers that aren't domain controllers. On machines running Windows Vista SP1 or Windows 7, you must install RSAT to use ADSI Edit.

Once you have ADSI Edit installed, you can change the ms-DS-MachineAccountQuota attribute with the following steps:

  1. Click Start | Run | and enter adsiedit.msc.
  2. Expand the Domain node and locate the object that begins with "DC=" and contains the name of the domain you're interested in.
  3. Right-click the "DC=" object and click Properties.
  4. Locate the ms-DS-MachineAccountQuota attribute on the Attribute Editor tab and click Edit.
  5. On the Integer Attribute Editor dialog, enter the number of workstations you want users to be able to add. You can enter 0 to prevent users from joining any workstations to the domain or clear the value to remove the limit.
  6. Once you've entered the appropriate value, click OK to close the Integer Attribute Editor dialog box and OK again to close the Properties box.
  7. Close ADSI Edit.

Using the command line or VBScript to set the ms-DS-MachineAccountQuota attribute

While most Microsoft documentation on editing the ms-DS-MachineAccountQuota attribute relies on the ADSI Edit method outlined above, you can also use the command line or VBScript. For examples of these methods, check out the article "Recipe 8.11. Changing the Maximum Number of Computers a User Can Join to the Domain" from CodeIdol.com.
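The following PowerShell script is an added example and is not code from the article, from Microsoft's KB articles, or from the CodeIdol recipe. It assumes the ActiveDirectory PowerShell module (shipped with RSAT) and a session with rights to write the domain head object. It reads the current ms-DS-MachineAccountQuota value, sets a new one (the function and variable names are this example's own), and then lists the computer accounts that were joined under the quota by ordinary users, which the domain records in the mS-DS-CreatorSID attribute. That last step is the check an administrator wants before lowering the quota or delegating "Create Computer Objects" instead, because it shows exactly which users have been relying on the default allowance.

```powershell
# Added example: read, change and audit ms-DS-MachineAccountQuota.
# Assumes the ActiveDirectory module (RSAT) and write rights on the domain object.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName

function Get-MachineAccountQuota {
    # Returns the current quota on the domain head (10 by default).
    $obj = Get-ADObject -Identity $DomainDN -Properties 'ms-DS-MachineAccountQuota'
    return $obj.'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([Parameter(Mandatory)][int]$Quota)
    # Setting the attribute replaces the value for every authenticated user.
    # 0 prevents ordinary users from joining any machine; pair it with explicit
    # delegation of Create Computer Objects (option 2 in the article) so that
    # only the help desk, not everyone, can add computers.
    Set-ADObject -Identity $DomainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
    # To remove the limit instead (as the ADSI Edit step describes), clear it:
    #   Set-ADObject -Identity $DomainDN -Clear 'ms-DS-MachineAccountQuota'
}

function ConvertTo-CreatorSid {
    param($Raw)
    # The module may hand back a SecurityIdentifier, a byte[] or a value
    # collection depending on version; normalise all of them.
    if ($Raw -is [System.Security.Principal.SecurityIdentifier]) { return $Raw }
    if ($Raw -is [byte[]]) { return New-Object System.Security.Principal.SecurityIdentifier($Raw, 0) }
    if ($Raw -is [string])  { return New-Object System.Security.Principal.SecurityIdentifier($Raw) }
    return ConvertTo-CreatorSid -Raw $Raw.Value
}

function Get-QuotaJoinedComputers {
    # Computer accounts created through the quota carry mS-DS-CreatorSID;
    # accounts created by delegated admins or pre-created by an admin do not.
    Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $sid = ConvertTo-CreatorSid -Raw $_.'mS-DS-CreatorSID'
            $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { "$sid (unresolved, account may be deleted)" }
            [pscustomobject]@{ Computer = $_.Name; CreatedBy = $who }
        }
}

# Usage (placeholder values; pick the quota deliberately for your domain):
Write-Output ("Current quota on {0}: {1}" -f $DomainDN, (Get-MachineAccountQuota))
Get-QuotaJoinedComputers | Sort-Object CreatedBy | Format-Table -AutoSize
# Set-MachineAccountQuota -Quota 0
```

The audit runs read-only; the `Set-MachineAccountQuota` call at the end is commented out so the script can be run as-is to see who would be affected before anything changes. Because the quota is a single domain-wide value, raising it for one help desk technician raises it for every authenticated user, which is why the delegation route is the narrower fix when only specific people need to join machines.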

And the TechRepublic swag goes to...

Several TechRepublic members suggested using ADSI Edit to change the ms-DS-MachineAccountQuota attribute, but I'm awarding the coffee mug and laptop sticker to rhino777, who was first to answer the question--a mere 16 minutes after I posted it. Congratulations.

Thanks to everyone who submitted an answer. If you don't see your answer here, be sure to give this week's question, "TR Dojo Challenge: How do you safely reduce the size of the WinSxS folder?" a try.


About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

1 comment

chrisflusche

The accepted solution is not the best method. The original question asked how to perform this task for "a user" - not for all users. The solution you have accepted changes the value for all users, which is a security issue and doesn't comply with Active Directory best practices. The general idea here is that you should always go with the option that resolves the problem, while decreasing security as little as possible.
