
How to allow/prevent domain users from join workstations to domain?

In an Active Directory domain environment, by default any authenticated domain user can add workstations to the domain up to 10 times. But there are situations where you may need to increase this limit or disable it completely.

For example, let's assume an employee brings his laptop into the office and plugs it into the company network. Unless this is controlled via NPS (Network Policy Server) or network-level port protection, the user can simply add it to the company domain using his/her own user credentials. It's definitely a threat to the organization's network and data.

In another example, let's assume we restructured the company domain hierarchy and need to move workstations to a different domain. If the company has 500+ workstations it will take days to move them to the new domain. But if we adjust this limit we can get help from department leads and managers with the process without delegating permissions.

So based on the requirement, let's see how we can edit this limit. In the demo I am using a domain controller which runs Windows Server 2012 R2, but the same steps can be used in a Server 2008 environment as well.

Note – This limit does not apply to any user account which is a member of the Domain Admins or Enterprise Admins group.

1)    Log in to the DC server as a domain admin or enterprise admin.
2)    Go to Server Manager > Tools > ADSI Edit.
3)    In the console, expand Default naming context and select the correct domain (in a forest there can be different domains based on the config).
4)    Then right-click on it and select "Properties".
5)    Once the attribute list is open, find the attribute called ms-DS-MachineAccountQuota. This is the attribute responsible for the above limit. By default it is set to 10. Setting it to 0 disables this limit (ordinary domain users can then no longer join workstations); otherwise the value can be adjusted to whatever number the requirements call for.
6)    Once done, click OK until you exit the popup windows.
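The same change can be made without ADSI Edit. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory PowerShell module is installed, that you run it as a domain admin, and it uses 0 as a sample value for the new limit. It reads the current ms-DS-MachineAccountQuota on the domain naming context, sets it, and then lists the computer objects that were joined under the quota by ordinary users (those carry the ms-DS-CreatorSID attribute), so you can review which machines were added that way before tightening the limit.

```powershell
# Added example (not part of the original post). Requires the RSAT
# ActiveDirectory module and domain admin rights. The value 0 below is a
# sample input; use any number your requirements call for.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1) Read the current limit (default is 10).
Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object DistinguishedName, 'ms-DS-MachineAccountQuota'

# 2) Set the new limit. 0 stops ordinary domain users from joining
#    workstations; Domain Admins / Enterprise Admins are not affected.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 3) Confirm the change took effect.
(Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# 4) Audit: computer objects created under the quota by a non-admin user
#    carry ms-DS-CreatorSID (the SID of the user who joined them). Objects
#    created by accounts with explicit create-child rights do not.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module may return the SID as a SecurityIdentifier or as raw bytes.
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$raw
        }
        # Resolve the SID to a user name; fall back to the SID string if the
        # account has since been deleted.
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $sid.Value }
        [PSCustomObject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
        }
    } | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
```

Run the audit step on its own first if you only want the report; it makes no changes. The quota value is read and written on the domain naming context object itself, which is exactly the object the ADSI Edit steps above open in Properties.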

This is the end of the post. If you have any questions, feel free to contact me at rebeladm@live.com
