Prevent users from joining workstations to domain (at their will)
March 31, 2008
Every domain has a default value of 10 for the ms-DS-MachineAccountQuota attribute. This means that any domain user can add up to 10 machines to the domain. You can modify this attribute in the directory with the ADSIedit tool to prevent this behavior.
Warning: Using ADSIedit can have adverse effects on your Active Directory environment if it is not handled with proper knowledge.
Launch ADSIedit from the Run command: ADSIedit.msc
Under Domain Configuration, expand the tree and find your domain. Right-click it and go to Properties.
Look for the ms-DS-MachineAccountQuota property and change its value to '0'.
Hit OK, Apply and exit.
How does it keep track of how many machines you have added under your user ID/account?
For a computer account created by a domain user, the account carries the 'ms-DS-CreatorSID' attribute, which records the creating user. When a user adds a computer to the domain, a process enumerates the 'ms-DS-CreatorSID' attribute on every computer account in the domain, counts the ones created by that user and checks whether the total exceeds the current quota for that user.
The ‘ms-DS-CreatorSID’ and ‘ms-DS-MachineAccountQuota’ with default value 10 are also available in Windows Server 2008 AD DS.
Note: The 'ms-DS-CreatorSID' attribute is left unset on a computer account that is pre-created in the Active Directory Users and Computers MMC or joined by a domain administrator, so such accounts do not count against any user's quota.
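The following PowerShell script is an added example, not part of the original post: it reads the current quota, performs the same per-creator count of 'ms-DS-CreatorSID' that the domain controller does, and shows the scripted equivalent of the ADSIedit step (commented out). It assumes the ActiveDirectory RSAT module and an account with rights to read computer objects and modify the domain object.

```powershell
# Added example: audit which users have joined machines via ms-DS-CreatorSID
# and optionally set ms-DS-MachineAccountQuota to 0 (equivalent of the ADSIedit step).
# Assumes the ActiveDirectory module is installed and you run with suitable rights.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota     = [int]$domainObj.'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $quota"

# Only accounts created by ordinary users carry ms-DS-CreatorSID; accounts
# pre-created in ADUC or joined by admins have it unset and are excluded here.
$computers = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID'

$perCreator = $computers | ForEach-Object {
    $raw = $_.'ms-DS-CreatorSID'
    # The attribute is an octet string (raw SID bytes); turn it into a SID object.
    $sid = if ($raw -is [byte[]]) {
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    } else {
        [System.Security.Principal.SecurityIdentifier]$raw
    }
    # Resolve to DOMAIN\user; fall back to the bare SID if the creator was deleted.
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }
    [pscustomobject]@{ Creator = $name; Computer = $_.Name }
} | Group-Object Creator | Sort-Object Count -Descending

# Same comparison the DC makes when a user tries to join another machine.
foreach ($g in $perCreator) {
    $flag = if ($quota -gt 0 -and $g.Count -ge $quota) { ' (at/over quota)' } else { '' }
    '{0,-40} {1,3}{2}' -f $g.Name, $g.Count, $flag
}

# Scripted equivalent of the ADSIedit change described above. Uncomment to apply;
# afterwards only accounts with explicit Create Child rights on the container can join machines.
# Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
```

Keep the audit output before changing the quota; it also flags any user who has accumulated an unexpectedly large number of joined machines.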
http://support.microsoft.com/kb/243327