Active Directory - Prevent Domain Users to join computers into domain

Symptoms
Causes
Fix/Workaround/Solution

Method 1 – Editing the ms-DS-MachineAccountQuota attribute

Using ADUC
  1. Open Active Directory Users and Computers (dsa.msc)
  2. On the menu click on “View” then tick the option “Advanced Features”
  3. Right click on your domain name on the right column, then “Properties”
  4. Click on the “Attribute Editor” tab
  5. Find the “ms-DS-MachineAccountQuota” attribute and click “Edit”
  6. Set the value from 10 to 0, then save
Using PowerShell
  1. Open an elevated PowerShell
  2. Run the command
    Set-ADDomain (Get-ADDomain).distinguishedname -Replace @{"ms-ds-MachineAccountQuota"="0"}
You can check that the modification took effect either by trying to add a computer to the domain with the credentials of an unprivileged user account, or by running this PowerShell command:
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
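As an added example (not part of the original article), the script below reads the current quota and goes one step beyond the check above: it lists computer objects whose mS-DS-CreatorSID attribute is populated, which Active Directory sets only when the account was created by a non-privileged user through the quota. It assumes the RSAT ActiveDirectory module is installed and the session runs as a domain user with read access to the directory.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaStatus {
    $domain = Get-ADDomain
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                  -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        Domain   = $domain.DNSRoot
        Quota    = $quota
        Hardened = ($quota -eq 0)   # 0 = unprivileged users can no longer join machines
    }
}

function Get-QuotaJoinedComputers {
    # mS-DS-CreatorSID is only set when a user without create-child rights
    # created the computer object via the quota, so its presence flags exactly
    # the machines joined by ordinary domain users.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator account may have been deleted since
            [pscustomobject]@{
                Computer    = $_.Name
                CreatedBy   = $creator
                WhenCreated = $_.whenCreated
            }
        }
}

Get-MachineAccountQuotaStatus | Format-List
Get-QuotaJoinedComputers | Sort-Object WhenCreated | Format-Table -AutoSize
```

Machines listed by the second function were joined before the quota was set to 0 and are worth reviewing, since setting the quota does not retroactively affect existing computer objects.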


Method 2 – Editing the Domain Controllers default group policy

  1. Open Group Policy Management Console (gpmc.msc)
  2. Locate the “Domain Controllers” OU and expand it
  3. Right click on “Default Domain Controllers Policy” then “Edit”
  4. Expand:
    • Computer Configuration
    • Policies
    • Windows Settings
    • Security Settings
    • Local Policies
    • User Rights Assignment

  5. Find the policy named “Add workstations to domain”
  6. Edit the policy by removing the “Authenticated Users” group and adding the security group delegated to add workstations to the domain
  7. Click “Apply” and “Ok”, then close the Group Policy Management Console

Further considerations

You can read more about the ms-DS-MachineAccountQuota attribute on the official Microsoft Documentation.



Article ID: SYS-WIN-0001