Symptoms
- You might have noticed that users that are not members of the Domain Admin group are adding computers to the AD domain
- TIP: You can look for event ID 4741 in the Domain Controller “Security” event log to see who added a computer to the domain
Causes
- This is expected behavior. Members of the Domain Users group can add up to 10 computers to the AD domain
Fix/Workaround/Solution
Method 1 – Editing the ms-DS-MachineAccountQuota attribute
Using ADUC
- Open Active Directory Users and Computers (dsa.msc)
- On the menu click on “View” then tick the option “Advanced Features”
- Right click on your domain name on the right column, then “Properties”
- Click on the “Attribute Editor” tab
- Find the “ms-DS-MachineAccountQuota” attribute and click “Edit”
- Set the value from 10 to 0, then save
Using PowerShell
- Open an elevated PowerShell
- Run the first command to set the quota to 0, then the second command to verify the new value
Set-ADDomain (Get-ADDomain).distinguishedname -Replace @{"ms-ds-MachineAccountQuota"="0"}
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
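The following script is an added example and is not part of the original article: it reads the current ms-DS-MachineAccountQuota value, pulls event ID 4741 from a domain controller's Security log, and flags computer accounts created by users who are not Domain Admins. It assumes the ActiveDirectory RSAT module is available and that it runs on (or is pointed at, via the example's own -DomainController parameter) a domain controller; the function name is the example's own. It goes one step beyond the article by also listing computers whose mS-DS-CreatorSID attribute is populated, which is set when an account uses the quota rather than an explicit delegation.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaReport {
    param(
        [string]$DomainController = $env:COMPUTERNAME,   # assumption: run on a DC
        [int]$Days = 30                                  # how far back to read 4741 events
    )

    # 1. Current quota on the domain object (article's check, as a script)
    $domainDn = (Get-ADDomain).DistinguishedName
    $quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # 2. Who is a Domain Admin (recursive), to tell expected joins from unexpected ones
    $admins = (Get-ADGroupMember 'Domain Admins' -Recursive).SamAccountName

    # 3. Event 4741 = "A computer account was created". Parse SubjectUserName / TargetUserName
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4741; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $joins = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Creator  = $data.SubjectUserName
            Computer = $data.TargetUserName
            IsAdmin  = [bool]($admins -contains $data.SubjectUserName)
        }
    }

    # 4. Computers created through the quota carry mS-DS-CreatorSID (the creator's SID)
    $quotaCreated = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID |
        Select-Object Name, @{ n = 'CreatorSID'; e = { [string]$_.'mS-DS-CreatorSID' } }

    [pscustomobject]@{
        Quota                = $quota
        QuotaIsZero          = ($quota -eq 0)
        NonAdminJoins        = @($joins | Where-Object { -not $_.IsAdmin })
        QuotaCreatedComputers = @($quotaCreated)
    }
}

# Usage: run on a DC, then inspect the NonAdminJoins and QuotaCreatedComputers lists
Get-MachineAccountQuotaReport -Days 90 | Format-List
```

A non-zero Quota together with entries in NonAdminJoins is the situation described in the Symptoms section; after applying either fix, QuotaIsZero (or the group policy change) should prevent new entries from appearing.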
Method 2 – Editing the Domain Controllers default group policy
- Open Group Policy Management Console (gpmc.msc)
- Locate the “Domain Controllers” OU and expand it
- Right click on “Default Domain Controllers Policy” then “Edit”
- Expand:
  - Computer Configuration
    - Policies
      - Windows Settings
        - Security Settings
          - Local Policies
            - User Rights Assignment
- Find the policy named “Add workstations to domain”
- Edit the policy by removing the “Authenticated Users” group and adding the security group delegated to adding workstations to the domain
- Click “Apply” and “OK”, then close the Group Policy Management Console
Further considerations
You can read more about the ms-DS-MachineAccountQuota attribute on the official Microsoft Documentation.
Article ID: SYS-WIN-0001