Limit to the Number of Workstations Domain Users Can Add to the Domain

Issue | Reason | Resolution

Issue:

In any networked Windows environment it is necessary at some time to add computers to a domain, and there may be situations where a large number of computers need to be added at once.  In most cases this is not a problem: very often the user or users joining the workstations are members of the built-in Administrators group or the Domain Admins group, or have been delegated the Create Computer Objects permission on the container where the computer accounts are being created.  However, this is not always the case.  A user who does not meet any of these requirements can join ten workstations to the domain; after that, every further join attempt fails until an administrator intervenes.

Reason:

Microsoft built this limit into Windows 2000 and Windows Server 2003 Active Directory (the same default applies to later versions) to prevent misuse or abuse of this task by unauthorized personnel.  The ‘Add workstations to domain’ user right is granted to Authenticated Users by default.  It allows an authenticated user to create a computer account in the domain’s default computer container even though the Access Control List (ACL) on that container does not grant the user Create Computer Objects.  Each time a computer is joined this way, the domain controller stamps the joining user’s SID into the mS-DS-CreatorSID attribute of the new machine account; accounts created by administrators, or by users who hold delegated Create Computer Objects permission, do not receive this attribute.  Before allowing another quota-based join, Active Directory counts the existing computer objects whose mS-DS-CreatorSID matches the user and refuses the join once that count reaches the domain’s ms-DS-MachineAccountQuota attribute, which is 10 by default.

Resolution:

There are three ways to resolve this issue.

Solution 1 – Change the Default Limit to the Number of Workstations that can be Joined by a User

  1. Install the Windows 2000/2003 Support Tools by running Setup.exe from the SupportTools folder on the Windows CD. (On Windows Server 2008 and later, Adsiedit.msc is installed with the AD DS role and this step is not needed.)
  2. Run Adsiedit.msc as a Domain Administrator.
  3. Expand the Domain NC node. Right-click the object that begins with “DC=” and select Properties.
  4. In the Select which properties to view box, select Both.
  5. In the Select a property to view box, select ms-DS-MachineAccountQuota.
  6. In the Edit Attribute box, type the number representing the new limit. A value of 0 disables quota-based joins entirely, so every join then requires delegated permissions on the target container (Solution 2) or a pre-created computer account (Solution 3); this is the setting most security baselines recommend, because the default of 10 lets any authenticated user create machine accounts.
  7. Click Set, and then click OK.
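The same change from the shell, as an added example that is not part of the ERGOS TechNote. It reads the current ms-DS-MachineAccountQuota, counts the machine accounts each user has created by grouping on mS-DS-CreatorSID (which is the count the domain controller checks against the quota), and then sets a new limit. It assumes the RSAT ActiveDirectory module is installed and that it runs as a Domain Admin; the new quota value of 0 is a choice, not something the page prescribes.

```powershell
# Added example (not from the ERGOS TechNote). Assumes the RSAT
# ActiveDirectory module and a Domain Admin session.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Current quota (default 10). 0 disables joins under the user right.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot) = $quota"

# mS-DS-CreatorSID is only populated on computer objects created under the
# quota (not on accounts created by admins or via delegated ACLs), so a
# per-SID count is exactly what the DC compares against the limit.
$byCreator = @{}
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
  Where-Object { $_.'mS-DS-CreatorSID' } |
  ForEach-Object {
    $raw = $_.'mS-DS-CreatorSID'
    # Depending on module version the value arrives as a SecurityIdentifier
    # or as the raw binary SID; handle both.
    $sid = if ($raw -is [byte[]]) {
      New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    } else {
      [System.Security.Principal.SecurityIdentifier]$raw
    }
    $byCreator[$sid.Value] += 1    # missing key yields $null, $null + 1 = 1
  }

foreach ($entry in ($byCreator.GetEnumerator() | Sort-Object Value -Descending)) {
  $sid = [System.Security.Principal.SecurityIdentifier]$entry.Key
  try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
  catch { $name = "<unresolved $($sid.Value)>" }   # creator may have been deleted
  '{0,-40} {1,3} of {2}' -f $name, $entry.Value, $quota
}

# Set the new limit (assumed value). 0 stops quota-based joins entirely;
# joins then need Create Computer Objects on the target container or a
# pre-created account.
$newQuota = 0
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $newQuota }
```

Run the counting part before lowering the quota: anyone already shown at or near the limit is the user who will call the help desk, and deleting stale computer objects with their SID (rather than raising the quota) is usually the cleaner fix.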

Solution 2 – Grant Additional Permissions on the Computer Container (Not Recommended)

Granting these permissions to Authenticated Users lets every user in the domain create and delete an unlimited number of computer objects in the container, which removes even the ten-account limit. If you use this approach, grant the permissions to a dedicated group of people who are expected to join machines, not to Authenticated Users.

  1. Open Active Directory Users and Computers.
  2. Click View, and select Advanced Features.
  3. Right-click the Computers container and click Properties.
  4. Click the Security tab, and click Advanced.
  5. Click the Permissions tab, click to select Authenticated Users, and click View/Edit.
  6. In the Apply To box, ensure that This object and all child objects is selected.
  7. In the Permissions box check the Allow box next to the following permissions:
    1. Create Computer Objects
    2. Delete Computer Objects
  8. Click OK.
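The equivalent of the steps above from the shell, as an added example that is not part of the ERGOS TechNote. dsacls.exe applies the two permissions (Create Computer Objects and Delete Computer Objects, inherited to this object and all child objects). Because granting them to Authenticated Users is the part that makes this solution unsafe, the example scopes them to an assumed group on an assumed OU; substituting "Authenticated Users" and CN=Computers reproduces the GUI steps exactly.

```powershell
# Added example (not from the ERGOS TechNote). Runs as a Domain Admin.
# The OU and group names are placeholders.
$ou    = 'OU=Workstations,DC=corp,DC=example'   # assumed container
$group = 'CORP\Workstation-Joiners'             # assumed group

# /I:T  = apply to this object and all child objects (the GUI "Apply To" choice)
# CC;computer = Create child objects of class computer
# DC;computer = Delete child objects of class computer
dsacls $ou /I:T /G "${group}:CCDC;computer"

# Review the resulting ACL and show the ACEs that mention the group.
dsacls $ou | Select-String -Pattern 'Workstation-Joiners'
```

Joins performed by members of this group do not stamp mS-DS-CreatorSID and therefore never count against ms-DS-MachineAccountQuota.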

Solution 3 – Pre-create the Computer Account in Active Directory

  1. Open Active Directory Users and Computers.
  2. Right-click the Computers container (or whichever container will contain the computer accounts when added to the domain)
  3. Click New, and select Computer.
  4. Type the name of the computer you are adding.
  5. Click Change. Select the user or group that will be joining this computer to the domain. Click OK.
  6. If Windows NT 4.0 or earlier operating systems will use this computer name object, select the Allow pre-Windows 2000 computers to use this account check box. Leave it clear otherwise: it sets the account’s initial password to the lowercase computer name, which anyone who can guess the name can use until the join resets it. Click OK.
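The same pre-creation from the shell, as an added example that is not part of the ERGOS TechNote. New-ADComputer creates the account; the "Change" step of the GUI then grants the chosen user or group the rights needed to complete the join, and that is what the ACL loop reproduces (Reset Password, the validated writes to DNS host name and service principal name, and Write Account Restrictions). The computer name, OU and group are placeholders; the rights GUIDs are the standard schema GUIDs for those rights and should be checked against your schema.

```powershell
# Added example (not from the ERGOS TechNote). Assumes the RSAT
# ActiveDirectory module and a Domain Admin session; names are placeholders.
Import-Module ActiveDirectory

$computerName = 'WS-0042'                              # assumed computer name
$ou           = 'OU=Workstations,DC=corp,DC=example'   # assumed container
$joiner       = Get-ADGroup 'Workstation-Joiners'      # assumed group allowed to join

# Pre-create the account (SamAccountName defaults to "<name>$").
# The "pre-Windows 2000" box is deliberately not reproduced here.
$computer = New-ADComputer -Name $computerName -Path $ou -Enabled $true -PassThru

# Rights the ADUC "Change..." button grants to the selected principal.
# GUIDs are the well-known schema GUIDs (assumption: unmodified schema).
$rights = @(
  @{ Guid = '00299570-246d-11d0-a768-00aa006e0529'; Type = 'ExtendedRight'; Note = 'Reset Password' },
  @{ Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd'; Type = 'Self';          Note = 'Validated write to DNS host name' },
  @{ Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1'; Type = 'Self';          Note = 'Validated write to SPN' },
  @{ Guid = '4c164200-20c0-11d0-a768-00aa006e0529'; Type = 'WriteProperty'; Note = 'Write Account Restrictions' }
)

$path = "AD:\$($computer.DistinguishedName)"
$acl  = Get-Acl -Path $path
foreach ($r in $rights) {
  $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $joiner.SID,
    [System.DirectoryServices.ActiveDirectoryRights]$r.Type,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [guid]$r.Guid)
  $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Verify: list the ACEs on the new account that belong to the joiner group.
$joinerName = $joiner.SID.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path $path).Access |
  Where-Object { $_.IdentityReference.Value -eq $joinerName } |
  Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
```

A member of the group can now join a machine named WS-0042 regardless of ms-DS-MachineAccountQuota, because the join resets an existing account instead of creating one.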

References:

The following Microsoft Knowledge Base articles have information regarding this issue.

KB 243327 – Default Limit to Number of Workstations a User Can Join to the Domain
http://support.microsoft.com/kb/243327/en-us

KB 251335 – Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/kb/251335/


———————————————————–
TechNote Published By: ERGOS
*ERGOS TechNotes are provided solely for recommendation purposes and may not resolve each unique case. ERGOS will not be held liable for any issues arising from implementing the recommendations provided in this documentation.