Block ADDS Domain Join of Computers for Domain Users
Hi All,
You might think that only Domain Administrators are able to add Computers to the Active Directory Domain. But that’s not true.
From the AD Schema documentation for the MS-DS-Machine-Account-Quota attribute:
The number of computer accounts that a user is allowed to create in a domain.
With the default value of 10, a regular Domain User can join up to 10 Computers to a Domain.
If you open up adsiedit.msc, check the Properties of the Domain container and search for the Active Directory attribute “ms-DS-MachineAccountQuota”, you can see that it has a value of “10”.
Note: if you have a Root Domain with several Child Domains, you have to change the value in every Domain.
You can also query that with PowerShell:
Import-Module ActiveDirectory
Get-ADObject ((Get-ADDomain).distinguishedname) -Properties "ms-DS-MachineAccountQuota"
To change the value to “0”, you can use the PowerShell commands below.
Set-ADDomain (Get-ADDomain).distinguishedname -Replace @{"ms-ds-MachineAccountQuota"="0"}
Get-ADObject ((Get-ADDomain).distinguishedname) -Properties "ms-DS-MachineAccountQuota"
Now it is set to “0”, which can also be seen in ADSI Edit.
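The following PowerShell script is an added example and not part of the original post. It audits ms-DS-MachineAccountQuota in every domain of the forest (the child-domain note above) and lists the computer accounts that regular users already joined under the quota, which Active Directory marks with the mS-DS-CreatorSID attribute. It assumes the ActiveDirectory module and read access to all domains.

```powershell
# Added example, not from the original post. Audits ms-DS-MachineAccountQuota in
# every domain of the forest and lists computers that were created under the quota.
Import-Module ActiveDirectory

$forest = Get-ADForest
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dc     = $domain.PDCEmulator          # query one writable DC per domain

    # Quota check: 0 means regular users can no longer join computers via the quota.
    $quota = (Get-ADObject -Identity $domain.DistinguishedName -Server $dc `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    if ($quota -eq 0) { $status = 'OK' } else { $status = 'Regular users may still join computers' }
    [pscustomobject]@{
        Domain = $domainName
        Quota  = $quota
        Status = $status
    }

    # Computers that a regular user joined under the quota carry mS-DS-CreatorSID
    # (the SID of the creating user). Computers created by admins or by accounts
    # with delegated "Create Computer objects" permission do not have it.
    Get-ADComputer -Server $dc -LDAPFilter '(mS-DS-CreatorSID=*)' `
        -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # deleted or foreign account: show the raw SID
            [pscustomobject]@{
                Domain      = $domainName
                Computer    = $_.Name
                CreatedBy   = $creator
                WhenCreated = $_.whenCreated
            }
        }
}
```

Setting the quota to 0 only closes the quota path: accounts that hold "Create Computer objects" permission on an OU, and of course Domain Admins, can still join machines, so review those delegations separately.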
Result “Domain Join”
Let’s try to Join a Computer to a Domain with a regular Domain User. I use this Windows 11 VM for testing purposes.
Go to Settings > System > About and click on “Domain or Workgroup”
On the Register “Computer Name” click on “Change”
In the “Member of” section select “Domain” and enter the FQDN of the Domain you want to join
Now we provide the credentials of a regular Domain User
Now you receive an error message.
Error:
Your computer could not be joined to the domain, You have
exceeded the maximum number of computer accounts you are
allowed to create in this domain. Contact your system
administrator to have this limit reset or increased.
Summary:
We have made sure that no regular Domain User can join Machines to Active Directory.
Regards
Andres Bohren