Change the number of MachineAccountQuota a user can add to AD

The MachineAccountQuota is an Active Directory (AD) attribute that controls the number of computer accounts a non-administrative (standard) user can create and join to the domain. In this article, we shall discuss the steps on how to “Change the number of MachineAccountQuota a user can add to AD”. Please see How to configure a service account for Kerberos delegation, Configure Kerberos Delegation in Windows, and how to Block downloads on Microsoft Edge using GPO on Windows Server 2019 and 2022.
By default, this value is set to 10 which signifies that any standard user can join up to 10 computers to the domain without requiring explicit permission from a Domain Administrator. This behaviour is configured in the Default Domain Controllers Policy in Active Directory as we will see shortly.
Also, see What is GPO and how can it be launched in Windows, how to Configure Kerberos Delegation in Windows, and How to create Microsoft 365 Account.
Why permit the default MachineAccountQuota?
MachineAccountQuota allows organizations to delegate the ability to add computers to the domain without granting users administrative privileges.
This reduces the need for IT involvement in adding PC(s) to the domain. The following users aren’t restricted by this limitation:
- Users who have delegated permissions on containers in Active Directory to create and delete computer accounts.
- Users in the Administrators or Domain Administrators groups.
What are the Security Implications?
This default setting can lead to abuse or clutter in the directory if not managed properly, because users can potentially create multiple unauthorised computer accounts.
Microsoft recommends setting this value to 0 or another appropriate number, forcing standard users to request administrative approval for adding devices.
Please see how to Prevent Standard Users from Changing BitLocker Password, how to Block IP Addresses Using Group Policy (GPO) in Active Directory, and how to Delete Azure Tenant: Remove Custom Domain from Entra ID.
Determine the default MachineAccountQuota
As mentioned already, by default a standard user can add 10 computers to the domain. This is a security risk because an attacker could also bring their own PCs into the domain this way, unless you have other network security controls in place, for example a custom setup that prevents a domain join when the device is unable to obtain an IP address from DHCP.
The value is an attribute of the domain object itself. The following command reads the current value, and no administrative rights are required to run it. The value can be changed via PowerShell or via ADSIEDIT; Domain Admin rights are required for that.
Get-ADObject ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

Change MachineAccountQuota value with PowerShell
To do this with PowerShell, run the command below. The value in the hashtable (here "0") is the target quota; I will be setting this to zero.
Set-ADDomain (Get-ADDomain).distinguishedname -Replace @{"ms-ds-MachineAccountQuota"="0"}
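The read and set commands above can be combined into a short audit script. The following is an added example, not code from the original article: it reads the current quota, lists the computer accounts that were created under the quota (AD records the creator's SID in mS-DS-CreatorSID on such objects, which is not set for accounts created by administrators or delegated users), and then sets the quota to 0. It assumes the ActiveDirectory RSAT module is installed and that the Set-ADDomain step is run with Domain Admin rights.

```powershell
# Added example: audit ms-DS-MachineAccountQuota and the accounts created under it,
# then set the quota to 0. Requires the ActiveDirectory module; step 3 needs Domain Admin.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Read the current quota (no admin rights needed).
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# 2. Computer accounts created through the quota carry the creator's SID in
#    mS-DS-CreatorSID; listing them shows who has actually used the quota.
$created = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator may have been deleted; keep the raw SID
        [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
    }
$created | Sort-Object Created | Format-Table -AutoSize

# 3. Set the quota to 0 so only delegated users/groups and administrators can join machines.
#    -WhatIf shows the change without applying it; remove it once the output above is reviewed.
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = '0' } -WhatIf

# 4. Re-read to confirm the change (after running step 3 without -WhatIf).
(Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

Reviewing the step 2 output before changing the quota tells you which users are relying on it today, so they can be given delegated permissions on the appropriate OU instead of being surprised by the "exceeded the maximum number of computer accounts" error described later in the article.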

Please see How to join a computer to the Domain, how to Prevent users from saving RDP Credentials on Windows 11, and How to configure user resource limits and restrictions in Linux.
Change MachineAccountQuota value with ADSIEDIT
To change the value via ADSIEdit, launch ADSIEdit from the Server Manager.
Expand or double-click on “Default naming context”. Right-click on the root object of the domain (DC=xxxx,DC=xxxxxx,DC=com) and select properties.

In the Attribute Editor, search for the ms-DS-MachineAccountQuota property and select the entry. Click Edit.

As you can see below, the default value is 10. Enter the desired value and click “OK”.

I have set this to Zero (0). I will click on Ok and Ok again to close the ADSI Edit wizard. This will prevent non-admin users from adding computers to the domain.

Now, when a standard user tries to add a PC to the domain, the error below will be displayed.
Your computer could not be joined to the domain, You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.

If you wish to delegate this right to non-admin users, you can do so as well. I recommend limiting the default MachineAccountQuota to zero before delegating this right, because delegation does not override the default value: with the default in place, anyone can still add workstations to the domain.
Please see How To Configure a Domain Password Policy, How to setup a Third-Party DNS Server on a Linux Server, and “How to Remove the All Apps Option from Windows Start Menu via GPO/Registry”.
Define who can add devices via Group Policy Objects (GPO)
You can also use Group Policy Objects (GPO) to explicitly define who can add machines to the domain.
This method limits reliance on the default MachineAccountQuota setting and allows only specific groups or users to add devices to the domain.
To do this, launch the Group Policy Management. Alternatively, you could press Win + R, type gpmc.msc, and press Enter.

Next, create a new GPO or edit an existing one, and navigate to the following path:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Locate Add workstations to the domain, and double-click the policy to open it.
- Select Define these policy settings. Please see “How to configure user resource limits and restrictions in Linux“.
- Add the specific group or user(s) you want to allow, as defined by your organisation.

Since I did not create a new GPO, I will not bother about linking it as it is already linked.
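To verify what the GPO actually applied, the following added example (not code from the original article) exports the effective user-rights assignment on a domain controller with secedit and shows who holds "Add workstations to the domain" (the underlying privilege name is SeMachineAccountPrivilege), alongside the current quota. It assumes it is run on a DC in an elevated PowerShell session with the ActiveDirectory module available.

```powershell
# Added example: show who holds "Add workstations to the domain" (SeMachineAccountPrivilege)
# on this DC as applied by Group Policy, next to the current ms-DS-MachineAccountQuota.
# Run on a domain controller in an elevated session.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }
Remove-Item $cfg -Force

if (-not $line) {
    Write-Host 'SeMachineAccountPrivilege is not assigned to anyone on this DC.'
} else {
    # The exported value is comma separated; SIDs are prefixed with '*', names appear as-is.
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    Write-Host 'Principals holding "Add workstations to the domain":'
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved SID)' }
            Write-Host ("  {0,-45} {1}" -f $e, $name)
        } else {
            Write-Host "  $e"
        }
    }
}

# The out-of-the-box holder is Authenticated Users (S-1-5-11). Combined with a non-zero
# quota, that lets any domain user join up to <quota> machines, so check both together.
Import-Module ActiveDirectory
$dn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota: $quota"
```

If the output still lists *S-1-5-11 (Authenticated Users) after the GPO has been applied, the policy has not reached the domain controllers yet (run gpupdate /force on the DC) or a GPO with higher precedence still defines the right.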
FAQs
To reflect updated group memberships without a full logoff, you can use one of the following:
- “runas /user:domain\username cmd” to launch a new process with a fresh access token.
- Use a remote PowerShell session or PsExec to create a new logon session.
- Restart the relevant services running under the affected account (e.g., for service accounts).
These methods create a new logon session with an updated token, thereby allowing group membership changes to take effect.
What does klist purge actually do in Windows? The “klist purge” command clears all cached Kerberos tickets from the current user’s session, including the Ticket Granting Ticket (TGT). This forces the system to request new Kerberos tickets the next time the user accesses a network resource. It’s useful for troubleshooting Kerberos authentication issues.
The whoami /groups command displays the groups included in your current access token, which is generated at logon. Even if you’ve been added to new AD groups, these changes won’t appear in whoami /groups until you log off and log back in or create a new session with an updated token. Clearing Kerberos tickets with klist purge doesn’t update the access token. Therefore, group membership changes won’t be reflected right away.
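The difference between the access token and current AD membership can be checked directly. The following added example (not code from the original article) compares the group SIDs in the current logon token with the user's direct group memberships in AD and lists the ones that will only appear after a new logon session. It assumes the ActiveDirectory module is available and that the logged-on user's account lives in the domain the session is joined to.

```powershell
# Added example: list AD group memberships of the current user that are not yet
# present in the logon token (i.e. added since logon; whoami /groups will not show them
# until a new logon session is created with runas, a remote session, or log off/on).
Import-Module ActiveDirectory

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }   # same set whoami /groups reports

# Assumption: the account is in the domain this session is joined to (DOMAIN\user -> user).
$samAccount = $identity.Name.Split('\')[-1]
$user       = Get-ADUser -Identity $samAccount
$adGroups   = Get-ADPrincipalGroupMembership -Identity $user   # direct memberships in AD

$pending = $adGroups | Where-Object { $tokenSids -notcontains $_.SID.Value }

if ($pending) {
    Write-Host "Group memberships for $($identity.Name) not yet reflected in the current access token:"
    $pending | Select-Object Name, SID | Format-Table -AutoSize
} else {
    Write-Host "Token groups match the current AD group membership for $($identity.Name)."
}
```

Running klist purge before this script changes nothing in the output, which illustrates the point above: the token is built at logon from AD membership, and purging Kerberos tickets does not rebuild it.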
I hope you found this article on how to “Change the number of MachineAccountQuota a user can add to AD” very useful. Please feel free to leave a comment below.