incomplete.io

active directory domain join quotas

Joining a computer to an Active Directory domain, as described in more detail elsewhere, consists of creating a computer account object and setting some attributes and a password on it. When the credentials used to perform the join belong to a user who holds the SeMachineAccountPrivilege user right ("Add workstations to domain"), the join is permitted. Delegating Create Child rights for computer objects on specific OUs or containers also allows otherwise unprivileged users to perform domain joins, and joins made under such explicit permissions are not subject to the quota described below.

Out of the box, Microsoft Active Directory on Windows 2000 and later grants SeMachineAccountPrivilege to Authenticated Users on domain controllers, so any domain user may perform domain joins, but subject to a quota. The default quota lets each such user join up to ten machines to the domain.

Exceeding this limit results in the user performing the domain join being shown a "Quota Exceeded" message, or the application being returned NT_STATUS_QUOTA_EXCEEDED (Samba's name for the NTSTATUS code STATUS_QUOTA_EXCEEDED, 0xC0000044). Accurate, but not necessarily intuitive, since many tend to think of file I/O when dealing with quotas. The limit is enforced against existing computer objects whose mS-DS-CreatorSID attribute matches the joining user's SID; the domain controller populates that attribute only on computers created under the quota, so objects created under delegated rights never count, and removing quota-created objects frees their creator's slots.

This quota may be modified by altering the ms-DS-MachineAccountQuota LDAP attribute, which lives on the root object of the domain (the head of the domain naming context). Setting it to 0 is a common hardening step: it stops ordinary users, and therefore an attacker holding any single domain credential, from creating up to ten computer accounts whose passwords they control. Setting it to 0 does not remove computer objects that already exist, and it does not affect principals with explicit Create Child rights on an OU, who were never limited by it.

LDIF output containing a relevant subset of attributes might look like the following:

dn: DC=incomplete,DC=io
objectClass: top
objectClass: domain
ms-DS-MachineAccountQuota: 10

see also

Twitter: @IncompleteIO