How to limit how many computers users can add to the domain.

http://support.microsoft.com/en-us/kb/243327/en-us states
The number of workstations currently owned by a user is calculated by looking at the ms-DS-CreatorSID attribute of machine accounts.

To modify Active Directory to allow more (or fewer) machine accounts on the domain, use the Adsiedit tool.

WARNING Using Adsiedit incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Adsiedit can be solved. Use Adsiedit at your own risk.
1.      Install the Windows Support tools if they have not already been installed. This is necessary only for Windows 2000 and Windows Server 2003. For Windows Server 2008 and Windows Server 2008 R2, Adsiedit is installed automatically when you install the Active Directory Domain Services role.
2.      Run Adsiedit.msc as an administrator of the domain. Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.
3.      In the Select which properties to view box, click Both. In the Select a property to view box, click ms-DS-MachineAccountQuota.
4.      In the Edit Attribute box, type the number of workstations that you want users to be able to maintain concurrently.
Click Set, and then click OK

However, I am not following what it meant by Expand the Domain NC node.

 For Step 2, I can go Start, Administrative Tools, Adsi Edit, More Actions, Connect to. Then what is the next steps in and beyond Connections Settings window?
techcodrAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Radhakrishnan RSenior Technical LeadCommented:
Hi,

Are you getting this error? "Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain"

The procedure which you outlined above was for 2000 domain which was happened with 2000 server and XP machines but the procedure still works in 2008 domain.

I believe this won't be required in 2008 domain as i haven't seen such issues where we add several number of computers into domain by using domain users without any issues.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
techcodrAuthor Commented:
What I wanted to do is locked down the adding computers by users to the domain and just give out those permissions. Does not the Windows Server 2008 allow each user to add 10 computers to the domain?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.