How to limit how many computers users can add to the domain.

http://support.microsoft.com/en-us/kb/243327/en-us states
The number of workstations currently owned by a user is calculated by looking at the ms-DS-CreatorSID attribute of machine accounts.

To modify Active Directory to allow more (or fewer) machine accounts on the domain, use the Adsiedit tool.

WARNING Using Adsiedit incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Adsiedit can be solved. Use Adsiedit at your own risk.
1.      Install the Windows Support tools if they have not already been installed. This is necessary only for Windows 2000 and Windows Server 2003. For Windows Server 2008 and Windows Server 2008 R2, Adsiedit is installed automatically when you install the Active Directory Domain Services role.
2.      Run Adsiedit.msc as an administrator of the domain. Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.
3.      In the Select which properties to view box, click Both. In the Select a property to view box, click ms-DS-MachineAccountQuota.
4.      In the Edit Attribute box, type the number of workstations that you want users to be able to maintain concurrently.
Click Set, and then click OK

However, I am not following what it meant by Expand the Domain NC node.

 For Step 2, I can go Start, Administrative Tools, Adsi Edit, More Actions, Connect to. Then what is the next steps in and beyond Connections Settings window?
techcodrAsked:
Who is Participating?
 
Radhakrishnan RSenior Technical LeadCommented:
Hi,

Are you getting this error? "Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain"

The procedure which you outlined above was for 2000 domain which was happened with 2000 server and XP machines but the procedure still works in 2008 domain.

I believe this won't be required in 2008 domain as i haven't seen such issues where we add several number of computers into domain by using domain users without any issues.
0
 
techcodrAuthor Commented:
What I wanted to do is locked down the adding computers by users to the domain and just give out those permissions. Does not the Windows Server 2008 allow each user to add 10 computers to the domain?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.