asked on Server 2016 exceeded the maximum number of computer accounts
Hello Experts, I have a new Windows Server 2016 configured as a domain controller. I was adding workstations and was stopped on number 11 with "Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain." My boss purchased 6 Server 2016 10 user CAL packs but I have no idea where to put them. Any help would be great.
Windows OSWindows 10AzureWindows Server 2016
Last Comment
John Lewis
ASKER
Hi Experts, I returned to the culprit computer and in the background was the familiar dialog box asking for the username and password of an account with the authority to join the domain. I'm not sure why that box didn't appear the first ten times. Anyhow, I'm back in business and this question is no longer a high priority. I would like to know what happened if anyone has experienced this before. I'm also curious if I need to do anything with these client access license cards.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
The ms-DS-MachineAccountQuota attribute is the first thing that any sane administrator sets to 0 right after AD is installed.
You definitely do not want just any user to be able to add any machine to the domain. I have no idea why MS decided to allow 10 as default.
Note that you don't even need AdsiEdit anymore, you can just do that by right-clicking the domain in the regular ADUC console, open the properties, and use the "Attribute Editor" tab.
Or here's a PowerShell command that you can just paste into an elevated PS console:
You definitely do not want just any user to be able to add any machine to the domain. I have no idea why MS decided to allow 10 as default.
Note that you don't even need AdsiEdit anymore, you can just do that by right-clicking the domain in the regular ADUC console, open the properties, and use the "Attribute Editor" tab.
Or here's a PowerShell command that you can just paste into an elevated PS console:
Set-ADObject (Get-ADDomain).DistinguishedName -Replace @{'ms-DS-MachineAccountQuota'=0}
David is correct.
Do not alter this quota, in fact, from a security perspective we usually do not allow any joins without explicit delegated permissions.
Create a delegation group and delegate Join Domain rights to it. Add the appropriate Role groups to this Delegation group.
You can find the Join a computer to the domain delegation template in my article below
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
![dgjoin.png]()
Do not alter this quota, in fact, from a security perspective we usually do not allow any joins without explicit delegated permissions.
Create a delegation group and delegate Join Domain rights to it. Add the appropriate Role groups to this Delegation group.
You can find the Join a computer to the domain delegation template in my article below
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
ASKER
Thanks everyone. I eventually got all 50 workstations joined to the domain without any further issue. I appreciate your help.