24 December, 2010

MachineAccountQuota

By default, any ordinary user in an Active Directory domain can join up to 10 machines to the domain without holding any administrative privileges.

The per-user quota is 10. Lowering it (0 is the usual hardening choice) limits how many computer accounts an unprivileged user can create, which otherwise lets any domain user stand up machine accounts they control.
The attribute that stores the quota is "msDS-MachineAccountQuota", and it lives on the domain object itself (the head of the domain naming context), not on the user. Each computer account created under the quota records the creating user's SID in "ms-DS-CreatorSID", and that is what the domain controller counts when deciding whether the next join is allowed. Users or groups that have been delegated "Create Computer objects" on an OU are not subject to the quota.

Example
We have a user "User1" in Active Directory who is a member of the "Domain Users" group only.

The attribute "msDS-MachineAccountQuota" can be found in the properties of the domain partition (the domain naming context object).
By default, the value of msDS-MachineAccountQuota is 10.


Let's change the value of msDS-MachineAccountQuota to 1.

Let's now join a machine to the domain while logged on to it as "User1".

User1 was able to join the machine to the domain: the first join succeeds because the quota of 1 has not been used yet.

Let's try to join another machine to the domain, again logged on to it as User1.

Oops... we got the error. The second join is refused: User1 has already created one computer account, which is all a quota of 1 allows.
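The walkthrough above, scripted, as an added example that is not part of the original post: it reads the quota from the domain object, lowers it, and counts how many computer accounts a user has already created under it. It assumes the RSAT ActiveDirectory PowerShell module, an account that is allowed to write the domain object, and the user name User1 from the walkthrough; the join step at the end is what you would run on the client itself.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# an account allowed to write the domain object, and the user "User1" from the walkthrough.
Import-Module ActiveDirectory

$domain   = Get-ADDomain                 # the domain object is the naming-context head
$domainDN = $domain.DistinguishedName    # e.g. DC=corp,DC=example (assumed domain)

# 1. Read the current quota. The attribute lives on the domain object itself.
$quota = (Get-ADObject -Identity $domainDN -Properties 'msDS-MachineAccountQuota').'msDS-MachineAccountQuota'
Write-Host "msDS-MachineAccountQuota is currently $quota (default 10)"

# 2. Lower it. 1 reproduces the walkthrough; 0 stops non-delegated users joining machines at all.
#    Users or groups delegated "Create Computer objects" on an OU are not limited by this value,
#    so delegation is the right way to let helpdesk staff keep joining machines.
Set-ADObject -Identity $domainDN -Replace @{ 'msDS-MachineAccountQuota' = 1 }

# 3. Work out how much of the quota a user has consumed. A computer account created under
#    the quota records the creator's SID in ms-DS-CreatorSID; the DC counts those objects
#    when deciding whether the next join is allowed. (Filter * walks every computer object,
#    which is fine for a lab but slow in a large domain.)
function Get-QuotaComputers {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID' |
        Where-Object { $_.'ms-DS-CreatorSID' } |
        Where-Object {
            $raw = $_.'ms-DS-CreatorSID'
            # The module normally returns a SecurityIdentifier; handle raw bytes as well.
            $sid = if ($raw -is [byte[]]) {
                New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
            } else {
                [System.Security.Principal.SecurityIdentifier]$raw
            }
            $sid.Value -eq $user.SID.Value
        }
}

$created = @(Get-QuotaComputers -SamAccountName 'User1')
Write-Host ("User1 has created {0} computer account(s); {1} join(s) left under a quota of 1" -f
    $created.Count, [Math]::Max(0, 1 - $created.Count))
$created | Select-Object Name, DistinguishedName

# 4. On the client, logged on as User1 (a member of "Domain Users" only): the first join
#    succeeds, the second is refused once the single quota slot has been used.
# Add-Computer -DomainName $domain.DNSRoot -Credential "$($domain.NetBIOSName)\User1" -Restart
```

Computer accounts pre-staged by an administrator, or created by someone with delegated rights on the OU, carry no ms-DS-CreatorSID and therefore never count against anyone's quota; only the self-service joins the post is about do.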



* With inputs from Pankaj Singh and Preeti Saseendran