Step-By-Step: Allowing or Preventing Domain Users From Joining Workstations to the Domain

By default, an Active Directory domain environment allows any authenticated domain user the ability to add workstations to said domain 10 times. With that being said, there may come a time and organization may require to increase or decrease this limit.  An example of this would be an authenticated user bringing their personal Surface Pro into the office. Unless there is a block in place via NPS (network policy server) or network level port protection is enabled, the user easily connects the personal device to the domain and could become a threat to the organization down the road. 

Based on this scenario, the following post will run through the steps on editing the amount of device that can be connected or will be blocked all together. This demo uses a Windows Server 2012 R2 domain controller, however similar steps can be used for in a Windows Server 2008 environment as well.

Note– This limit is do not apply for any user account which is a member of domain admins or enterprise admins group.

  1. Log in to the DC server as domain admin or enterprise admin
     
  2. Go to Server Manager > Tools > ADSI Edit
     
    limit1
     
  3. In console expand default naming context and select the correct domain
     
    Note: in forest there can be different domains based on the configuration
     
    limit2
     
  4. Then right click on it and select properties 
     
    limit3
     
  5. Once list is open find the attribute called ms-DS-MachineAccountQuota. This is the attribute responsible for above limit. By default its set to 10. If set it to 0 it will disable this limit and otherwise the value can adjust based on the requirements.
     
    limit4
      
  6. Once done click on ok until you exit from the popup window.