How To: Allow Standard Users To Join Computers to Your Internal Domain

By default, an authenticated user can join up to 10 computers to a domain.  Once they exceed 10 machines, (s)he will no longer be able to add any more computers to the domain.  Ever.  Neat!

So, in order to allow key users/groups to add computers to the domain, you’ll need to do the following:

1) Hop on an AD domain controller

2) Bring up “Active Directory Users and Computers” (Start > Run > dsa.msc)

3) Right-click on your domain and choose :Delegate Control…”:

   

4) Hit Next on the welcome screen and hit the Add button to add the users and groups you need, and then hit Next again:

   

5) Chick the box for “Join a computer to the domain” and hit Next:

   

6) Hit Finish to complete the wizard

7) Now you’ll need to remove the 10-item-limit… open ADSI Edit (Start > Run > adsiedit.msc)

8) Expand the tree until you see your domain… right-click on it and choose Properties:

   

9) Scroll down until you find the “ms-DS-MachineAccountQuota” item and click Edit:

   

10) Click the Clear button, hit OK, hit OK again, and close ADSI Edit:

   

This should make it so that selected users & groups can join computers to the domain without running up against the 10-item-limit.

views