how to increase the number of machines a user could join to a domain

how to increase the number of machines a user could join to a domain. The help desk technicians currently limited in the number of machines they can add to their Windows domain, and this has become a problem.

By default, Active Directory allows members of the Authenticated Users group to join up to 10 computer accounts to the default Computers container. If a user tries to add more than 10 workstations, they are likely to receive one of the following error messages:

"The machine account for this computer either does not exist or is unavailable."

"Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased."

"The following error occurred attempting to join the domain "domain.com".

Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased."

According to MSKB articles 251335 and 314462, there are three ways to resolve this problem:

1. Pre-Create the User's Computer Account
2. Grant the "Create Computer Objects" and "Delete Computer Objects" Access Control Entries (ACEs) to the User
3. Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain

While the first two solutions will solve the problem, it's the third one that we're most interested in, as it actually changes the default limit on the number of workstations a user can join to the domain.

Using ADSI Edit to set the ms-DS-MachineAccountQuota attribute

The number of workstations a user can join to a domain is configured by the ms-DS-MachineAccountQuota attribute. Using the Active Directory Service Interfaces Editors (ADSI Edit) you can manage Active Directory objects and attributes.

To run ADSI Edit on Windows Server 2003 or Windows XP machines, you'll need to install Windows Server 2003 Support Tools, which you'll find on the Windows Server 2003 CD or the Microsoft Download Center. If you're running Windows Server 2008, ADSI Edit is installed as part of the Active Directory Domain Services (AD DS) role, which makes the server a domain controller. You can also install the Remote Server Administration Tool (RSAT) on server that aren't domain controllers.  On machines running Windows Vista SP1 or Windows 7, you must install RSAT to use ADSI Edit.

Once you have ADSI Edit installed, you can change the ms-DS-MachineAccountQuota attribute with the following steps:

1. Click Start | Run | and enter adsiedit.msc.
2. Expand the Domain node and locate the object that begins with "DC=" and contains the domain name of the domain your interested in.
3. Right on the "DC=" object and click Properties.
4. Locate the ms-DS-MachineAccountQuota attribute on the Attribute Editor tab and click Edit.
5. On the Integer Attribute Editor dialog, enter the number of workstations you want users to be able to add. You can enter 0 to prevent users from joining any workstations to the domain or clear the value to remove the limit.
6. Once you've entered the appropriate value, click OK to close the Integer Attribute Editor dialog box and OK again to close the Properties box.
7. Close ADSI Edit.