8.9. Changing the Maximum Number of Computers a User Can Join to the Domain

Problem

You want to grant users the ability to join more or fewer than 10 computers to a domain. This limit is called the machine account quota.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Right-click on the domainDNS object for the domain you want to change and select Properties.

  3. Edit the ms-DS-MachineAccountQuota attribute and enter the new quota value.

  4. Click OK twice.

Using a command-line interface

In the following LDIF code replace <DomainDN> with the distinguished name of the domain you want to change and replace <Quota> with the new machine account quota:

dn: <DomainDN>
changetype: modify
replace: ms-DS-MachineAccountQuota
ms-DS-MachineAccountQuota: <Quota>
-

If the LDIF file was named change_computer_quota.ldf, you would then run the following command:

> ldifde -v -i -f change_computer_quota.ldf

Using VBScript

' This code sets the machine account quota for a domain.
' ------ SCRIPT CONFIGURATION ------
intQuota  = <Quota>
strDomain = "<DomainDNSName>"  ' e.g. emea.rallencorp.com
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
objDomain.Put "ms-DS-MachineAccountQuota", intQuota
objDomain.SetInfo
WScript.Echo "Updated user quota to " & intQuota

Discussion

In a default Active Directory installation, members of the Authenticated Users group can add and join up to 10 computer ...

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial