Cyber Security

Securing Active Directory: Who can add computers to the domain? Only the domain admin?

By on ( 7 Comments )

“Only Domain administrators can add computers to the domain.” I can’t count how often I have heared these words. But when installing a new domain, a counter is configured and this counter allows each domain user to add up to 10 computers to the domain. This is the default setting. The setting can be changed and must be considered in the IT security concept.

The ms-DS-MachineAccountQuota

The setting can be found in dsa.msc (enable advanced features!) Open dsa.msc (Active Directory Users and Computers). If not already enabled, enable Advanced Features. Next open the properties of your domain (right click), click on Attribute editor and navigate to the Attribut ms-DS-MachineAccountQuota. Are you surprised? Every user (Domain User) can add up to 10 Computers.

Unbenannt.PNG

1.PNG

Or run a simple One-Liner in PowerShell. Don’t care about the domain name. We call it from Get-ADDomain.

Get-ADObject ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

Unbenannt.PNG

Who added client01 to the domain?

Who has added client01 to the domain? Petra is a domain user and added client01 to the domain. We can see it by running a simple one-liner. Ok, I have to admit it’s a three liner. We examine the ms-DS-CreatorSID attribute of the computer account.

Get-ADComputer client01 -Properties mS-DS-CreatorSID | Select-Object -Expandproperty mS-DS-CreatorSID | Select-Object -ExpandProperty Value | Foreach-Object {Get-ADUser -Filter {SID -eq $_}}

Unbenannt.PNG

Changing the default value

A value of 0 means that domain users are are not allowed to add computer accounts.

Open the properties of the domain and double click ms-DS-MachineAccountQuota. Modify the value. The number represents the number of computers that you want users to be able to add to the domain. I recommend changing it to 0.

Unbenannt.PNG

Or use PowerShell. Again: Don’t worry about the domain name. It will be filled in automatically.

Set-ADDomain (Get-ADDomain).distinguishedname -Replace @{"ms-ds-MachineAccountQuota"="0"}

Unbenannt.PNG

The impact

The user is informed that the maximum number has been reached. The following error occured attempting to join the computer to the domain:

Unbenannt.JPG

See also

How to add computers to the domain see my article Active Directory: How to join a Computer to the Domain using GUI or PowerShell (Step-by-Step)

Categories: Cyber Security, Windows Server

Tagged as: , , ,

Published by Patrick Gruenauer

Microsoft MVP on PowerShell [2018-2024], IT-Trainer, IT-Consultant, MCSE: Cloud Platform and Infrastructure, Cisco Certified Academy Instructor.

7 replies »

  1. Pingback: KrbRelayUp Mitigations – Pyro's Site
  2. Pingback: Fix SCCM OSD Machine Domain Join Issue Ldap_add_s Failed: 0x35 0x216d How To Manage Devices
  4. Pingback: Demoting the last Active Directory Domain Controller with PowerShell « SID-500
  5. Pingback: PowerShell: Configuring Fine Grained Password Policies (PSO) « SID-500
  6. Pingback: Active Directory: How to join a Computer to the Domain using GUI or PowerShell (Step-by-Step) « SID-500

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.