How to change the attribute ms-DS-MachineAccountQuota

By default, In the Microsoft Active Directory, members of the authenticated user group can join up to 10 computer accounts in the domain. This value is defined in the attribute ms-DS-MachineAccountQuota on the domain-DNS object for a domain. In this post, I want to show you how to change the value of this attribute using the ADSIEdit Tool and Windows PowerShell. To do this, we set the attribute value to 0, once this is done, users must have explicit permissions in Active Directory to join computers to a domain. Requirements:

Remote Server Administration Tools for Windows 10, To learn how to install them, see this link.
PowerShell Active Directory module. To learn how to install this module, see this link.

Using the Adsiedit tool.>

Using the Adsiedit tool. #

First, open the ADSI Edit MMC snap-in ( adsiedit.msc ) and connect to the Domain Naming Context. To connect it to your Active Directory. you must choose the Connect to command from the Action menu. The Connection Settings dialog box will appear. You must select the naming context to which you want to connect. In this case, the default values are a

This node contains an object that begins with “DC=” and reflects the correct domain name. Right-click this object, and then click Properties.

and then, edit the ms-DS-MachineAccountQuota attribute and enter the new value.

Using PowerShell>

Using PowerShell #

We can also make this change using Windows PowerShell. First, we will use the Get-ADObject cmdlet to check the current value of the attribute we want to modify.

Get-ADObject `
    -Identity ((Get-ADDomain).distinguishedname) `
    -Properties ms-DS-MachineAccountQuota

And then using the Set-ADomain cmdlet we modify the attribute. Run the following PowerShell command as administrator:

Set-ADDomain `
    -Identity <DomainName> `
    -Replace @{"ms-DS-MachineAccountQuota"="0"}

Thanks for reading my post. I hope you find it useful.

You can learn more about the ms-DS-MachineAccountQuota attribute here.