Re: Resetting the ms-DS-MachineAccountQuota attribute for a single use

Subject: Re: Resetting the ms-DS-MachineAccountQuota attribute for a single use
Posted by:  Paul Bergson (pbergson@allete_nospam.com)
Date: Wed, 7 Jun 2006

Method 3: Override the Default Limit of the Number of Computers an
Authenticated User Can Join to a Domain

You can override the default limit, using either of the following methods:

  - Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000
    Resource Kit.
  - Use an Active Directory Services Interface (ADSI) script to increase
    or decrease the value of the Active Directory ms-DS-MachineAccountQuota
    attribute. To do this:

      1. Install the Windows 2000 Support tools if they have not already
         been installed. To install these tools, run Setup.exe from the
         Support\Tools folder on the Windows 2000 Server or the Windows 2000
         Professional CD-ROM.
      2. Run Adsiedit.msc as an administrator of the domain.
      3. Expand the Domain NC node. This node contains an object that
         begins with "DC=" and reflects the correct domain name. Right-click
         this object, and then click Properties.
      4. In the Select which properties to view box, click Both.
      5. In the Select a property to view box, click
         ms-DS-MachineAccountQuota.
      6. In the Edit Attribute box, type a number. This number represents
         the number of workstations that you want users to be able to
         maintain concurrently.

         Click Set, and then click OK.

      Increase the amount defined in step 6

      It would be much simpler though to Delegate the user in question the
ability to create machine accounts in the specific OU.  Just start the
Delegate Wizard, select the user and grant them create user machine accounts.

      Here is a start for you.
    http://searchwindowssecurity.techtarget.com/generic/0,295582,sid45_gci1050014,00.html

      I highly recommend the Delegation and discourage the Override limit.
The limit impacts all users in your domain.  The Delegation is user specific
and you can control who can create what.  As a matter of fact, best practice
would be to grant a Global Group the delegation and then place the user you
want to create within this group.  That way, as people change positions, it is
as simple as removing or adding users to this group to provide the
permissions they need without you having to change the permissions.

--
Paul Bergson  MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Kruse" <Kru…@discussions.microsoft.com> wrote in message
news:7C683138-55F5-43DB-9BC2-0959C45EE5…@microsoft.com...
> In KB251335, Microsoft states that it is possible to reset the limit, when
> a user has exceeded the maximum number of computer accounts he is allowed to
> create in this domain. But how do I do this?
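
Added example, not part of the original post or of KB251335: a PowerShell sketch that reads the quota from the same "DC=" object the ADSI Edit steps open, counts how many computer accounts each user has created under it, and delegates computer creation on one OU to a group. It assumes the ActiveDirectory module (RSAT) is installed; the OU name, the group name and $newQuota are placeholders.

```powershell
# Added example. Run the dsacls step as a domain administrator.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ou     = "OU=Workstations,$($domain.DistinguishedName)"   # hypothetical OU
$group  = "$($domain.NetBIOSName)\Workstation-Joiners"     # hypothetical global group

# Same object ADSI Edit shows under "Domain NC": the domain head ("DC=...").
$head  = Get-ADObject -Identity $domain.DistinguishedName `
                      -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
"Domain-wide ms-DS-MachineAccountQuota: $quota"

# Computers joined by ordinary users under the quota carry the creator's SID
# in mS-DS-CreatorSID. Counting them per creator shows who is at the limit.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' |
    Group-Object { $_.'mS-DS-CreatorSID'.Value } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $g   = $_    # keep the group; $_ is the error record inside catch
        $sid = New-Object System.Security.Principal.SecurityIdentifier($g.Name)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = "$($g.Name) (SID no longer resolves)" }
        [pscustomobject]@{
            Creator       = $who
            Computers     = $g.Count
            AtOrOverQuota = ($g.Count -ge $quota)
        }
    } | Format-Table -AutoSize

# Delegation instead of a quota change: allow the group to create (CC)
# computer objects in this one OU. ${group} keeps PowerShell from reading
# "$group:CC" as a scoped variable name.
dsacls $ou /G "${group}:CC;computer"

# Domain-wide override (the value typed in step 6). It applies to every
# authenticated user, so it is left commented out; $newQuota is a placeholder.
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = $newQuota }
```

Membership of the delegated group then controls who can join machines to that OU, so later staff changes need only a group membership change.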

In response to

Resetting the ms-DS-MachineAccountQuota attribute for a single use posted by Kruse on Wed, 7 Jun 2006